Okta Identity Engine | Access Gateway | Answered | 2022-03-17 / 2022-03-20 / 2024-04-16
Hello Rony Gonzales,

Thanks for posting,

You are NOT seeing the Okta MFA because the 'JSON refresh token period' for the Desktop/Outlook rich client is set by default to somewhere between 14-90 days. It is this that is authenticating the user each time, NOT a new authentication call to the Okta IdP. O365 caches this and doesn't present it to the Okta IdP for authentication. If there is no authentication or 1FA, then we, i.e. Okta, cannot invoke the 2FA or second factor - does that make sense? So you have 2 (or 3) options to move forward:

1. Stick with ADAL enabled in your tenant, but reduce the effect of the 'JSON refresh token period' by making an O365 "configurable token lifetimes" change to the 'MaxInactiveTime' and 'MaxAgeSingleFactor' properties:
   https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
   This will affect all users ON and OFF network - they will be asked to go through Okta Authentication more frequently with the Desktop/Outlook client (although ADAL/IWA will be used on network).
   But the effect of your MFA off-network policy will kick in, and MFA for Outlook will be seen more often off-network.

• 3rd option - look out for Roadmap 'Device trust' enhancements

Let us know if this helps you.

Daniela Chavarria.

Okta Inc.
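As an added example (not part of the original answer or of Okta's own guidance), the "configurable token lifetimes" change described above, expressed with the legacy AzureAD PowerShell module that the linked Microsoft document used at the time. The policy display name, the 14-day values and the tenant are assumptions for illustration. Microsoft's documentation has since marked the refresh/session token lifetime properties (MaxInactiveTime, MaxAgeSingleFactor and friends) as retired in favour of Conditional Access sign-in frequency, so on a current tenant check which control the tenant still honours before relying on this.

```powershell
# Added example (not from the original answer): shorten the Azure AD refresh-token
# lifetime so the Outlook/desktop client must re-authenticate through the Okta IdP
# more often, using the legacy AzureAD module's TokenLifetimePolicy.
# Assumptions: AzureAD module installed, an account with rights to manage policies,
# and the 14-day values below are illustrative, not a recommendation from the thread.

Import-Module AzureAD
Connect-AzureAD   # interactive sign-in to the tenant

# Look for an existing organization-wide token lifetime policy first, so a second
# default policy does not silently compete with the one already in force.
$existing = Get-AzureADPolicy | Where-Object {
    $_.Type -eq 'TokenLifetimePolicy' -and $_.IsOrganizationDefault -eq $true
}

# Timespans use dd.hh:mm:ss. MaxInactiveTime: how long a refresh token may sit
# unused before it expires. MaxAgeSingleFactor: how long a refresh token obtained
# with a single factor stays valid regardless of use. Both are illustrative values.
$definition = @'
{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"14.00:00:00","MaxAgeSingleFactor":"14.00:00:00"}}
'@

if ($existing) {
    # Update the existing default policy in place
    Set-AzureADPolicy -Id $existing.Id -Definition @($definition)
} else {
    # Create a new tenant-wide default (display name is an assumption)
    New-AzureADPolicy -DisplayName 'ShorterRefreshTokenLifetime' `
        -Definition @($definition) `
        -IsOrganizationDefault $true `
        -Type 'TokenLifetimePolicy'
}

# Verify what is actually applied before telling users to expect more Okta prompts
Get-AzureADPolicy | Where-Object { $_.Type -eq 'TokenLifetimePolicy' } |
    Select-Object DisplayName, IsOrganizationDefault, Definition
```

The verification step matters: a cached refresh token that is still within its old lifetime keeps working until it expires or is revoked, so the change shows up for users gradually rather than at the moment the policy is written. As the answer notes, the tradeoff is that on-network users are re-prompted more often too, even though ADAL/IWA satisfies the primary factor there.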
NO VERIFICATION WINDOW IN OUTLOOK 2013