
User16535787353097162257 (Equipmentshare) asked a question.
I have Okta WS-Federation and provisioning set up on my M365 test domain, and can successfully sign into M365 services and enroll Windows machines into Intune using my test account's Okta credentials.
...however...
Once enrolled, neither my test account's Okta credentials nor original, unfederated M365 credentials can be used to sign into the machine. Here's a full bullet-point list of the current setup:
- Test domain created in M365 tenant
- Test account created on test domain
- M365 WS-Federation of and Provisioning to test domain configured in Okta Preview
- Successfully signed into Office.com using test account
- Successfully enrolled Windows device into Intune using Okta-federated test account via Autopilot OOBE
- Failed to sign into device using Okta-federated test account credentials.
Here are the remediation steps I've taken:
- Wiped device, removed from Intune, re-enrolled.
- Unassigned and reassigned M365 app for test user, in addition to above.
- Deployed Okta Verify to device via Intune, per https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/ov-install-options-windows.htm
- Manually installed and configured Okta Verify on device post-enrollment.
Naturally, since I've posted this question, the issue persists. Thanks for your help!

Solved it myself after some homework.
If you're in the same spot I was, follow this guide: https://support.okta.com/help/s/article/Enabling-Okta-Credentials-for-Windows-10-Login-with-Azure-AD-Join?language=en_US
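Two quick checks that fit the setup described in this thread, added here as an editor's example; they are not from the original poster or the linked Okta article. The domain name is a placeholder, and the script assumes the Microsoft Graph PowerShell SDK is installed. The tenant-side check reads the federation record Azure AD holds for the domain: browser sign-in to Office.com goes through the PassiveSignInUri (WS-Fed), while Windows sign-in on an Azure AD-joined device uses the ActiveSignInUri (WS-Trust), so a domain that federates only the passive endpoint will show exactly the symptom in the question. The device-side check confirms the machine is actually Azure AD joined.

```powershell
# Added diagnostic example; not code from the post or from Okta's guide.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph) is installed.
$domain = "test.example.com"   # placeholder: replace with the federated test domain

# --- 1. Tenant side: inspect the domain's federation configuration ---------
Connect-MgGraph -Scopes "Domain.Read.All"
$fed = Get-MgDomainFederationConfiguration -DomainId $domain

[pscustomobject]@{
    Domain           = $domain
    IssuerUri        = $fed.IssuerUri
    PassiveSignInUri = $fed.PassiveSignInUri   # browser logins (Office.com, Intune enrollment)
    ActiveSignInUri  = $fed.ActiveSignInUri    # WS-Trust endpoint used by Windows sign-in
    Protocol         = $fed.PreferredAuthenticationProtocol
} | Format-List

if ([string]::IsNullOrEmpty($fed.ActiveSignInUri)) {
    Write-Warning "No ActiveSignInUri on $domain : browser SSO can succeed while device sign-in fails."
}

# --- 2. Device side: run on the enrolled Windows machine ------------------
# dsregcmd prints the join state; AzureAdJoined should be YES and the
# TenantName should match the tenant the test domain lives in.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|TenantName|AzureAdPrt'
```

Run the first part from any admin workstation with Graph access and the second part locally on the device (an elevated prompt is not required for `dsregcmd /status`). If the federation record looks complete and the device is joined, the remaining suspects are the IdP-side settings the linked Okta article walks through.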