
ZackS.98031 (Customer) asked a question.
Having a frustrating issue we cannot seem to find a good solution for. We have been in the process of enabling Okta for our entire org; our last and final transition was to enable Okta WS-Fed for M365, which, given the issues we are experiencing, unfortunately may require us to scrap this entire project and go back to our old authentication setup.
Coming from Azure AD Connect / Entra Desktop Seamless Single Sign-On, the user login workflow worked flawlessly under the following conditions:
Azure/Entra, upon new user login for the first time:
- Edge would automatically log in.
- Office apps would automatically log in and activate (some GPOs control the auto-activate function).
- OneDrive would log in automatically.
Existing users' logins would persist to these applications, with credentials and the like stored in their FSLogix user profile disk.
Upon enabling Okta Desktop Single Sign-On:
- User does not automatically get logged into Edge.
- Outlook will automatically configure, but Office prompts to activate. When hitting the activate button the request properly flows to Okta, but this has added user fatigue where there otherwise wasn't any.
- OneDrive does not log in automatically, even after logging in and configuring. If the user logs out of the desktop session, upon next login we get a message saying "OneDrive is not signed in"; when we proceed through this it will then open an Okta screen and log in without any prompts, which is telling me Okta DSSO is taking it over.
Troubleshooting:
- Attempted to enable desktop single sign-on via Azure AD in conjunction with Okta DSSO hoping it might make a difference; it does not appear to have any effect on the outcome.
- Confirmed all GPO settings for Okta DSSO are correct. We had all but the intranet site, SPN, and service account in place prior to this change, as we needed those enabled for other non-relevant / non-impacting services to function correctly.
- Ensured the sign-in policy allowing legacy authentication was correctly configured on the Okta side, which seems to be a must in hybrid-joined Azure AD scenarios, which, to clarify, is not the setup we are running at present.
- Ensured delegated authentication settings and the like were still properly allowing MFA-less access when accessing from our datacenter IP range or one of our protected office location IP ranges.
Additionally:
- Okta DSSO does not seem to have any issues when we go to the login.mycompany.com page. The credentials pass to the page and the login is seamless; this just does not seem to be carrying over to the other places we need this to function, like OneDrive or Edge (automatic login to organization account).
Environment information:
- Server 2019 Enterprise RDSH Farm
- OneDrive is the latest build at the time of this post, 24.181.0908.0001
- Office Apps for Enterprise properly configured for shared user and running the Semi-Annual Enterprise Channel, 2402 build currently.
- FSLogix Profile Disks (the only policy relevant to Office is storing the activation information)
- Citrix DaaS VDA Setup
- Office 365 E3 > WS-FED Setup with Okta.
- Desktop Single Sign-On enabled; can access login.company.com without MFA as expected based on settings in our test case.
- The Windows-Authentication-Provider exception is enabled for legacy auth and at the top of the list in our sign-in policy for the Office 365 application.
- No conditional access settings configured on the M365 side.
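As an added check (not from the post, and not Okta's own tooling), a PowerShell script that verifies two of the DSSO prerequisites listed above on an RDSH host: that the Okta login host is assigned to the Local intranet zone (zone 1) through the ZoneMap keys the Site-to-Zone Assignment List GPO writes, and that the DSSO SPN is registered. The host, SPN and service-account names are placeholders/assumptions.

```powershell
# Added diagnostic for the DSSO prerequisites named in the post (intranet zone entry, SPN,
# service account). Host, SPN and account names below are placeholders/assumptions.
param(
    [string]$OktaLoginHost  = "login.mycompany.com",   # host named in the post
    [string]$Spn            = "HTTP/<your-dsso-spn>",   # placeholder: SPN from your Okta DSSO setup
    [string]$ServiceAccount = "svc-okta-dsso"           # assumed account name
)

# Site-to-Zone Assignment List (GPO) and manual zone entries live under these ZoneMap roots.
# Server 2019 with IE Enhanced Security Configuration enabled uses EscDomains instead of Domains.
$zoneMapRoots = @(
    "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
    "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
)

function Test-IntranetZone {
    # Returns $true when any ZoneMap entry places the host's https scheme in zone 1 (Local intranet).
    param([string]$HostName)
    $labels = $HostName.Split('.')
    $domain = ($labels | Select-Object -Last 2) -join '.'      # e.g. mycompany.com
    $sub    = ($labels | Select-Object -SkipLast 2) -join '.'  # e.g. login
    foreach ($root in $zoneMapRoots) {
        foreach ($container in 'Domains', 'EscDomains') {
            $key = if ($sub) { "$root\$container\$domain\$sub" } else { "$root\$container\$domain" }
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }
            foreach ($scheme in 'https', '*') {
                if ($props.PSObject.Properties[$scheme] -and $props.$scheme -eq 1) {
                    Write-Host "Intranet zone: $HostName found in $key ($scheme=1)"
                    return $true
                }
            }
        }
    }
    Write-Warning "Intranet zone: no ZoneMap entry assigning $HostName to zone 1"
    return $false
}

function Test-DssoSpn {
    # setspn -Q prints 'Existing SPN found!' when the SPN is registered anywhere in the forest.
    param([string]$Spn, [string]$Account)
    $query = & setspn.exe -Q $Spn 2>&1 | Out-String
    $found = $query -match 'Existing SPN found'
    if ($found) { & setspn.exe -L $Account | Write-Host }  # show what the expected account holds
    else { Write-Warning "SPN $Spn is not registered" }
    return $found
}

$zoneOk = Test-IntranetZone -HostName $OktaLoginHost
$spnOk  = Test-DssoSpn -Spn $Spn -Account $ServiceAccount
"Intranet zone ok: $zoneOk; SPN ok: $spnOk"
```

Run it in the user's session on the RDSH host, since the HKCU roots only reflect the logged-in user's applied policy.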

Hello @ZackS.98031 (Customer), thank you for posting on our Community page!
The Okta Community Questions forum isn't really meant for in-depth troubleshooting.
I would recommend opening a case with Support and working on this matter with a Support engineer. They'll be able to access additional tools and resources to help you get to the bottom of it.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.