Okta Classic Engine | Administration | Answered | 2025-10-31T23:04:17.000Z | 2025-10-01T19:02:33.000Z

KathyT.73511 (Anthropic Identity) asked a question.

Setting up Entra as an Identity Provider using AMR, not working

We are setting up Entra as an IDP in Okta and we do not want to have the users enroll in Okta's MFA because we want to trust the MFA from Entra. We have turned on "Use standard AMR value format" in Security > General and, in the IDP, checked "Trust Claims from this identity provider".


Other things we tried:

  • set up enrollment policy with Google, SMS and OV as optional
  • set up the authentication policy to require a "password only", a "possession factor", "1 factor only".

It works with password only, but all the others loop. Should it be password only because we are trusting Entra MFA? Do we need to set something up on the Entra side?

 

What am I missing?


  • Hi @KathyT.73511 (Anthropic Identity), thank you for reaching out to the Okta Community!

    I haven't found any explicit documentation for this use case, but based on what is discussed here, you might have to make configuration changes on the Entra side to pass the "mfa" AMR value in the token.

    But if I'm understanding your use case correctly, you do not require an additional MFA validation on the Okta side.

    If you have a policy configured to have the user authenticate against the IDP (Entra) and during the authentication flow the user is redirected to Entra where they leverage password + Entra-specific MFA, I would assume on the Okta side a policy configured for [pasted image] should be enough, the MFA portion of the flow being already satisfied on the Entra side based on conditional access.

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    Selected as Best
This question is closed.
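
A way to check the point raised in the answer, whether the token coming back from Entra actually carries the "mfa" AMR value. This is an added example, not part of the original thread and not Okta's or Microsoft's code. It assumes an OIDC integration where the ID token can be captured; the sample tokens, issuer, subject and helper names are constructed for illustration.

```python
import base64
import json


def decode_claims(id_token: str) -> dict:
    """Return the JWT payload. Signature is NOT verified: diagnostics only."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def amr_values(claims: dict) -> list:
    """Normalise the 'amr' claim (RFC 8176) to a list; absent claim -> []."""
    amr = claims.get("amr")
    if amr is None:
        return []
    return [amr] if isinstance(amr, str) else [str(v) for v in amr]


def asserts_mfa(id_token: str) -> bool:
    """True only if the IdP put the 'mfa' value in the token's amr claim."""
    return "mfa" in amr_values(decode_claims(id_token))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (placeholder signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


# Constructed sample claims; issuer and subject are placeholders.
BASE = {"iss": "https://idp.example/tenant/v2.0", "sub": "user-1"}
SAMPLES = {
    "password only": make_sample_token({**BASE, "amr": ["pwd"]}),
    "password + mfa": make_sample_token({**BASE, "amr": ["pwd", "mfa"]}),
    "no amr claim": make_sample_token(BASE),
}

if __name__ == "__main__":
    for label, token in SAMPLES.items():
        values = amr_values(decode_claims(token))
        print(f"{label:15} amr={values} mfa_asserted={asserts_mfa(token)}")
```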