
ColbyH.09214 (Customer) asked a question.
We're working on implementing WS-Federation with our Microsoft tenant. We would like all Microsoft logins to redirect to Okta. I'm able to get this working, but we have Intune laptops and wanted to see if I'm doing things the right way or if anyone has any tips.
Initial setup: We've configured WS-Federation and Okta EAM to satisfy MFA requirements in Entra. I've deployed web sign-in configurations to the test laptops and have that correctly working. Clicking the web sign-in option redirects to Okta login and prompts for MFA. I've also enabled WHfB as an alternate backup option to log in in case the user doesn't have Internet, as my understanding is Windows will not cache the password from Okta to the device. Is that correct?
So users don't have to do MFA every time they log in, do I just modify the authentication policy for the app to filter for request.userAgent.contains("Windows-AzureAD-Authentication-Provider") to only require single factor?
Does this setup make sense, or is there a smoother way to accomplish all of this?

Hi @ColbyH.09214 (Customer), thank you for reaching out to the Okta Community!
The setup sounds right and implementing the filter is good.
I don't recommend compromising security for the sake of convenience; perhaps implement MFA requirements when not "on_network".
Maybe run tests for logins and review system logs to confirm the policies are being applied. Just because it works doesn't mean the intended policies are being applied; you might need to adjust policy/rule priorities.
While not directly related to your question, I've also seen a lot of complaints around the use of O365 (mainly Outlook) on mobile devices. Most of the reports are unavoidable due to lack of technical knowledge on the end-user side, but it's still worth checking O365 login impact for current policies on other devices if the org requires/allows users to log into email on mobile devices, just in case.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
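The log review suggested in the answer, as an added example (not part of the original thread and not Okta's code): it checks constructed System Log-style events to confirm that the relaxed rule fires only for the `Windows-AzureAD-Authentication-Provider` user agent and only from a trusted zone. The rule names, the zone name and the event field layout are assumptions to match against your own log export.

```python
# Added example. The user agent is a client-supplied header, so a rule keyed
# on it deserves a log check that it is hit only where intended.
WINDOWS_UA = "Windows-AzureAD-Authentication-Provider"  # filter string from the thread
RELAXED_RULE = "Windows web sign-in 1FA"   # hypothetical rule name
TRUSTED_ZONES = {"CorpNet"}                # hypothetical network zone name


def _ev(user, ua, zone, rule):
    """Build one constructed event; field layout is assumed, verify against your export."""
    return {"eventType": "policy.evaluate_sign_on",
            "actor": {"alternateId": user},
            "client": {"userAgent": {"rawUserAgent": ua}, "zone": zone},
            "target": [{"type": "PolicyRule", "displayName": rule}]}


# Constructed sample data, not real log entries.
SAMPLE = [
    _ev("a@example.com", WINDOWS_UA + "/1.0", "CorpNet", RELAXED_RULE),
    _ev("b@example.com", WINDOWS_UA + "/1.0", "CorpNet", "Catch-all MFA"),
    _ev("c@example.com", "Mozilla/5.0", "CorpNet", RELAXED_RULE),
    _ev("d@example.com", WINDOWS_UA + "/1.0", "null", RELAXED_RULE),
]


def audit(events, relaxed_rule=RELAXED_RULE, trusted=TRUSTED_ZONES):
    """Return (user, finding, rule) for sign-ins where the applied rule is unexpected."""
    findings = []
    for ev in events:
        if ev.get("eventType") != "policy.evaluate_sign_on":
            continue
        client = ev.get("client") or {}
        ua = (client.get("userAgent") or {}).get("rawUserAgent") or ""
        rule = next((t.get("displayName") for t in ev.get("target") or []
                     if t.get("type") == "PolicyRule"), None)
        user = (ev.get("actor") or {}).get("alternateId")
        has_ua = WINDOWS_UA in ua
        if has_ua and rule != relaxed_rule:
            # Likely a rule priority problem: a higher rule matched first.
            findings.append((user, "ua-matched-other-rule", rule))
        elif rule == relaxed_rule and not has_ua:
            findings.append((user, "relaxed-rule-without-ua", rule))
        elif rule == relaxed_rule and client.get("zone") not in trusted:
            findings.append((user, "relaxed-rule-off-network", rule))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```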