How to force Outlook Office 365 to use modern auth and MFA


I've set up Okta federation with our Office 365 domain and enabled MFA for Okta users but AzureAD still does not force MFA upon login.

I want to enforce MFA for AzureAD users because we are under constant brute force attacks using only user/password on the AzureAD/Graph API. It causes users to be locked out although our entire domain is secured with Okta and MFA.

I disabled basic auth for my account and try opening outlook desktop app but it cannot connect.

Set-CASMailbox -PopEnabled $false -ImapEnabled $false -MAPIEnabled $false

The AzureAD logs show only single factor authentication but Okta is enforcing MFA. I realize now we should have enabled MFA in AzureAD first but I was lost in documentation that really doesnt seem quite clear.

In Okta for my Office 365 app, i've enabled Okta MFA from Azure AD so it passes the tokens to AzureAD and it works for my account when accessing O365 from the web browser but Outlook does not.

Under conditional access for MFA i've selected everything: Browser, Mobile apps and desktop clients, Exchange and Active sync clients and other clients. Also 'Require MFA' is set for this policy. Prior to this, all my access was logged in AzureAD as single factor.

I would greatly appreciate any help with this. We have hundreds of users and I need to enforce MFA for all Office 365 services so the bots cannot lock out our users.

Microsoft Exchange Online
A family of Microsoft email and calendar products.
2,934 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,168 questions
{count} votes