If we use OKTA for MFA does that cover your requirement for MFA by 10/15?

Question

If we use OKTA for MFA does that cover your requirement for MFA by 10/15?

Cody Cleveland 5

If we use OKTA for MFA does that cover your requirement for MFA to access Azure portal, Entra ID Admin, and Intune by 10/15?

2 answers

Your answer

Answer 1

Raja Pothuraju 24,385 Microsoft External Staff Moderator

Hello @Cody Cleveland,

Thank you for posting your query on Microsoft Q&A.

From your description, I understand that you’re referring to the recent announcement about MFA enforcement, particularly the mandatory multifactor authentication for Azure and other administration portals starting on October 15, 2024. You’re asking whether this enforcement will support third-party MFA providers like OKTA.

If you’re using a third-party MFA provider (OKTA) for second-factor authentication and have configured it through the Conditional Access Custom Controls preview, it will not satisfy the new MFA requirements. To continue using your external solution with Microsoft Entra ID, you should migrate to the External Authentication Methods (EAM) preview.

If your OKTA MFA is already configured through the External Authentication Methods preview, it will support the upcoming MFA enforcement requirements.

You’ll need to verify how your OKTA configuration is set up in your tenant—whether it’s configured through Custom Controls (Preview) or External Authentication Methods (Preview).

Please refer to the screenshot below for guidance on verifying the configuration.

If your OKTA MFA is set up through Custom Controls (Preview), you can find it under Entra ID > Security > Conditional Access > Custom Controls (Preview).

User's image If your OKTA MFA is set up through External Authentication Methods (EAM) Preview, it will be visible under Entra ID > Security > Authentication Methods > Policies > External (Preview).

Please verify your setup. If it’s not configured under the External Authentication Methods blade, refer to the following document for instructions on setting up your MFA, and contact OKTA support for the required details.

Additional Resources:

For more information, please refer to the following articles.

Planning for mandatory multifactor authentication for Azure and other administration portals

Manage an external authentication method in Microsoft Entra ID (Preview)

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Thanks,
Raja Pothuraju.

Raja Pothuraju 24,385 Reputation points Microsoft External Staff Moderator

2024-08-22T21:03:47.31+00:00

Hello @Cody Cleveland,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Cody Cleveland 5 Reputation points

2024-08-22T21:06:56.6966667+00:00

I need to verify how our OKTA is set-up. I know it is integrated with Entra ID but need to verify the external preview piece. Please keep this open until I do and thanks for the follow-up.
Raja Pothuraju 24,385 Reputation points Microsoft External Staff Moderator

2024-08-26T11:14:13.93+00:00

@Cody Cleveland,

Sure, No problem. Please tag me while commenting.

Waiting for your update.
Miguel Pérez 0 Reputation points

2024-09-02T14:46:45.92+00:00

@Cody Cleveland @Raja Pothuraju Thanks for this question and for the detailed answer. We are facing the same "issue" but in our case, we have the option to add External Methods greyed out. We have our O365/Azure tenant connected to Okta via the O365 native Okta app (with WS-Federation), what would be the alternative here?Thanks a lot for your help. Regards,
Miguel Pérez 0 Reputation points

2024-09-02T14:47:49.98+00:00

@Raja Pothuraju 👆
Raja Pothuraju 24,385 Reputation points Microsoft External Staff Moderator

2024-09-02T20:26:40.4466667+00:00

@Miguel Pérez,

The "Add External Method (Preview)" option will be grayed out if your tenant does not have a Premium P1 or higher license. Please confirm that you have the necessary licenses to use the EAM service.

If you do have the required licenses, this issue may occur if your user account does not have the necessary privileges. Ensure that your account is elevated to at least a Privileged Role Administrator or Global Administrator.

Answer 2

Amit Saini 0

@Raja Pothuraju You only mentioned about "Conditional Access Custom Controls preview" and "External Authentication Methods". What if domain is federated and instead of ADFS, Okta is being used for authentication and MFA. Azure is receiving MFA claim in token. Is this not satisfying new MFA requirements ??

As per this docs https://learn.microsoft.com/en-gb/entra/identity/authentication/concept-mandatory-multifactor-authentication

"If you're using a federated Identity Provider (IdP), such as Active Directory Federation Services, and your MFA provider is integrated directly with this federated IdP, the federated IdP must be configured to send an MFA claim."

Raja Pothuraju 24,385 Reputation points Microsoft External Staff Moderator

2024-09-10T19:27:25.1966667+00:00

Hello @Amit Saini,

In your scenario, as you mentioned, your domain is federated with OKTA, and OKTA is managing MFA. It appears that Azure is receiving an MFA claim in the token, and you'd like to know whether this claim meets the new MFA requirements.

To check if the MFA claim being passed satisfies the new requirements, review the Microsoft Entra Sign-in logs for any sign-in attempt. Look for additional details such as "MFA requirement satisfied by claim provided by external provider." If you see this message, it means that any third-party MFA setup satisfies the new MFA requirements.

Thanks,
Raja Pothuraju.
Amit Saini 0 Reputation points

2024-09-11T09:46:47.7733333+00:00

Thank you @Raja Pothuraju I guess "MFA requirement satisfied by claim provided by external provider." OR "MFA requirement satisfied by claim in the token" both are same thing.

Only issue will be for accounts that are MFA exempted in Okta as Azure doesn't receive any MFA claim for those accounts in token. I don't see any exceptions from MS. Is there a way to make things work in this scenario where no MFA claim being passed in token by external provider ?
Amit Saini 0 Reputation points

2024-09-11T09:52:17.03+00:00

Thank you @Raja Pothuraju I think "MFA requirement satisfied by claim provided by external provider." or "MFA requirement satisfied by claim in the token" are same thing.

Only challenge will be for MFA exempted accounts in Okta as Azure is not receiving any MFA claim for those accounts in token. I don't see any exceptions by MS. Is there a way to make things work in this scenario ?
Raja Pothuraju 24,385 Reputation points Microsoft External Staff Moderator

2024-09-11T11:21:23.04+00:00

Hello @Amit Saini,

The phrases "MFA requirement satisfied by claim provided by external provider" and "MFA requirement satisfied by claim in the token" are essentially referring to the same concept but not completely. I would recommend initiating an interactive sign-in rather than using active sessions. To test this, try logging into any application using an incognito browser, where the user is required to enter their credentials, and then check the sign-in logs in Entra ID.

The "MFA requirement satisfied by claim in the token" occurs when you already have an active session with Entra ID.

As for accounts exempted from MFA, there will be no exceptions with the new MFA enforcement. After October 15th, MFA will be mandatory for users attempting to access the Azure Portal, Entra Portal, or Intune Portal. However, for other applications, MFA will not be mandatory. There will be no MFA requirement if users are accessing other apps.

Thanks,
Raja Pothuraju.

Share via

If we use OKTA for MFA does that cover your requirement for MFA by 10/15?

2 answers

Your answer