Leveraging Okta MFA to Secure Access and Adopt Windows Hello for Business

Today, most users expect to be able to access all their applications on any device, from anywhere they’re working. And as our 2019 Businesses at Work report shows, the most popular app by far is Microsoft Office 365. So how can organizations make it easy for their workforce to access applications securely?

Multi-factor Authentication (MFA) has long been touted as an effective countermeasure against password and identity attacks, and many organizations already look to Okta for enhanced security when accessing apps. Biometrics is one of the newest factors available to increase assurance that the user is who they claim to be. One way that organizations are implementing biometrics is through Windows Hello for Business. Now Okta customers can enroll in Windows Hello for Business with Okta MFA to leverage MFA and Windows 10 security features, without negatively impacting the end-user experience. Read on to learn how.

Seamless authentication experience

While Microsoft Azure Active Directory (Azure AD) offers native support for third-party MFA providers via Custom Controls, Okta MFA can also integrate directly with federated Office 365 app instances, with Okta acting as the Identity Provider (IdP) for Office 365. This seamless experience also extends to other applications and services connected to the federated domain.

Two common authentication experience scenarios include use of Okta MFA for step-up challenges in Azure Conditional Access policies, and Windows Hello for Business enrollment. These options give end users the familiar Okta experience, even for step-up authentication. Let’s break down these two common Office 365 integration use cases.

The first use case centers around Azure AD Conditional Access, as organizations may occasionally want to leverage these policies for their Microsoft and O365 apps. (Although Okta has its own adaptive policies, Azure AD Conditional Access may have more visibility into certain Microsoft apps.) But what if you want to use Azure’s policies in O365 applications, but have Okta handle MFA requirements? Okta’s integration allows for this use case too. Admins can set up policies with Azure AD Conditional Access to trigger a step-up authentication in Microsoft apps—through an Okta MFA challenge. For example, let’s say you configured a policy with Azure AD Conditional Access to prompt for MFA when a user moves from an on-network to an off-network zone. While the user has a valid O365 session (i.e., the request originates from Azure, not through Okta), they can still complete the step-up prompt through Okta MFA.

The second common use case involves the enrollment process with Windows Hello for Business. Windows Hello requires Azure MFA for its initial enrollment process. However, for organizations who are already using Okta MFA elsewhere, a second prompt for Azure MFA can be a confusing experience for end users accustomed to completing MFA with Okta. With Okta’s integration, Okta generates a claim stating that authentication has been verified and passes it to Azure AD. As long as the end user successfully signs in with Okta MFA, they can enroll in Windows Hello for Business through the familiar Okta MFA workflow, with a single MFA prompt.

Please note that as of this writing, this feature is available in Early Access; however, it will be enabled by default for all organizations when it becomes Generally Available. In addition, both use cases described above will require Hybrid AAD Join with Okta.
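The two use cases above both hinge on Azure AD trusting a claim in the federation token that says the user already completed MFA at Okta. The following added example (not code from Okta or Microsoft) shows how a relying party would inspect such a token: it parses a constructed SAML assertion and checks the authentication-method-references attribute for the Microsoft multi-factor value, which is what Azure AD looks for from a federated IdP. The claim type and value URIs are taken from Microsoft's federated MFA documentation; the assertion contents, attribute layout and the password-method URI used in the negative case are constructed for illustration and not from the original post.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by the constructed sample tokens below.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Claim type Azure AD inspects for the methods used during authentication,
# and the value a federated IdP sends to state that MFA was satisfied.
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"

# Constructed sample: token from an IdP that performed MFA (assumed layout).
MFA_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AMR_CLAIM}">
      <saml:AttributeValue>
        http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
      </saml:AttributeValue>
      <saml:AttributeValue>{MFA_VALUE}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample: password-only sign-in, so no multipleauthn value.
PASSWORD_ONLY_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-2" Version="2.0">
  <saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AMR_CLAIM}">
      <saml:AttributeValue>
        http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def amr_values(assertion_xml: str) -> list[str]:
    """Return every authentication-method value carried in the assertion."""
    root = ET.fromstring(assertion_xml.strip())
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != AMR_CLAIM:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            text = (value.text or "").strip()  # tolerate whitespace-padded values
            if text:
                values.append(text)
    return values


def mfa_asserted(assertion_xml: str) -> bool:
    """True when the IdP states that multi-factor authentication was completed."""
    return MFA_VALUE in amr_values(assertion_xml)


def step_up_required(assertion_xml: str, policy_requires_mfa: bool) -> bool:
    """Relying-party decision for a Conditional Access style rule.

    If the policy demands MFA and the token does not already carry the
    multipleauthn value, the user must be sent back to the IdP for a
    step-up challenge; otherwise the existing assertion is sufficient.
    """
    return policy_requires_mfa and not mfa_asserted(assertion_xml)


if __name__ == "__main__":
    for label, token in (("mfa", MFA_ASSERTION), ("password", PASSWORD_ONLY_ASSERTION)):
        print(label, amr_values(token), "step-up:", step_up_required(token, True))
```

In the enrollment scenario the relying party only needs `mfa_asserted` to be true to skip its own second MFA prompt; in the Conditional Access scenario `step_up_required` models the decision to redirect the user back to the IdP for the challenge. Signature and validity-window checks on the assertion are deliberately out of scope here and must be done before any claim is trusted.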

Users, IT admins, Orgs + Okta

Today, many organizations trust Okta to secure their identities and provide secure access from all their devices, to all their applications, anywhere their workforce resides. Through built-in integrations and features, Okta extends security and ease of access to Microsoft O365 apps, through both Windows Hello for Business and Azure AD Conditional Access.

By leveraging this feature, IT admins benefit from less complexity (i.e., fewer support tickets), and organizations benefit by leveraging and extending existing Okta investments. And then there's the most important beneficiary—your ecstatic end users, who can now log into their apps with a streamlined workflow.


Interested in discovering more ways to keep your admins and users happy? Check out our Okta + Office 365 Are Better Together video.