As the leading independent provider of enterprise identity, Okta integrates with more than 5000 cloud applications out-of-the-box. These cloud applications are accessible from the Internet and hence are regularly targeted by adversaries. Okta’s security team sees countless intrusion attempts across its customer base, including phishing, password spraying, KnockKnock and brute-force attacks. The team continuously monitors and rapidly responds to these attacks to protect customer tenants and the Okta service. The most commonly targeted application for these attacks is Office 365, a cloud business productivity service developed by Microsoft.
This document covers the security issues discussed above and provides illustrative guidance on how to configure the Office 365 application with Okta to bridge the gap created by the lack of MFA for Office 365. This information is based on internal research performed by the Okta security team and does not constitute a replacement for Okta documentation addressing Office 365 configuration for Okta.