Enable requested authn. context
Usage By default WPO365 | LOGIN will set the requested authentication context to false. Checking this option will prevent this.
Please note Some customers have reported that users that are on an AAD joined device will have their MFA claim attached to their primary refresh token, meaning that non-incognito authentication attempts via Edge, or Chrome with the Windows 10 Accounts or Office Online extensions, will supply an authentication type of X509, multifactor. This is problematic because it does not appear that there is an option to include a multifactor designation alongside X509 in the requestedAuthnContext, which in turn means that such an authentication type will not work against an SSO application that specifies an array for requestedAuthnContext. Setting that value to false therefore seems the best thing to do in that case.
Path WP Admin > WPO365 > Single Sign-on
Visit the website https://www.wpo365.com/