ITEric
I see the biggest vector for attack from this to be an attacker pretending to be an IT staffer and asking for credentials. MFA makes those creds useless (mostly). I would also recommend, as part of the lasagna, making sure you disable the ability for external people to remote control internal users via Teams.
No problem for me, then. The only IT staffers are me, myself and I.
On the MFA thing, it has been done in targeted attacks: a portal that looks like Azure AD or Okta (or another SSO provider), so that the user goes there, gets prompted, and the answer is then provided to the attacker, who then goes to the real logon portal with the OTP.
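The real-time OTP relay described in that post, as an added simulation (this is not code from the thread, nor from Okta or Azure AD). TOTP is implemented per RFC 6238 with only the Python standard library; the user, password, TOTP seed, origins and clock value are constructed sample values. The "origin-bound" factor at the end is a deliberately simplified model of how a WebAuthn-style authenticator mixes the page origin into what it signs, included to show why that kind of factor does not relay; it is not a real WebAuthn implementation.

```python
"""Simulate the phishing-portal OTP relay: victim enters a TOTP code on a look-alike
page, the attacker immediately submits it to the real logon portal.  Added example."""
import base64
import hashlib
import hmac
import struct

STEP = 30                                   # TOTP time step in seconds
REAL_ORIGIN = "https://login.example.com"   # assumed genuine IdP origin
PHISH_ORIGIN = "https://login-example.com"  # assumed look-alike phishing origin
SECRET_B32 = "JBSWY3DPEHPK3PXP"             # constructed TOTP seed for the sample user
AT = 1_700_000_000                          # fixed clock so the run is deterministic


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret_b32, at // STEP)


class RealIdP:
    """The genuine logon portal: password + TOTP, tolerating one step of clock skew
    on either side, which is what real servers do and what gives the attacker time."""

    def __init__(self, users: dict):
        self.users = users  # username -> (password, base32 TOTP secret)

    def login_totp(self, user: str, password: str, code: str, at: int):
        pw, secret = self.users.get(user, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            return None
        counter = at // STEP
        for c in (counter - 1, counter, counter + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                return f"session:{user}"
        return None


def sign_origin_bound(key: bytes, challenge: bytes, origin: str) -> str:
    """Authenticator side of the origin-bound factor.  The browser, not the page,
    supplies `origin`, so a phishing page cannot claim to be the real site."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


def verify_origin_bound(key: bytes, challenge: bytes, signature: str) -> bool:
    """IdP side: only a signature produced on the real origin verifies."""
    expected = sign_origin_bound(key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, signature)


IDP = RealIdP({"alice": ("hunter2", SECRET_B32)})  # constructed sample user
AUTH_KEY = b"constructed-authenticator-key"        # constructed per-user authenticator key


def relay_totp_within_window() -> bool:
    """The attack from the post: the victim reads the current code from her app and
    types it into the fake page; the attacker submits it to the real portal 5 s later."""
    victim_code = totp(SECRET_B32, AT)
    return IDP.login_totp("alice", "hunter2", victim_code, AT + 5) is not None


def relay_totp_too_late() -> bool:
    """Same captured code replayed two minutes later: outside the skew window."""
    victim_code = totp(SECRET_B32, AT)
    return IDP.login_totp("alice", "hunter2", victim_code, AT + 120) is not None


def relay_origin_bound() -> bool:
    """Same relay against the origin-bound factor: the attacker fetches a challenge from
    the real IdP and forwards it, but the victim's browser signs it with the phishing
    origin, so the relayed signature is rejected."""
    challenge = b"nonce-from-real-idp"
    relayed_sig = sign_origin_bound(AUTH_KEY, challenge, PHISH_ORIGIN)
    return verify_origin_bound(AUTH_KEY, challenge, relayed_sig)


def legit_origin_bound() -> bool:
    """Control case: the same factor used directly on the real site."""
    challenge = b"nonce-from-real-idp"
    sig = sign_origin_bound(AUTH_KEY, challenge, REAL_ORIGIN)
    return verify_origin_bound(AUTH_KEY, challenge, sig)


if __name__ == "__main__":
    print("TOTP relayed within window :", relay_totp_within_window())  # True
    print("TOTP replayed 2 min later  :", relay_totp_too_late())       # False
    print("origin-bound relayed       :", relay_origin_bound())        # False
    print("origin-bound on real site  :", legit_origin_bound())        # True
```

The point the simulation makes is that the IdP has no way to tell a relayed code from one the user typed in directly: the code is just a number, and the skew window the server must allow for clock drift is more than enough time for an attacker sitting on the fake page to forward it. A factor whose response is bound to the origin the browser actually connected to does not have that problem, because the forwarded response was computed for the wrong site.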
I have encouraged my users to use Okta Verify so they can accept the push as opposed to using a numeric code. I did it for their convenience (I find it convenient), but I guess that also eliminates this risk that you mentioned.
As a side note, we don't use 3rd party SSO; we are pure Azure AD and loving it. From Azure AD Proxy for internal apps, to SAML SSO agreements for external ones. That plus the protections of Azure AD Security AI for risky sign-ins. If you're struggling with Okta for some on-prem web apps, check out Azure AD Proxy.
I chose a 3rd party to have an SSO portal where users can go, like accountants to log in to banks, marketing to Adobe Cloud, VPN to the office, etc. I assumed that you can't do that with Azure without even checking. Can you??