Hybrid Azure AD Join integration FAQs

Okta offers four types of provisioning:

1. License and Role Management Only

2. Profile Sync

3. User Sync

4. Universal Sync

Of these, only the License and Role Management Only and Profile Sync types are compatible with Azure AD Connect, which is required for Hybrid Azure AD Join. If you want to use Okta provisioning with Hybrid Azure AD, select your provisioning type to either License and Role Management Only or Profile Sync.

The Ctrl+Alt+Del option to reset the password will not work if the machine is not joined to a local domain, that is if it is only joined to Azure AD. In such cases, use an embedded browser session or passwordless flows.

It may happen if the Office 365 app sign on policy in Okta does not include legacy authentication endpoints or custom endpoints. In this case, the login to Okta is passed, but the app sign on policy for Office 365 is denied, which prevents the user from logging in. The exception to this is if the user had successfully logged in on the machine before the policies were changed or enabled.

Yes. Okta supports WS-Trust through the Legacy Endpoint settings in the Office 365 app sign on policy. WS-Trust is the protocol that allows the NTLogin credentials to be passed between Okta as a Federation platform and Active Directory or Azure Active Directory.

You can configure Office 365 app-level sign policy to allow a certain client. See Allow or deny custom clients in Office 365 sign on policy.

This is a known issue if you are using Okta MFA to satisfy Azure AD MFA. See Use Okta MFA for Azure Active Directory.