Hybrid Azure AD Join integration FAQs

How can I use Okta to provision users and manage licensing in Office 365 while using Hybrid Azure AD Join?

Okta offers four types of provisioning:

  1. License and Role Management Only

  2. Profile Sync

  3. User Sync

  4. Universal Sync

Of these, only the License and Role Management Only and Profile Sync types are compatible with Azure AD Connect, which is required for Hybrid Azure AD Join. If you want to use Okta provisioning with Hybrid Azure AD, select your provisioning type to either License and Role Management Only or Profile Sync.

Why do I get an error when using Ctrl+Alt+Del to reset my password?

The Ctrl+Alt+Del option to reset the password won't work if the machine is only joined to Azure AD and isn't joined to a local domain. In such cases, use an embedded browser session or passwordless flows.

Why can't my users sign in to their Windows 10 account using their federated Azure or Okta username?

It may happen if the Office 365 app sign on policy in Okta doesn't include legacy authentication endpoints or custom endpoints. In this case, the login to Okta is passed, but the app sign on policy for Office 365 is denied, which prevents the user from logging in. An exception is when the user successfully logged in to the machine before the policies were changed or enabled.

Does Okta support WS-Trust required for legacy authentication including Windows 10 clients and other devices?

Yes. Okta supports WS-Trust through the Legacy Endpoint settings in the Office 365 app sign on policy. WS-Trust is the protocol that allows the NTLogin credentials to be passed between Okta as a Federation platform and Active Directory or Azure Active Directory.

How can I allow only Windows 10 devices to sign on through the Office 365 app while denying other legacy authentication?

You can configure Office 365 app-level sign policy to allow a certain client. See Allow or deny custom clients in Office 365 sign-on policy.

Why do my users get stuck into an infinite loop when signing in to their Windows 10 devices?

This is a known issue if you're using Okta MFA to satisfy Azure AD MFA. See Use Okta MFA for Azure Active Directory.