Prepare for the migration

Before you can migrate your org from Microsoft Entra ID to Okta, you need to create a service app in Microsoft Entra ID and configure Okta Workflows.

Before you begin

Create a service app in Microsoft Entra ID

Assign API permissions to a service app so you can export app metadata from Microsoft Entra ID to Okta.

Register the app

  1. In the Microsoft Entra admin center, go to App registrations > New registration. The Register an application dialog opens.

  2. Enter a name for the app and select Accounts in this organizational directory only.

  3. Click Register.

Add API permissions

  1. Go to Manage > API permissions.

  2. Click Add a permission. The Request API permissions dialog opens.

  3. On the Microsoft APIs tab, select Microsoft Graph.

  4. Select Application permissions, and then add these permissions to the app:

    • Application.Read.All
    • AppRoleAssignment.ReadWrite.All
    • Policy.Read.All
  5. Click Grant admin consent. Admin consent is granted to each of the permissions that you selected in the previous step.

Create a client secret

  1. Go to Manage > Certificates & secrets.

  2. Select the Client secrets tab and click New client secret. The Add a client secret dialog opens.

  3. Enter a description and expiration, and then click Add.

  4. On the Client secrets tab, copy the secret that appears in the Value column. Store it safely so you can use it later in Okta Workflows.

Copy the OAuth 2.0 token endpoint

  1. Go to Manage > App registrations.

  2. Click Endpoints.

  3. Copy the OAuth 2.0 token endpoint (v2) link. Store it safely so you can use it later in Okta Workflows.
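
A pre-flight check for the service app created above, as an added example that is not part of the original page or Okta's own tooling: it builds the client-credentials request for the token endpoint (v2) and compares the token's roles claim with the three permissions listed under Add API permissions. The function names, the https://graph.microsoft.com/.default scope value, and the sample token are assumptions of this example.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions this page assigns to the service app.
REQUIRED_ROLES = {
    "Application.Read.All",
    "AppRoleAssignment.ReadWrite.All",
    "Policy.Read.All",
}

def build_token_request(token_endpoint, client_id, client_secret):
    """Client-credentials request for the OAuth 2.0 token endpoint (v2)."""
    if not token_endpoint.lower().startswith("https://"):
        raise ValueError("refusing to send the client secret over a non-HTTPS URL")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # assumed scope value
    }).encode()
    return urllib.request.Request(token_endpoint, data=form, method="POST")

def fetch_access_token(token_endpoint, client_id, client_secret):
    """Live call; needs network access and the real values copied from Entra."""
    req = build_token_request(token_endpoint, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]

def granted_roles(access_token):
    """Read the 'roles' claim. Inspection only: the signature is not verified."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def audit_roles(roles):
    """missing: consent not granted yet. extra: more than this page asks for."""
    return {"missing": sorted(REQUIRED_ROLES - roles),
            "extra": sorted(roles - REQUIRED_ROLES)}

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_token(roles):
    """Constructed, unsigned token for offline runs; not a real Entra token."""
    return ".".join([_b64url({"alg": "none"}), _b64url({"roles": roles}), "sig"])

if __name__ == "__main__":
    # Constructed case: one permission without consent, one unexpected grant.
    token = sample_token(["Application.Read.All", "Policy.Read.All", "Directory.ReadWrite.All"])
    print(audit_roles(granted_roles(token)))
```

For a live check, pass the result of fetch_access_token() to granted_roles() instead of the sample token, and keep the client secret out of shell history and source control.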

Configure Okta Workflows

Complete these steps to configure Okta Workflows for the Microsoft Entra ID migration.

Add the Microsoft Entra ID migration flows template to Okta Workflows

  1. Sign in to the Okta Workflows console.

  2. Go to the Templates page.

  3. Search for and select the Entra ID Configuration Export and Migration to Okta flow.

  4. Click Add Template.

  5. In the confirmation dialog, click Add Template again. The template is added as a folder in your Workflows environment. If a folder with the same name exists, this action adds a second folder with the same name.

  6. On your Workflows home page, click the new folder to view the components of the flow. The folder displays eight flows and two tables.

  7. Toggle on each flow.

Create an API Connector connection

  1. In the Okta Workflows console, click Connections.

  2. Click New Connection. The New Connection dialog opens.

  3. Search for and select the API Connector.

  4. Click Create.

  5. Enter a name for the connector and set the Auth Type to None.

  6. Click Create.

Add the API Connector to the Microsoft Entra ID flows

  1. In Okta Workflows, open the folder that contains the Microsoft Entra ID flows.

  2. Select a flow.

  3. Scroll to the API Connector.

  4. Click Choose Connection and select the connection that you created earlier.

  5. Repeat these steps for each flow.

Set up the Okta Workflows Connection

  1. Sign in to the Workflows and Admin Consoles.

  2. In the Workflows Console, click Connections.

  3. Click New Connection. The New Connection dialog opens.

  4. Search for and select the Okta connector.

  5. In the New Connection window, enter a name and an optional description.

  6. In the Admin Console, go to Applications > Applications.

  7. Search for and select the Okta Workflows OAuth app.

  8. Click the Sign On tab and copy the Client ID and Client secret values.

  9. In the Workflows Console, paste the values that you copied into the Client ID and Client Secret fields.

  10. Enter the Okta domain without the https:// (for example, atko.okta.com) in the Domain field.

  11. Click the Permissions tab.

  12. Select Customize scopes (advanced).

  13. Add the following scopes to the connection, and then click Create:

    • okta.apps.manage

    • okta.groups.manage

    • okta.policies.manage

Run the export flow

  1. In the Workflows Console, open the folder that contains the Microsoft Entra ID export flows.

  2. Select the 1.0 Get Entra ID Application Information - Parent Flow.

  3. Click Run.

  4. Enter the token endpoint, client ID, and client secret values that you copied earlier.

  5. Click Run.

  6. Select Tables > EntraID Application Export Table from the export file folder to view the exported data. The table displays the following information:

    • Application Name: The name of the app.

    • ID: A unique identifier for the app in Microsoft Entra ID.

    • App ID: A unique identifier for the app type in Microsoft Entra ID.

    • Entity ID: A unique identifier for a SAML app.

    • ACS or Redirect URL: For SAML apps, this is the URL where the SAML assertion is posted. For OIDC apps, this is the redirect URL where the auth code is posted.

    • Application Protocol: The app protocol type (SAML or OIDC).

    • Group Assignment: The groups the app is assigned to.

    • Action: Displays Migrate. Okta creates these apps in your org using the app metadata from Microsoft Entra ID.
    • Okta App ID: Leave this blank. The column displays the app ID after the app is created in Okta.

    • Status: Leave this blank. The column displays a status after the flow completes.

Next steps

Migrate Conditional Access policies from Microsoft Entra ID to Okta

Okta sign-on policies

Migrate apps from Microsoft Entra ID to Okta

Configure bookmark apps