Provide Microsoft admin consent for Okta

Microsoft requires an admin to provide consent before an app can access users and data in your Microsoft tenant. By granting admin consent, you allow Okta to access the Microsoft Graph API on your behalf and to use the information provided by Microsoft Office 365.

Which permissions Okta requires and why

Okta requires these permissions to authenticate and authorize users into Office 365 apps that use OAuth-based authentication. Some of these apps are Yammer, Dynamics CRM, Teams, and Forms.

Okta requires the following permissions in your Microsoft tenant:

Permission                          Allows Okta to
User.ReadWrite.All                  create, read, update, and delete users.
Group.ReadWrite.All                 create, read, update, and delete groups.
GroupMember.ReadWrite.All           add or remove members in a group.
Organization.Read.All               list acquired licenses and remaining seats in a tenant.
Application.Read.All                list the application registrations and service principals in a tenant.
RoleManagement.ReadWrite.Directory  assign directory roles to users, groups, and service principals.

Provide Microsoft admin consent for Okta

You can provide admin consent to Microsoft to allow Okta to access directory data in your Microsoft tenant. Okta needs this consent for provisioning and authenticating users in Office 365.

Note: Only a Global Administrator of the Microsoft tenant can grant these permissions.

Provide Microsoft admin consent for single sign on

  1. In Okta,
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the API Credentials section, check the box for Allow administrator to consent for Advanced API access.
    3. Click Authenticate with Microsoft Office 365.

      You are redirected to the Microsoft account login page.

  2. On Microsoft,
    1. Log in to Microsoft as a Global Administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. In Okta,
    1. Save the settings.
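
After consent is saved, the permissions recorded in the tenant can be compared with the list of permissions above. The following Python is an added example, not Okta or Microsoft code; it assumes the grants were exported from Microsoft Graph as oauth2PermissionGrant and appRoleAssignment records (the page does not say whether the permissions are delegated or application, so both are handled), and all IDs and sample records are constructed placeholders.

```python
# Added example: audit the consent granted to Okta against the page's permission list.
EXPECTED = {
    "User.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All",
    "Organization.Read.All", "Application.Read.All",
    "RoleManagement.ReadWrite.Directory",
}

def granted_permissions(sp_id, oauth2_grants, role_assignments, resource_app_roles):
    """Return the permission names granted tenant-wide to service principal sp_id."""
    granted = set()
    # Delegated permissions: oauth2PermissionGrant.scope is a space-separated string.
    # Admin consent is recorded with consentType "AllPrincipals".
    for grant in oauth2_grants:
        if grant["clientId"] == sp_id and grant.get("consentType") == "AllPrincipals":
            granted.update(grant.get("scope", "").split())
    # Application permissions: appRoleAssignment carries only an appRoleId, which is
    # resolved through the appRoles of the resource (Microsoft Graph) service principal.
    names = {role["id"]: role["value"] for role in resource_app_roles}
    for assignment in role_assignments:
        if assignment["principalId"] == sp_id:
            role_id = assignment["appRoleId"]
            granted.add(names.get(role_id, "unresolved:" + role_id))
    return granted

def audit(granted, expected=EXPECTED):
    """Compare granted permissions with the documented set."""
    return {"missing": sorted(expected - granted),
            "unexpected": sorted(granted - expected)}

# Constructed sample data shaped like Microsoft Graph responses (all IDs are placeholders).
OKTA_SP = "sp-okta-placeholder"
SAMPLE_GRANTS = [
    {"clientId": OKTA_SP, "consentType": "AllPrincipals",
     "scope": "User.ReadWrite.All Group.ReadWrite.All GroupMember.ReadWrite.All "
              "Organization.Read.All Directory.ReadWrite.All"},
    {"clientId": "sp-other-placeholder", "consentType": "AllPrincipals",
     "scope": "Mail.Read"},
]
SAMPLE_ASSIGNMENTS = [{"principalId": OKTA_SP, "appRoleId": "role-placeholder-1"}]
SAMPLE_APP_ROLES = [{"id": "role-placeholder-1",
                     "value": "RoleManagement.ReadWrite.Directory"}]

if __name__ == "__main__":
    print(audit(granted_permissions(OKTA_SP, SAMPLE_GRANTS,
                                    SAMPLE_ASSIGNMENTS, SAMPLE_APP_ROLES)))
```

An "unexpected" entry means the service principal holds more than the documented set; a "missing" entry means consent should be re-authenticated.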

Re-authenticate Microsoft admin consent for Okta

You need to re-authenticate the existing Microsoft admin consent for Okta in the following cases:

  • If you add a new Office 365 app to the Okta end-user dashboard and that app requires OAuth.
  • If the URL for an Office 365 app changes.

Note: Only a Global Administrator of the Microsoft tenant can grant these permissions.

Re-authenticate Microsoft admin consent for single sign on

  1. In Okta,
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the API Credentials section, click Re-authenticate with Microsoft Office 365.

      You are redirected to the Microsoft account login page.

  2. On Microsoft,
    1. Log in to Microsoft as a Global Administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. In Okta,
    1. Save the settings.
