Provide Microsoft admin consent for Okta

Microsoft requires you as an admin to provide consent to allow apps to access users and data in your Microsoft tenant. By granting the consent, you allow the app to access the Microsoft tenant on your behalf. The extent of this access depends on the permissions requested by the app as well as policies set up on your Microsoft tenant.

By providing admin consent to Microsoft, you allow Okta to access the Microsoft Graph API on your behalf and use the information provided by Microsoft Office 365.

Which permissions Okta requires and why

Okta requires these permissions to authenticate and authorize users into Office 365 apps that use OAuth-based authentication. Some of these apps are Yammer, Dynamics CRM, Teams, and Forms.

For Single Sign-on, Okta requires the following permissions in your Microsoft tenant:

Permission | What it means | What it does
Directory.ReadWrite.All | Read and write directory data | Okta can read and write directory data, such as users, groups and apps.
User.ReadWrite.All | Read and write all users' full profiles | Okta can read and write user profiles, create and delete users, and reset user passwords.
User.Read | Sign-in and read user profile | Okta can read user profiles.

Provide Microsoft admin consent for Okta

You can provide admin consent to Microsoft to allow Okta to access directory data in your Microsoft tenant. Okta needs this consent for provisioning and authenticating users in Office 365.

Note

Only a Global Administrator of the Microsoft tenant can grant these permissions.

  1. In Okta,
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the API Credentials section, check the box for Allow administrator to consent for Advanced API access.
    3. Click Authenticate with Microsoft Office 365.

      You are redirected to the Microsoft account login page.

  2. On Microsoft,
    1. Log in to Microsoft as a Global Administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. In Okta,
    1. Save the settings.
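
After consent is granted, the scopes recorded in the Microsoft tenant can be compared with the three permissions listed above. The following is an added example, not Okta's or Microsoft's code: it assumes the permissions are delegated and that the client's oauth2PermissionGrants have been exported from Microsoft Graph as JSON. The sample response and every ID in it are constructed placeholders.

```python
import json

# Delegated permissions the page lists for Single Sign-on.
DOCUMENTED_SCOPES = {"Directory.ReadWrite.All", "User.ReadWrite.All", "User.Read"}

# Constructed sample in the shape of a Microsoft Graph oauth2PermissionGrants
# listing for one client service principal. Every ID is a placeholder.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"clientId": "client-sp-placeholder", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp-placeholder",
     "scope": " Directory.ReadWrite.All User.Read"},
    {"clientId": "client-sp-placeholder", "consentType": "Principal",
     "principalId": "user-placeholder", "resourceId": "graph-sp-placeholder",
     "scope": "User.Read Mail.ReadWrite"},
]})


def audit_grants(response_json, expected=frozenset(DOCUMENTED_SCOPES)):
    """Compare granted delegated scopes with the documented set."""
    tenant_wide, all_scopes, per_user = set(), set(), []
    for grant in json.loads(response_json).get("value", []):
        # "scope" is one space-separated string and may carry a leading space.
        scopes = set((grant.get("scope") or "").split())
        all_scopes |= scopes
        if grant.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes  # admin consent covering the whole tenant
        else:
            per_user.append(grant.get("principalId"))  # consent for one user
    return {
        # Documented scopes absent from admin consent: consent is incomplete.
        "missing": sorted(expected - tenant_wide),
        # Anything beyond the documented list deserves a review.
        "unexpected": sorted(all_scopes - expected),
        "per_user_principals": per_user,
    }


if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_RESPONSE), indent=2))
```

A non-empty "missing" list means the admin consent does not cover everything the page documents; a non-empty "unexpected" list means the client holds scopes beyond the documented set.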

Re-authenticate Microsoft admin consent for Okta

You need to re-authenticate the existing Microsoft admin consent for Okta in the following cases:

  • If you add a new Office 365 app chiclet to the Okta end-user dashboard and that app requires OAuth.
  • If the URL for an Office 365 app chiclet changes.

Note

Only a Global Administrator of the Microsoft tenant can grant these permissions.

  1. In Okta,
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the API Credentials section, click Re-authenticate with Microsoft Office 365.

      You are redirected to the Microsoft account login page.

  2. On Microsoft,
    1. Log in to Microsoft as a Global Administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. In Okta,
    1. Save the settings.

Related topics

Okta Enhancements with Microsoft Office 365 Integration

Enable a Microsoft Office 365 Chiclet

Office 365 Silent Activation
