Provision users to Office 365

You can create, update, and deprovision users in Office 365 from your Okta orgThe Okta container that represents a real-world organization.. You can import users from different source directories into Okta and provision them in Office 365 using profile mappings.


Bring users in Okta

You can import users from a directory such as Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. (AD) or an appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. such as Salesforce. You can also create users directly in Okta. See the following for more information.


1. Decide type of provisioning

Depending on your provisioning needs, you can select one of the following provisioning types.

  Operations supported ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. options
Licenses and Roles Management Only Profile Sync User Sync Universal Sync
Provision Users  
Push licenses and roles Y Y Y Y
Create user N Y Y Y
Deactivate user Y Y Y Y
Edit user directly from within Office 365 Y(a) Y N(b) N(b)
Sync profile attributes(c)  
Sync basic user profile attributes N Y Y Y
Sync limited number of extended attributes in addition to the basic attributes N N Y Y
Sync all extended attributes N N N Y
Sync AD groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. and resources(d)  
Sync security groups N N N Y
Sync contacts N N N Y
Sync distribution lists N N N Y
Sync resource mailboxes N N N Y
  1. Not available with Azure Active Directory Sync or Directory Synchronization.
  2. Users can no longer be edited directly from within Office 365. Changes must occur at the source of truth and be synced across.
  3. See Supported user profile attributes for Office 365 provisioning
  4. To sync groups from other directory services and apps to Office 365, configure Group Push. You must first configure provisioning and user assignments before pushing groups to Office 365. See Using Group Push.


  • User Sync and Universal Sync cannot be used with DirSync, Azure Active Directory Sync, or Azure Active Directory Connect.
  • Once you select User Sync or Universal Sync, you can not modify your selection back to Profile Sync.


2. Set up Okta → Office 365 provisioning

You can automate provisioning tasks by enabling API integration and configuring settings for different user life cycle stages.

2.1. Enable API integration

Office 365 requires a token to authenticate against the Microsoft API. This allows Okta to implement provisioning in Office 365.

  1. Go to Office 365 > Provisioning > API Integration > Configure API Integration.
  2. Check Enable API Integration.
  3. Enter your Office 365 Global Administrator credentials.
  4. To import groups now, check Import Groups.

    You can import groups later after finishing provisioning. See Skip importing groups during Office 365 user provisioning.

  5. Click Test API Credentials.
  6. Save the credentials once they are verified successfully.

2.2. Select provisioning type and settings

You can select provisioning and deprovisioning settings depending on the provisioning type you select.

  1. Go to Office 365 > Provisioning > To App > Edit.
  2. Select Office 365 Provisioning Type. See Provisioning options for Office 365.

    For Universal Sync only: Check Send full profile, contacts, and conference rooms from these AD instances if you want to sync AD groups and resources.

  3. Enable or Disable other provisioning settings. See Enhanced provisioning and deprovisioning for Office 365.
  4. Click Save.

3. Map profile attributes Okta → Office 365

Depending on where your users are mastered, the username format can vary. For users to successfully sign into Office 365, their username for Office 365 must be in an email address format for the domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). you are federating (username@yourfederated.domain).

Map username as-is

If your users already have their usernames in an email address format for the domain you are federating (username@yourfederated.domain) format, you can map the email as-is.

  1. Go to Office 365 > Sign on > Edit.
  2. In Credentials Details > Application username format, select Email.
  3. Click Save.

Map custom username

If your users are mastered in different directories or apps, their username format may vary. You can use Okta expression language to customize the username that will be passed on to Office 365.

  1. Go to Office 365 > Sign on > Edit.
  2. In Credentials Details > Application username format, select Custom.
  3. Enter this expression in the provided text box.

    String.substringBefore(, "@") + "@yourfederated.domain"

  4. Replace yourfederated.domain with the domain you are federating.
  5. Enter an Okta user in the Preview box to check the result of the mapping.
  6. The resulting username should match the Office 365 username for the user.
  7. Click Save.

Map email address

If your users’ email addresses do not reside in the domain you are federating, you can use Okta expression language to customize the email address that will be passed on to Office 365.


Provisioning type should be selected to User Sync or Universal Sync. See Provisioning options for Office 365.

  1. Go to Directory > Profile Editor > Microsoft Office 365 Mappings > Okta to Microsoft Office 365.
  2. In field, enter the expression:

    String.substringBefore(, "@") + "@yourfederated.domain"

  3. Replace yourfederated.domain with the domain you are federating.
  4. Enter an Okta user in the Preview box to check the result of the mapping.
  5. The resultant email address should match the Office 365 email address for the user.
  6. Exit Preview and save mappings.
  7. Click Apply Updates Now.

4. Test provisioning

Ensure you have correctly configured provisioning by assigning Office 365 to test users in Okta and verifying they appear in your Microsoft tenant.


Create Users option in Provisioning must be checked..


In Okta,

  1. Open Assignment tab of the Microsoft Office 365 app.
  2. Click Assign.
  3. Assign appropriate Office 365 licenses to test users.
  4. Click Done.

In Microsoft AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Center,

  1. Open the list of Active Users.
  2. Ensure all test users appear in the list with appropriate licenses.

In Okta,

  1. Log into Okta as a test user.
  2. Ensure all Office 365 apps appear on the user dashboard.


If you have selected User Sync or Universal Sync provisioning type, all users irrespective of their profile mastery, appear as Synced with Active Directory in the Office 365 tenant. However, the user is still mastered at the source directory.


Previous: Add Office 365 to Okta

Next: Configure Single Sign on for Office 365