Okta Enhancements with Microsoft Office 365 Integration

The following details the latest enhancements to our Microsoft Office 365 (O365) integration.

User Provisioning

We provide four different types of user provisioning for Office 365: Licenses/Roles Management Only, Profile Sync, User Sync, and Universal Sync, all of which are described below.

Licenses / Roles Management Only

The only attributes available with this type of provisioning are licenses and roles. If you select this provisioning type, the only Provisioning Features that are available are Update User Attributes and Deactivate Users.

Profile Sync

Profile Sync, our default provisioning, sends this subset of user attributes to Office 365: username, first name, last name, display name, and country code.

User Sync

With the introduction of extended provisioning with User Sync, admins can now choose to provision an enhanced user profile that contains many more attributes, an increase that allows for a much fuller experience of Office 365. These enhancements will help you transition from on-premises Office to cloud-based Office 365.

This feature is GA for all users.

Supported Attributes:

Username
First name
Last name
Primary email
Display name
Middle name
Street address
City
State
Zip Code
UsageLocation
Country code
Country
Department
Office
Telephone
Mobile phone
Fax number
Title
Manager
Preferred Language

Universal Sync

Admins can now provision an even more extended user profile as well as security groups, distribution groups, and contacts. Note: Currently the only resource we sync is Conference Room.

Supported Attributes:

Alias
Assistant
AuthOrig
City
Country
CommonName
Company
CountryCode
CountryLetterCode
Description
Department
DisplayName
DLMemRejectPerms
DLMemSubmitPerms
Email
ExtensionAttribute1
ExtensionAttribute2
ExtensionAttribute3
ExtensionAttribute4
ExtensionAttribute5
ExtensionAttribute6
ExtensionAttribute7
ExtensionAttribute8
ExtensionAttribute9
ExtensionAttribute10
ExtensionAttribute12
ExtensionAttribute13
ExtensionAttribute14
ExtensionAttribute15
FaxNumber
FirstName
HomePhone
Info
Initials
InternetEncoding
IPPhone
LastName
LastPasswordChangeTimestamp
LegacyExchangeDN
Manager
MiddleName
Mobile
MSDSHABSeniorityIndex
MSDSPhoneticDisplayName
MSExchArchiveGuid
MSExchArchiveName
MSExchAssistantName
MSExchAuditAdmin
MSExchAuditDelegate
MSExchAuditDelegateAdmin
MSExchAuditOwner
MSExchBlockedSendersHash
MSExchBypassAudit
MSExchDelegateListLink
MSExchElcExpirySuspensionEnd
MSExchElcExpirySuspensionStart
MSExchElcMailboxFlags
MSExchEnableModeration
MSExchExtensionCustomAttribute1
MSExchExtensionCustomAttribute2
MSExchExtensionCustomAttribute3
MSExchExtensionCustomAttribute4
MSExchExtensionCustomAttribute5
MSExchHideFromAddressLists
MSExchImmutableId
MSExchLitigationHoldDate
MSExchLitigationHoldOwner
MSExchMailboxGuid
MSExchMailboxAuditEnable
MSExchMailboxAuditLogAgeLimit
MSExchModeratedByLink
MSExchModerationFlags
MSExchRecipientDisplayType
MSExchRecipientTypeDetails
MSExchRemoteRecipientType
MSExchRequireAuthToSendTo
MSExchResourceCapacity
MSExchResourceDisplay
MSExchResourceMetadata
MSExchResourceSearchProperties
MSExchRetentionComment
MSExchRetentionUrl
MSExchSafeRecipientsHash
MSExchSafeSendersHash
MSExchSenderHintTranslations
MSExchTeamMailboxExpiration
MSExchTeamMailboxOwners
MSExchTeamMailboxSharePointLinkedBy
MSExchTeamMailboxSharePointUrl
UsageLocation
MSExchUserHoldPolicies
MSRtcSipApplicationOptions
MSRtcSipDeploymentLocator
MSRtcSipLine
MSRtcSipOwnerUrn
MSRtcSipPrimaryUserAddress
MSRtcSipUserEnabled
MSRtcSipOptionFlags
Office
OnPremiseSecurityIdentifier
OtherFacsimileTelephoneNumber
OtherHomePhone
OtherIPPhone
OtherMobile
OtherPager
OtherTelephone
Pager
PreferredLanguage
PostOfficeBox
ProxyAddresses
PublicDelegates
State
Street Address
TargetAddress
TelephoneAssistant
Telephone
Title
UnauthOrig
UserCertificate
UserSMIMECertificate
WwwHomepage
Zipcode
URL

Enabling Enhanced Provisioning

To enable enhanced provisioning, either User Sync or Universal Sync, do the following:

  1. Select Applications > Microsoft Office 365 > Provisioning.
  2. Under Provisioning Style, select User Sync or Universal Sync. This sends Okta's extended user profile to Office 365.
  3. Select the Save button.

By default, Okta maps attributes from the Okta user profile to the Office 365 user profile, but you should review the mappings and change any that do not fit your environment.

To do so:

  1. Scroll to the bottom of the page and under Attribute Mappings, click the Edit Mappings button.
  2. The Microsoft Office 365 User Profile Mappings will open.
  3. Select the Okta to Microsoft Office 365 tab.
  4. View the attribute mappings and make edits if necessary.
  5. Once you are satisfied with the mappings, click the Save mappings button.

This is an Early Access feature. To enable it, please contact Okta Support.

Enhanced Deprovisioning

Deactivating (or deprovisioning) an Office 365 user occurs when they are unassigned in Okta or their Okta account is deactivated. If the app is reassigned in Okta, the user can be reassigned. Enhanced deprovisioning only works with provisioned Office 365 instances and provides a more granular offboarding workflow.

To access enhanced deprovisioning, do the following:

  1. From the Administrative Dashboard, hover over the Applications drop-down menu.
  2. From the Applications page, scroll down to your instance of Office 365.
  3. From the Office 365 page, select the Provisioning tab.
  4. Scroll down to Deactivate Users and ensure that the Enable checkbox is checked.
  5. From the Microsoft Office 365 user status on deactivation drop-down, choose from the list of options.

Deprovisioning Status Options

The options under the Microsoft Office 365 user status on deactivation menu allow for granular deactivation and deprovisioning of end users.

Note: An Okta recommended best practice is to always include a 3-day grace period for any action that deletes users. This can reduce the necessity to restore deleted users and their data in Office 365.

Block sign-in

Blocks the Office 365 end user from signing in, but retains license and user data on the user account.

Block sign-in and remove licenses

  • Blocks the Office 365 end user from signing in and immediately removes any licenses assigned to them.
  • This also triggers the deletion of stored data from the user's personal folders within other Office 365 apps (e.g., OneDrive, SharePoint, etc.). After 30 days, this data is irrecoverable.

Note: Once Microsoft has irrecoverably removed data, it is not possible to recover it.

Block sign-in and remove licenses after grace period

  • Blocks the Office 365 end user from signing in and waits for a specified number of days before removing the end-user licenses. The grace period gives admins time to temporarily retain the user data and licensing so they can back up information or allow others to gain access and review the account.
  • Once the grace period expires, data stored in personal folders within other Office 365 apps (e.g., OneDrive, SharePoint, etc.) goes through the Microsoft deletion process. After 30 days, this data is irrecoverable.

Note: Once Microsoft has irrecoverably removed data, it is not possible to recover it.

  • If the user is reassigned to Office 365 before the grace period expires, the licenses are not removed and the user is restored back to their original state.
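To make the timing of the three deactivation options concrete, the following is an added example (not Okta code) that models them as a timeline: when sign-in is blocked, when licenses are removed, when Microsoft's 30-day deletion window closes, and whether reassigning the app in Okta on a given day still brings the user back with licenses intact. The option names, the date inputs and the assumption that "before the grace period expires" means strictly before the license-removal day are this example's own.

```python
"""Timeline model of the 'Microsoft Office 365 user status on deactivation'
options. Added example, not Okta code: it encodes only the behaviour the
page describes (immediate vs. grace-period license removal, the 30-day
Microsoft deletion window, restore on reassignment during the grace period).
Dates are passed and compared as ISO strings (YYYY-MM-DD)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RECOMMENDED_GRACE_DAYS = 3     # Okta's recommended grace period for deleting users
MS_DELETION_WINDOW_DAYS = 30   # data is irrecoverable 30 days after license removal

# Option identifiers are this example's own names for the three menu entries.
BLOCK = "block_sign_in"
BLOCK_REMOVE = "block_sign_in_and_remove_licenses"
BLOCK_REMOVE_AFTER_GRACE = "block_sign_in_and_remove_licenses_after_grace_period"


@dataclass(frozen=True)
class DeprovisionPlan:
    option: str
    deactivated_on: date                    # day of the Okta unassignment/deactivation
    licenses_removed_on: Optional[date]     # None when licenses are retained
    data_irrecoverable_on: Optional[date]   # None when no deletion is triggered


def plan_deprovisioning(option: str, deactivated_on: str,
                        grace_days: int = RECOMMENDED_GRACE_DAYS) -> DeprovisionPlan:
    """Compute when licenses go and when Microsoft's deletion becomes final."""
    start = date.fromisoformat(deactivated_on)
    if option == BLOCK:
        # Sign-in is blocked, but license and user data stay on the account.
        return DeprovisionPlan(option, start, None, None)
    if option == BLOCK_REMOVE:
        removed = start
    elif option == BLOCK_REMOVE_AFTER_GRACE:
        if grace_days < 0:
            raise ValueError("grace period must be zero or more days")
        removed = start + timedelta(days=grace_days)
    else:
        raise ValueError(f"unknown deactivation option: {option}")
    return DeprovisionPlan(option, start, removed,
                           removed + timedelta(days=MS_DELETION_WINDOW_DAYS))


def licenses_intact_on_reassignment(plan: DeprovisionPlan, reassigned_on: str) -> bool:
    """True when reassigning the app in Okta on `reassigned_on` restores the user
    with licenses still in place: always for block-only (licenses are retained),
    never once licenses were removed immediately, and for the grace-period option
    only while the grace period is still running (assumed: strictly before the
    license-removal day)."""
    if plan.option == BLOCK:
        return True
    if plan.option == BLOCK_REMOVE:
        return False
    return date.fromisoformat(reassigned_on) < plan.licenses_removed_on


def days_until_irrecoverable(plan: DeprovisionPlan) -> Optional[int]:
    """Total backup window measured from deactivation: grace period plus the
    30-day Microsoft deletion window. None when nothing is deleted."""
    if plan.data_irrecoverable_on is None:
        return None
    return (plan.data_irrecoverable_on - plan.deactivated_on).days


if __name__ == "__main__":
    plan = plan_deprovisioning(BLOCK_REMOVE_AFTER_GRACE, "2024-01-10")
    print(f"licenses removed {plan.licenses_removed_on}, "
          f"data irrecoverable {plan.data_irrecoverable_on}, "
          f"backup window {days_until_irrecoverable(plan)} days")
    print("reassigned 2024-01-12 keeps licenses:",
          licenses_intact_on_reassignment(plan, "2024-01-12"))
```

The point the model makes visible is that the backup window is the grace period plus 30 days, not 30 days alone, and that with the immediate-removal option there is no window in which reassignment restores the licenses.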

Centralized Microsoft Office 365 Licenses Control

Previously, Office 365 licensing allowed you to select a general license to assign during user provisioning, but you could not control which specific services were made available to the user. Admins now have the ability to specify which Office 365 services are enabled during user provisioning. For example, you could assign Microsoft E3 licenses with only Exchange and Lync enabled for your Sales team, while your Support team gets an E3 license with only SharePoint Online enabled.

To specify which services are made available to your selected user or group, do the following:

  1. When assigning a user or a group to Office 365, you are now presented with Licenses options.

Notes:
  • If you have selected a Provisioning Type of Licenses/Roles Management Only (see User Provisioning, above) these licenses and roles are the only attributes available.
  • Office 365 licenses that do not have a status set are not displayed.

  2. Select the services you want the selected user or group to be licensed to use.
  3. Continue provisioning as before.

Mapping Custom Attributes

Admins can also map custom attributes not included in the default profile. For example, admins can now add a mapping for the ProxyAddresses attribute, part of the Early Access offering (above), even if they have not enabled the Early Access feature.

Using the ProxyAddresses attribute as an example, mapping a custom attribute takes the following three steps:

  1. Add the ProxyAddresses Attribute to your Okta Active Directory Profile
  2. Add the ProxyAddresses Attribute to your Office 365 App Profile
  3. Map from Okta to Office 365 App

Add the ProxyAddresses Attribute to your Okta Active Directory Profile

  1. Select Directory > Profile Editor from the Admin Dashboard.
  2. Select the Profiles sub-tab, then expand the DIRECTORIES menu on the left and select your AD profile.
  3. Click the Add Attribute button. The Pick Schema Attributes screen opens.
  4. Search for, then select the ProxyAddresses attribute, then click Save.

Add the ProxyAddresses Attribute to your Office 365 App Profile

  1. Select the Profiles sub-tab, then expand the APPS menu on the left and select your Office 365 User profile.
  2. Click Add Attribute. The Pick Schema Attributes screen opens.
  3. Search for, then select the ProxyAddresses attribute, then click Save.

Map from Okta to Office 365

  1. With your Microsoft Office 365 User profile still selected, click Map Attributes. The Microsoft Office 365 User Profile Mappings screen opens.
  2. Select the Okta to Microsoft Office 365 tab.
  3. Scroll down and enter the following expression for the ProxyAddresses attribute:

    hasDirectoryUser()?findDirectoryUser().proxyAddresses:null

  4. Click the Save Mappings button.
  5. Select Apply updates now so that the new mappings apply to all users with this profile.
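Before applying a mapping like the one above to every user with the profile, it helps to preview what the expression will produce. The following is an added example (not Okta code and not Okta Expression Language) that models the expression's two branches in Python over constructed sample users: users with a linked Active Directory record receive the AD proxyAddresses, users without one get null so the attribute stays unset. The sample user records, the field names, and the duplicate-address check (Exchange Online requires proxy addresses to be unique within a tenant, so a duplicate surfaces as a provisioning error) are this example's own additions.

```python
"""Preview of the mapping expression
    hasDirectoryUser()?findDirectoryUser().proxyAddresses:null
modelled in Python. Added example, not Okta code; the user records below are
constructed and the 'directory_user' field stands in for the linked AD profile."""
from typing import Dict, List, Optional, Tuple

# Constructed sample Okta users. 'directory_user' is None for an Okta-mastered
# user with no linked AD record, which is the case where hasDirectoryUser()
# evaluates to false.
SAMPLE_USERS = [
    {"login": "alice@example.com",
     "directory_user": {"proxyAddresses": ["SMTP:alice@example.com",
                                           "smtp:a.smith@example.com"]}},
    {"login": "bob@example.com", "directory_user": None},
    {"login": "carol@example.com",
     "directory_user": {"proxyAddresses": ["SMTP:carol@example.com",
                                           "smtp:a.smith@example.com"]}},
]


def has_directory_user(user: dict) -> bool:
    """Stand-in for hasDirectoryUser(): is an AD record linked to this user?"""
    return user.get("directory_user") is not None


def find_directory_user(user: dict) -> dict:
    """Stand-in for findDirectoryUser(): the linked AD record."""
    return user["directory_user"]


def map_proxy_addresses(user: dict) -> Optional[List[str]]:
    """Evaluate the conditional mapping: the AD proxyAddresses when an AD record
    is linked, otherwise None (null), which leaves the attribute unset rather
    than failing the mapping for Okta-mastered users."""
    if has_directory_user(user):
        return find_directory_user(user).get("proxyAddresses")
    return None


def preview_mapping(users: List[dict]) -> Dict[str, object]:
    """Return what each user's ProxyAddresses attribute would be set to, the
    users the expression leaves unset, and any proxy address that the mapping
    would assign to two different users (added sanity check; addresses are
    compared case-insensitively because SMTP:/smtp: prefixes differ only in case)."""
    mapped = {u["login"]: map_proxy_addresses(u) for u in users}
    unmapped = sorted(login for login, addrs in mapped.items() if addrs is None)
    first_owner: Dict[str, str] = {}
    duplicates: List[Tuple[str, str, str]] = []
    for login, addrs in mapped.items():
        for addr in addrs or []:
            key = addr.lower()
            if key in first_owner and first_owner[key] != login:
                duplicates.append((addr, first_owner[key], login))
            first_owner.setdefault(key, login)
    return {"mapped": mapped, "unmapped": unmapped, "duplicates": duplicates}


if __name__ == "__main__":
    result = preview_mapping(SAMPLE_USERS)
    for login, addrs in result["mapped"].items():
        print(f"{login}: {addrs}")
    print("left unset (no AD record):", result["unmapped"])
    for addr, first, second in result["duplicates"]:
        print(f"duplicate proxy address {addr!r} on {first} and {second}")
```

Run against the sample data, the preview shows bob@example.com left unset because he has no directory record, and flags smtp:a.smith@example.com as assigned to both alice and carol, which is the kind of conflict to resolve in AD before selecting Apply updates now.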

For general information about custom attributes, see Using Custom Attributes with Active Directory.
