Okta - Office 365 Deployment Guide
About this Guide
This Deployment Guide contains a significant amount of information due to the complexity often involved in migrating from existing on-premises Office services (Exchange, SharePoint, Skype for Business) to the Microsoft Office 365 cloud platform. We suggest you first scan through the document to understand the overall tasks, then read in detail the areas that apply to your deployment.
Microsoft Office 365 Overview
Office 365 is Microsoft’s cloud offering targeted at organizations using services such as Office, Skype for Business, Yammer, Exchange, and SharePoint. Office 365 aims to reduce the on-premises footprint previously required to run these services. Microsoft is recreating these services in the cloud building upon Azure services including Azure Active Directory (AAD), a cloud-based user and group directory that provides authentication, and user/group/device management services for Office 365.
For end users, sending email, creating documents, and chatting with co-workers in Office 365 is almost identical to using the same services in your on-premises data center. The difference is that IT no longer has to manage a large farm of Exchange, Skype for Business, and SharePoint servers. Traditional applications such as Word and Excel are also being rewritten to run entirely in the browser on the Azure cloud.
Deploying Office 365 using Okta
Okta is designed to minimize the on-premises footprint while maximizing the advantages of cloud infrastructure. Organizations around the world have used Okta for Office 365 to complete deployments that would take months with legacy Microsoft technology. In many cases, Okta can replace ADFS for federation and Azure AD Connect (formerly DirSync) for directory synchronization. It does this with a lightweight agent that can be installed on existing Windows servers in your domain. The same agent synchronizes data from AD to Office 365 and delegates authentication back to AD as part of federated single sign-on. Okta's directory integration agents can also read and write user and group data in AD and other LDAP servers.
For more information on AD integration with Okta, see Install and configure the Okta Active Directory (AD) agent.
Okta’s Integration for Office 365 offers:
- Certification by Microsoft – Okta is certified by Microsoft within the Azure AD Federation Compatibility List. Support covers users both inside and outside the corporate network, including external devices.
- Reduced infrastructure for IT administrators – No dedicated servers are required for federation.
- Desktop SSO – Okta uses Microsoft's Integrated Windows Authentication (IWA) to silently authenticate users to Okta who are already signed in to their Windows domain.
- Active Directory integration – The Okta AD and IWA agents eliminate the need for hardware load balancers or separate high-availability solutions. Install multiple Okta agents and the service stays available while integrating seamlessly with Office 365.
- Delegated Authentication to Active Directory – Okta can delegate authentication to your AD domain controllers from Office 365 or any other cloud based application.
- Multi-Factor Authentication (MFA) – Okta's built-in MFA options give you a wide range of ways to strengthen authentication to Office 365.
- Web-based password reset for AD – Okta allows users to reset their own passwords through the web-based Okta cloud service. This reset seamlessly updates their account in AD.
- End-to-end automation for user account management – Add a new employee in AD and within minutes they are fully enabled to access Office 365 from web, desktop, and mobile devices.
Step-by-step Instructions to Deploy Office 365 in Okta
- Supported Architectures for Office 365 Deployment
- Design Office 365 Deployment
- Configure Office 365 Domain
- Assign Office 365 to Users
- Integrate Office 365 App Using WS Federation
- Provision Users in Office 365
- Switch on Office 365 Provisioning
- Assign Office 365 Licenses and Roles
- Manage Office 365 Users Using PowerShell
- Import Users from Existing Office 365 Tenant
- Import Groups from Active Directory to Office 365 through Okta
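Once the WS-Federation step above is complete, the Office 365 domain should report itself as Federated and point at Okta rather than at ADFS. The following PowerShell script is an added verification example, not code from the Okta guide: it reads the domain's federation settings through the MSOnline module and flags anything a practitioner would want to catch (domain still Managed, unexpected issuer, non-HTTPS endpoints, a token-signing certificate close to expiry). The domain name, the expected issuer URI and the 30-day certificate threshold are placeholders you must replace with values from your own Okta org; Connect-MsolService prompts interactively for a Global Administrator sign-in.

```powershell
# Added verification script (not part of the Okta deployment guide).
# Assumes: the MSOnline module is installed and the signed-in account can
# read domain federation settings. All literal values below are placeholders.
Import-Module MSOnline
Connect-MsolService

function Test-OktaFederation {
    param(
        [Parameter(Mandatory)] [string] $DomainName,          # e.g. 'example.com' (placeholder)
        [Parameter(Mandatory)] [string] $ExpectedIssuerUri,   # issuer shown in your Okta org (placeholder)
        [int] $MinCertDaysRemaining = 30                      # assumed policy threshold
    )
    $findings = @()

    # 1. The domain must be Federated, otherwise Azure AD is still validating passwords itself.
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        $findings += "Domain $DomainName is '$($domain.Authentication)', not Federated; Okta is not in the sign-in path."
        return $findings
    }

    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName

    # 2. The issuer must be the one Okta advertises; a stale ADFS issuer means the old IdP still signs tokens.
    if ($fed.IssuerUri -ne $ExpectedIssuerUri) {
        $findings += "IssuerUri is '$($fed.IssuerUri)', expected '$ExpectedIssuerUri'."
    }

    # 3. Every federation endpoint must be HTTPS so credentials and tokens are not sent in the clear.
    foreach ($uri in @($fed.PassiveLogOnUri, $fed.ActiveLogOnUri, $fed.LogOffUri, $fed.MetadataExchangeUri)) {
        if ($uri -and -not $uri.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += "Federation endpoint '$uri' is not HTTPS."
        }
    }

    # 4. Azure AD trusts tokens signed by this certificate; warn before it expires and sign-in breaks.
    if ([string]::IsNullOrEmpty($fed.SigningCertificate)) {
        $findings += 'No token-signing certificate is recorded; Azure AD cannot validate tokens from Okta.'
    } else {
        $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt $MinCertDaysRemaining) {
            $findings += "Signing certificate $($cert.Thumbprint) expires in $daysLeft days (NotAfter $($cert.NotAfter))."
        }
    }

    return $findings
}

# Usage (placeholders): replace both values with those from your tenant and Okta org.
$result = Test-OktaFederation -DomainName 'example.com' -ExpectedIssuerUri 'https://okta.example.com/placeholder-issuer'
if ($result.Count -eq 0) {
    Write-Output "Federation to Okta for the domain looks healthy."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run this after the cutover and again whenever Okta rotates its WS-Fed signing certificate; a mismatch in step 2 or 4 is the usual reason users see an Azure AD sign-in error even though Okta itself accepted their credentials. Note that Microsoft has since retired the MSOnline module in favour of Microsoft Graph PowerShell, where the same federation properties are exposed through the domain federation configuration cmdlets.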
Office 365 is the evolution of many on-premises services for email, document collaboration, and file storage. Traditionally those services relied on the tight integration between Windows desktops, Active Directory, and its user accounts, so it is common for a customer's users to run Windows on machines joined to an Active Directory domain. Logging in to a Windows desktop gives those users a desktop SSO experience through Active Directory. Cloud services, however, had no way to reach back into Active Directory to verify the Windows credentials of the logged-in user.
Okta solves this by placing a simple web service inside your Active Directory environment. The SSO IWA Web App runs in Microsoft's IIS server and picks up the existing Kerberos/NTLM credentials of a user logged in to either a Windows desktop or a domain-joined OS X computer, so the browser authenticates to Okta without a second password prompt.
Another useful Okta feature is having a web-based point of access for resetting your password. When Okta is the identity provider for applications, users can change an existing or reset a forgotten password, saving time and reducing help desk requests.
Using more than just a username and password to authenticate a user is multi-factor authentication (MFA). Okta has pre-integrated a range of services to provide increased security through additional factors. To see the currently supported MFA options, open the Security tab, select Authentication, and then click the Multifactor tab. Some options have extra tabs to the right for further configuration. An Okta Sign On Policy lets you require MFA for signing in to Okta itself, or only for signing in to a particular app such as Office 365.
You don’t have to apply MFA across all users logging into Okta. If you want, you can apply a sign on policy at the application level. This is useful if you don’t want to impact all of your users, only those accessing critical applications.