Provision Users in Office 365

Using Okta

There are four methods by which Okta can provision users in Office 365:

  1. Licenses/Roles Management Only

    Licenses/Roles Management Only has been built to work alongside Microsoft’s Azure AD Connect infrastructure, and is the only provisioning type that can be used in conjunction with AADConnect Sync. This functionality allows you to leverage Okta’s advanced Roles and License functionality in order to assign specific licenses to users automatically, depending on attributes or group membership within Okta. The only attributes available with this type of provisioning are licenses and roles. If you select this provisioning type, the only provisioning features that are available are Update User Attributes and Deactivate Users.

  2. Profile Sync

    Okta creates “in cloud” users and synchronizes Username, First Name, Last Name, Email, and Display Name. The advantage of this provisioning method is that these users can be edited directly in the Office 365 portal, whereas users created by all other provisioning types appear as ‘Synced with Active Directory’ in the Office 365 portal and must be changed where the account is mastered (Okta, AD, or another directory or service).

  3. User Sync

    This provisioning type leverages Universal Directory. When you select it, Okta automatically sets up “Active Directory synchronization” for you in Office 365, which allows you to create users with 16 more attributes. When these users are created, they are marked as “Synced with Active Directory”. This means they cannot be edited in the Office 365 portal; instead, Office 365 will advise you to edit them in Active Directory. In this instance, however, Okta is taking on the role of Active Directory.

    This means that:
    1. If your users originated in Active Directory, then Office 365 is accurate: to change a user's attributes, edit the relevant user account in Active Directory. Okta will import that change and update Office 365.
    2. If the user was created directly in Okta, you can edit the user directly in Okta and the user in Office 365 will be updated. Note that with Universal Directory, you can make some of these attributes editable by the end user via the Okta end user portal. The section below describes using Universal Directory in detail.
    3. You can have users from Active Directory and users that exist only in Okta provisioned to the same Office 365 user domain. This is a very powerful feature and gives you a wide range of ways to manage Office 365 users.

    If you choose the User Sync option, see the later section about using Universal Directory for attribute mapping and transformations. But first, we need to finish describing how to enable provisioning with Okta.

  4. Universal Sync (Enhanced Provisioning)

    Similar to the User Sync provisioning features detailed above, this provisioning mode sets up Active Directory Synchronization and synchronizes additional objects including:

    1. Security Groups
    2. Distribution Lists
    3. Contacts
    4. Resource Mailboxes

    In addition to these object types, the number of synchronized attributes has been extended to 142 in total, allowing for rich user profiles and a higher-fidelity synchronization. This method of synchronization enables proprietary attributes, such as those used by Exchange and Skype for Business, to be synchronized from on-premises to Office 365 without the need for additional synchronization technologies such as Azure AD Connect.

    Note: The object types above are synchronized directly from Active Directory to Office 365 and are not represented in Okta’s Universal Directory. Changes to these objects should be made in AD directly.
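The Profile Sync and User Sync descriptions above turn on one visible difference: an account Office 365 shows as “Synced with Active Directory” can only be changed at its source (Okta, AD or another directory), while an “in cloud” account can be edited in the portal itself. When both populations share a domain (item 3 under User Sync), an administrator needs to know which accounts are which before deciding where an attribute change, or an incident-response lockout, has to be made. The following is an added example, not Okta's or Microsoft's code. It assumes user records shaped like Microsoft Graph user objects, in which the `onPremisesSyncEnabled` field is true for directory-synced accounts and null or false for cloud-mastered ones; the sample records are constructed.

```python
"""Classify Office 365 user objects by where they are mastered.

Added example (not Okta's or Microsoft's code). Assumption: records are
shaped like Microsoft Graph user objects, where ``onPremisesSyncEnabled``
is true for accounts that the Office 365 portal shows as "Synced with
Active Directory" (Okta User Sync / Universal Sync, or AADConnect) and
null/false for "in cloud" accounts (Okta Profile Sync, or portal-created).
"""
from collections import defaultdict

# Constructed sample records: three accounts in one domain, one in another.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "displayName": "Alice",
     "onPremisesSyncEnabled": True},
    {"userPrincipalName": "bob@example.com", "displayName": "Bob",
     "onPremisesSyncEnabled": None},
    {"userPrincipalName": "carol@example.com", "displayName": "Carol",
     "onPremisesSyncEnabled": True},
    {"userPrincipalName": "dave@partner.example", "displayName": "Dave",
     "onPremisesSyncEnabled": None},
]


def mastering(user):
    """Return 'directory' for accounts that must be edited at their source,
    'cloud' for accounts editable directly in the Office 365 portal."""
    return "directory" if user.get("onPremisesSyncEnabled") else "cloud"


def classify_users(users):
    """Map each userPrincipalName to its mastering location."""
    return {u["userPrincipalName"]: mastering(u) for u in users}


def mixed_domains(users):
    """Return the set of UPN domains that hold both cloud-mastered and
    directory-mastered accounts.  Mixing is legitimate with User Sync, but
    it means attribute changes for the two populations go to different
    places, so the administrator should know which domains are mixed."""
    kinds_by_domain = defaultdict(set)
    for u in users:
        domain = u["userPrincipalName"].rsplit("@", 1)[1].lower()
        kinds_by_domain[domain].add(mastering(u))
    return {d for d, kinds in kinds_by_domain.items()
            if kinds == {"cloud", "directory"}}


def summarize(users):
    """Count accounts per mastering location."""
    counts = {"cloud": 0, "directory": 0}
    for u in users:
        counts[mastering(u)] += 1
    return counts


if __name__ == "__main__":
    for upn, where in sorted(classify_users(SAMPLE_USERS).items()):
        action = ("edit at source (Okta/AD)" if where == "directory"
                  else "editable in the Office 365 portal")
        print(f"{upn:28} {where:9} -> {action}")
    print("totals:", summarize(SAMPLE_USERS))
    print("domains with both populations:", sorted(mixed_domains(SAMPLE_USERS)))
```

In practice the records would come from a Graph users export rather than the inline sample; the classification itself does not change, and the mixed-domain check is the one to run after enabling User Sync alongside an existing Active Directory population.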

For more information on types of provisioning, see Okta Enhancements with Microsoft Office 365 Integration.