Switch on Office 365 Provisioning
This section walks you through editing the Office 365 app to include managing the provisioning.
- Log in to your Okta org and navigate to Applications.
- Click the Office 365 app you previously created.
- Switch to the Provisioning tab and click Configure API Integration. The checkbox for Enable API Integration appears.
- Select the checkbox and click Save. You are prompted to provide admin credentials.
- Provide the admin username and password for your Office 365 tenant.
- Click Test API Credentials to verify the connectivity from Okta to Office 365.
- Select the Office 365 Provisioning Type. Refer to Okta Enhancements with Microsoft Office 365 Integration to determine the best provisioning type for you. Note that switching from Profile Sync to User Sync or Universal Sync means that user accounts mastered in Okta or AD will only be modified in the system of record (and not in Office 365). These accounts will be represented in the Office 365 portal as users that are Synced from Active Directory.
- Decide which provisioning feature to enable:
- User Import – It is possible to have users imported from Office 365 into Okta. These users can be linked to existing Okta accounts through either their email address or a custom expression. Only users with an Office 365 license are imported. Note that once users are imported from Office 365, they become Okta users whose attributes you can modify, unless they have been associated with an existing Active Directory account. While it is possible to schedule imports, an administrator must still manually activate user accounts. The ability to import users is mostly used when you have an existing Office 365 tenant and you need to do a one-time import of users into Okta. Typically, after this import, Okta owns the provisioning of new users into your Office 365 tenant. Okta automatically assigns any imported users to the Office 365 application itself so they are able to SSO back into Office 365 through Okta. Be aware that if the imported user is from a domain that is not federated or the yourtenant.onmicrosoft.com domain, it is not possible to federate sign on, but you can enable the Okta app for SWA authentication. If you deactivate the user in Office 365 and do another import, Okta will un-assign the application from the user.
- Create Users – Using Okta to provision accounts to Office 365 is as simple as enabling the checkbox. When the application is assigned to a user, Okta will create a new account for them in Office 365. The new account will use the username that is specified in the SSO settings page, or if you are using the User Sync provisioning type, you can specify the username via Universal Directory. An in-depth guide appears later in this document. New users can also be assigned an Office 365 license when Okta provisions the account, and you can specify whether the user has an Office 365 administrative role. More information about what happens is discussed later in the section about application assignment.
- Update User Attributes – When you enable this feature, any changes to the user profile are automatically updated in Office 365. Changes in Office 365 will be overwritten. This is useful when a source external to Okta (Workday HR or Active Directory on-premises) makes a change, because the change can be propagated to Office 365.
- Deactivate Users – Okta automatically creates Office 365 accounts when a user is assigned to the Okta Office 365 app. If you un-assign the user from the app, Okta will switch the Office 365 account’s sign in status from Allowed to Blocked. Note: Unlicensing a user in Office 365 will result in all associated data being deleted after 30 days. This will include (but is not limited to) all contents of the user's mailbox and OneDrive folders as well as settings and customizations. As part of deactivation, Okta will maintain the license on the user so administrative tasks such as archiving or data sharing can be completed.
- Sync Okta Password – If you are not federating accounts to Office 365, you can have Okta manage the password. If the user changes their password in Okta, this password is then updated in Office 365 automatically.
- At the point of saving your configuration, Okta communicates to Office 365 and will synchronize any groups in Office 365 into your Okta org. Those groups will also have membership of Office 365 users that exist and are active in Okta.
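
A reconciliation check for the Deactivate Users behaviour described above, as an added example that is not part of Okta's documentation or tooling: it compares the users assigned to the Okta Office 365 app with exported Office 365 user records and flags accounts whose sign-in status or license state does not match. The function name, input shapes and sample data are assumptions; the field names follow Microsoft Graph user objects.

```python
# Added example: reconcile Okta app assignments with Office 365 account state.
# Field names follow Microsoft Graph user objects; all sample data is constructed.

def reconcile(okta_assigned, o365_users):
    """Classify each account by comparing Okta assignment with Office 365 state."""
    assigned = {u.lower() for u in okta_assigned}
    findings = {}
    for user in o365_users:
        upn = user["userPrincipalName"].lower()
        enabled = user["accountEnabled"]            # True = Allowed, False = Blocked
        licensed = bool(user.get("assignedLicenses"))
        if upn in assigned:
            # Assigned users are expected to be able to sign in.
            findings[upn] = "ok" if enabled else "assigned_but_blocked"
        elif enabled:
            # Un-assigned in Okta but sign-in is still Allowed: deprovisioning gap.
            findings[upn] = "unassigned_but_allowed"
        elif licensed:
            # State the page describes after deactivation: Blocked, license kept.
            findings[upn] = "blocked_license_retained"
        else:
            # License already removed: the 30-day data deletion window applies.
            findings[upn] = "blocked_unlicensed"
    # Assigned in Okta but no matching Office 365 account was exported.
    for upn in assigned - set(findings):
        findings[upn] = "missing_in_office365"
    return findings

# Constructed sample: usernames assigned to the Okta Office 365 app.
SAMPLE_OKTA_ASSIGNED = ["alice@example.com", "Dana@example.com"]

# Constructed sample: Office 365 user records (SKU ids are placeholders).
SAMPLE_O365_USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "constructed-sku-1"}]},
    {"userPrincipalName": "bob@example.com", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "constructed-sku-1"}]},
    {"userPrincipalName": "carol@example.com", "accountEnabled": False,
     "assignedLicenses": [{"skuId": "constructed-sku-1"}]},
    {"userPrincipalName": "erin@example.com", "accountEnabled": False,
     "assignedLicenses": []},
]

if __name__ == "__main__":
    results = reconcile(SAMPLE_OKTA_ASSIGNED, SAMPLE_O365_USERS)
    for upn, state in sorted(results.items()):
        print(f"{upn}: {state}")
```

Accounts reported as `unassigned_but_allowed` are the ones to investigate first, since they can still sign in to Office 365 after losing the Okta assignment.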