Map Azure Active Directory attributes to Okta attributes

To use Azure Active Directory for user authentication, you need to map Azure Active Directory user attributes to Okta attributes.

Before you begin

Caution

  • If you are using UPN for both the login and email attributes, you must map it to both attributes.

  • Creating a new user through JIT may fail if any of the required attributes is empty or incorrectly mapped.

Start this procedure

This procedure involves the following tasks:

  1. Disable attribute mappings from Azure AD to Okta

  2. Add custom attributes

  3. Map Azure AD attributes to Okta

Disable attribute mappings from Azure AD to Okta

  1. In the Admin Console, go to Directory > Profile Editor.
  2. In the Search field, enter AAD or the name you assigned to Azure Active Directory when you added it as an identity provider (IdP).
  3. Click Profile next to the directory. Profile Editor opens.
  4. In Profile Editor, configure the user mappings:
    1. Click Mappings and select Configure User mappings.
    2. Select the <AAD Application Name> to Okta User tab, and in the second drop-down for each attribute, select Do not map for all of the attributes except the login attribute.
    3. Click Save Mappings and Apply updates now.
  5. Repeat step 4 for any additional custom user mappings that exist for your org.

Add custom attributes

  1. In Profile Editor > FILTERS, select Custom.
  2. Delete these attributes: First Name, Last Name, and Email.
    Note

    We delete these attributes because their Variable Name and External Name fields aren't editable. In the next step, we'll add custom attributes, where you can edit these fields.

  3. Click the Add Attribute button. The Add Attribute window opens.
  4. To create the Email attribute, complete these fields:

    Field           Value
    Display name    Email, or any other name you want to assign to this attribute.
    Variable name   email. This name is used to refer to this attribute in profile mappings and expressions.
    External name   The claim you want to map to this attribute. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  5. Click Save and Add Another to save this attribute and add another.
  6. Click Add Attribute and complete these fields:
    • Display name: Enter Email.
    • Variable name: Enter email.
    • External name: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
  7. Click Save and Add Another and complete these fields:
    • Display name: Enter First Name.
    • Variable name: Enter firstName.
    • External name: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.
  8. Click Save and Add Another and complete these fields:
    • Display name: Enter Last Name.
    • Variable name: Enter lastName.
    • External name: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname.
  9. Click Save and Add Another and complete these fields:
    • Display name: Enter UPN.
    • Variable name: Enter upn.
    • External name: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.
  10. Click Save.

Map Azure AD attributes to Okta

  1. Click Mappings and select Configure User mappings.
  2. Select the <AAD Application Name> to Okta User tab.
  3. Map the attributes you created to the Okta User Profile:
    1. Select the email attribute for the Okta login and email attributes.
    2. Select firstName and lastName for the Okta firstName and lastName attributes respectively.
    3. Optional. Select upn for the nameidentifier attribute.
  4. Click Save Mappings and Apply updates now.
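The following is an added example, not Okta's or Microsoft's code: it parses a constructed Azure AD SAML attribute statement, applies the claim-to-variable mapping configured in the steps above (email, firstName, lastName, upn), and reports which Okta profile fields would be empty, which is the condition under which JIT user creation fails. The claim URIs are the ones on this page; the assertion content and function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim URI (External name) -> Okta variable name, as configured in Profile Editor
CLAIM_TO_OKTA = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "firstName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "lastName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "upn",
}

def extract_claims(assertion_xml: str) -> dict:
    """Return {okta_variable: value} for the mapped claims in a SAML AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = CLAIM_TO_OKTA.get(attr.get("Name"))
        if name is None:
            continue  # claim is not part of the mapping; Okta ignores it
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        claims[name] = value.strip()
    return claims

def check_jit_profile(claims: dict, login_from_upn: bool = False) -> tuple:
    """Build the Okta profile the mapping yields and list fields that would break JIT."""
    source = "upn" if login_from_upn else "email"
    profile = {
        "login": claims.get(source, ""),
        "email": claims.get(source, ""),  # UPN must feed both login and email when used
        "firstName": claims.get("firstName", ""),
        "lastName": claims.get("lastName", ""),
    }
    missing = [k for k, v in profile.items() if not v]  # empty or unmapped attributes
    return profile, missing

# Constructed sample assertion fragment (not data from any real tenant); surname is empty
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""
```

Run `check_jit_profile(extract_claims(SAMPLE))` to see lastName reported as missing; pass `login_from_upn=True` only when the nameidentifier claim is mapped to upn, otherwise both login and email come back empty.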

Next steps

Test the Azure Active Directory integration