Provide Microsoft admin consent for Okta

Microsoft requires you as an admin to provide consent to allow Okta to access users and data in your Microsoft tenant. By granting consent, you allow Okta to access the Microsoft Graph API on your behalf and use the information provided by Microsoft Office 365.

Before you begin

Ensure you have the Global Administrator permissions in the Microsoft tenant.

Which permissions Okta requires and why

Okta requires these permissions for the following:

  • Provisioning: to provision or deprovision users from Office 365.
  • Single sign on: to authenticate and authorize users into Office 365 apps that use OAuth-based authentication. Some of these apps are Yammer, Dynamics CRM, Teams, and Forms.
  • You need to provide admin consent either when configuring provisioning or when configuring single sign on for the Office 365 app. In both cases, Okta requires the following permissions in your Microsoft tenant:
Permission Allows Okta to

User.ReadWrite.All

create, read, update, and delete users.

Group.ReadWrite.All

create, read, update, and delete groups.

GroupMember.ReadWrite.All

add or remove members in a group.

Organization.Read.All

list acquired licenses and remaining seats in a tenant.

Application.Read.All

list the application registrations and service principals in a tenant.

RoleManagement.ReadWrite.Directory

assign directory roles to users, groups, and service principals.

Provide Microsoft admin consent for Okta

You can provide admin consent in two ways:

Provide Microsoft admin consent for provisioning

For provisioning to continue functioning from Okta to Office 365, an Office 365 Service Principal Account with persistent Global Admin permissions must be associated with each Office 365 application in Okta.

If you're enabling provisioning for the Office 365 app for the first time, follow these steps:

  1. In Okta,
    1. Go to Applications > Office 365 > Provisioning > Integration.
    2. Select the Enable API integration check box.
    3. Enter Admin Username and Admin Password.
    4. Click Authenticate with Microsoft Office 365.

      You are redirected to the Microsoft account log in page.

  2. On Microsoft,
    1. Log into Microsoft as a Global Administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. In Okta,
    1. Save the settings.

Re-authenticate Microsoft admin consent for provisioning

If your org enabled provisioning to Microsoft prior to December 2021, you must grant admin consent before you can modify any existing Provisioning settings for Office 365. This is true even if you previously granted admin consent, because the permissions that Okta requests have changed.

If you've already enabled provisioning for the Office 365 app and need to re-authenticate your consent, follow these steps:

  1. In Okta,
    1. Go to Applications > Office 365 > Provisioning > Integration > Edit.
    2. Click Re-authenticate with Microsoft Office 365.

      You are redirected to the Microsoft account log in page.

  2. On Microsoft,
    1. Log into Microsoft as a Global Administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. In Okta,
    1. Save the settings.

Provide Microsoft admin consent for single sign on

  1. In Okta,
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the API Credentials section, check the box for Allow administrator to consent for Advanced API access.
    3. Click Authenticate with Microsoft Office 365.

      You are redirected to the Microsoft account log in page.

  2. On Microsoft,
    1. Log into Microsoft as a Global Administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. In Okta,
    1. Save the settings.

Re-authenticate Microsoft admin consent for single sign on

You need to re-authenticate the existing Microsoft admin consent for Okta in following cases:

  • If you add a new Office 365 app to the Okta end-user dashboard and that app requires OAuth.
  • If the URL for an Office 365 app changes.
  1. In Okta,
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the API Credentials section, click Re-authenticate with Microsoft Office 365.

      You are redirected to the Microsoft account log in page.

  2. On Microsoft,
    1. Log into Microsoft as a Global Administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. In Okta,
    1. Save the settings.

Related topics