Provide Microsoft admin consent for Okta

Microsoft requires you as an admin to provide consent to allow Okta to access users and data in your Microsoft tenant. By granting consent, you allow Okta to access the Microsoft Graph API on your behalf and use the information provided by Microsoft Office 365.

Before you begin

  • Ensure you have the Global Administrator permissions in the Microsoft tenant.

Which permissions Okta requires and why

Okta requires these permissions for the following:

  • Single sign on: to authenticate and authorize users into Office 365 apps that use OAuth-based authentication. Some of these apps are Yammer, Dynamics CRM, Teams, and Forms.

Okta requires the following permissions in your Microsoft tenant:

Permission Allows Okta to

User.ReadWrite.All

create, read, update, and delete users.

Group.ReadWrite.All

create, read, update, and delete groups.

GroupMember.ReadWrite.All

add or remove members in a group.

Organization.Read.All

list acquired licenses and remaining seats in a tenant.

Application.Read.All

list the application registrations and service principals in a tenant.

RoleManagement.ReadWrite.Directory

assign directory roles to users, groups, and service principals.

Provide Microsoft admin consent for Okta

Provide Microsoft admin consent for single sign on

  1. In Okta,
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the API Credentials section, check the box for Allow administrator to consent for Advanced API access.
    3. Click Authenticate with Microsoft Office 365.

      You are redirected to the Microsoft account log in page.

  2. On Microsoft,
    1. Log into Microsoft as a Global Administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. In Okta,
    1. Save the settings.

Re-authenticate Microsoft admin consent for single sign on

You need to re-authenticate the existing Microsoft admin consent for Okta in following cases:

  • If you add a new Office 365 app to the Okta end-user dashboard and that app requires OAuth.
  • If the URL for an Office 365 app changes.
  1. In Okta,
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the API Credentials section, click Re-authenticate with Microsoft Office 365.

      You are redirected to the Microsoft account log in page.

  2. On Microsoft,
    1. Log into Microsoft as a Global Administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. In Okta,
    1. Save the settings.

Related topics