Make Azure Active Directory an identity provider

To delegate authentication to Azure Active Directory, you need to configure it as an identity provider (IdP) in Okta.

Before you begin

Start this procedure

This procedure involves the following tasks:

  1. Add Azure AD as Identity Provider

  2. Update Okta app in Microsoft Azure portal

Add Azure AD as Identity Provider

  1. In the Admin Console, go to Security > Identity Providers.

  2. Click Add Identity Provider and select Add SAML 2.0 IdP.
  3. Enter AAD or your preferred name for the identity provider in the Name field.
  4. Complete the following fields in the AUTHENTICATION SETTINGS area:

    Field Value
    IdP Username




    Select the Only allow usernames that match defined RegEx pattern check box and enter a regular expression pattern. This pattern will filter IdP user names and prevent the IdP from authenticating unintended or privileged users.

    Match against

    Select an Okta user attribute from the drop down list. For example, Okta Username.

    This Okta user attribute will be matched against the IdP username to find existing users.

    Account Link Policy

    Select Automatic to automatically link incoming IdP users to existing users in Okta.

    Select Disabled if you want to manually link users or don't want to link users.

    Auto-link Restrictions


    You can restrict automatic account-linking to certain specified groups.

    Select Specific Groups from the drop down list and enter group names. The IdP user will be automatically linked only if the matching user belongs to any of the specified groups.

    If no match is found Optional. Select Create new user (JIT) to create a new account for an unmatched user.

  5. Complete the following fields in the JIT SETTINGS area:

    Field Value
    Profile Source

    Select the Update attributes for existing users check box.

    Reactivation Settings


    Select the Reactivate users who are deactivated in Okta and Unsuspend users who are suspended in Okta check boxes.

    Group Assignments


    Select an option to define the behavior of group assignments during provisioning.

    You can assign the user to specific groups, add them to missing groups based on SAML attribute name and group filter, or do a full sync of groups.

  6. Complete the following fields in the SAML PROTOCOL SETTINGS area:

    Field Value
    IdP Issuer URI

    Enter the value from the Azure AD Azure AD Identifier field you recorded previously.

    IdP Single Sign-On URL

    Enter the value from the Azure AD Login URL field you recorded previously.

    IdP Signature Certificate Click Browse files, browse to the location of the identity provider PEM or DER key certificate you downloaded previously, and click Open.

  7. Click Add Identity Provider.
  8. On the Identity Providers page, click the expand () icon for the AAD identity provider and record the values in these fields:
    • Assertion Consumer Service URL
    • Audience URI

Update Okta app in Microsoft Azure portal

  1. Sign in to the Microsoft Azure portal, click the portal menu icon in the top left, and select Azure Active Directory.
  2. Click Enterprise applications in the left menu and select Okta in the applications list.
  3. Click Single sign-on in the left menu and click SAML.
  4. Click Edit in the Basic SAML Configuration area and complete the following fields:

    Field Value
    Identifier (Entity ID) Enter the Audience URI value you recorded in step 8.
    Reply URL (Assertion Consumer Service URL) Enter the Assertion Consumer Service URL value you recorded in step 8.

  5. Click Save and Close.

Next steps

Map Azure Active Directory attributes to Okta attributes