Hybrid Azure AD Join integration FAQs
Okta offers four types of provisioning:
License and Role Management Only
Of these, only License and Role Management Only and Profile Sync are compatible with Azure AD Connect, which Hybrid Azure AD Join requires: with Azure AD Connect already writing the user objects into Azure AD, the Okta provisioning type must not write them as well. If you want to use Okta provisioning together with Hybrid Azure AD Join, set the provisioning type to either License and Role Management Only or Profile Sync.
The Ctrl+Alt+Del option to reset the password does not work if the machine is only Azure AD joined and not joined to an on-premises domain. In that case, reset the password through an embedded browser session or use a passwordless flow.
This can happen if the Office 365 app sign-on policy in Okta does not allow legacy authentication endpoints or custom clients. The user authenticates to Okta successfully, but the Office 365 app sign-on policy then denies the request, so the user cannot log in. The exception is a user who had already logged in successfully on that machine before the policy was changed or enabled.
Yes. Okta supports WS-Trust through the Legacy Endpoint settings in the Office 365 app sign-on policy. WS-Trust is the protocol by which a Windows client passes the user's Windows logon credentials to Okta, acting as the federation provider, which validates them against Active Directory and returns the token that Azure Active Directory requires.
You can configure the Office 365 app-level sign-on policy to allow a specific client. See Allow or deny custom clients in Office 365 sign on policy.
This is a known issue when Okta MFA is used to satisfy Azure AD MFA. See Use Okta MFA to satisfy Azure AD MFA requirements for Office 365.
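The WS-Trust answer above and the MFA answer both depend on what Azure AD holds in the domain's federation configuration: the protocol, the active (WS-Trust) and MEX URIs that point at Okta, and the federated MFA behavior. The following PowerShell is an added example, not Okta's code, that reads those settings with the Microsoft Graph PowerShell SDK and lists the endpoints Okta publishes in its MEX document. It assumes the Microsoft.Graph.Identity.DirectoryManagement module, an existing `Connect-MgGraph -Scopes 'Domain.Read.All'` session, and that the MEX document exposes each endpoint as a `location="https://..."` attribute (a regex shortcut, not a full WSDL parse). The domain name in the usage line is a placeholder.

```powershell
# Added example, not part of the Okta FAQ: summarise the WS-Trust settings that
# Azure AD holds for a domain federated to Okta and the endpoints in Okta's MEX.
# Assumes Microsoft.Graph.Identity.DirectoryManagement and an existing session:
#   Connect-MgGraph -Scopes 'Domain.Read.All'
function Get-FederationWsTrustSummary {
    param([Parameter(Mandatory)][string]$DomainName)

    $fed = Get-MgDomainFederationConfiguration -DomainId $DomainName
    if (-not $fed) { throw "$DomainName has no federation configuration" }

    $summary = [ordered]@{
        Domain                  = $DomainName
        # Device registration uses WS-Fed/WS-Trust; a domain set to saml cannot use it
        Protocol                = $fed.PreferredAuthenticationProtocol
        PassiveSignInUri        = $fed.PassiveSignInUri
        # Active (WS-Trust) endpoint used by Windows and other rich clients
        ActiveSignInUri         = $fed.ActiveSignInUri
        # MEX document the device fetches first to discover the WS-Trust endpoints
        MetadataExchangeUri     = $fed.MetadataExchangeUri
        # acceptIfMfaDoneByFederatedIdp lets Okta MFA satisfy an Azure AD MFA requirement
        FederatedIdpMfaBehavior = $fed.FederatedIdpMfaBehavior
        MexEndpoints            = @()
        Warnings                = @()
    }

    if ($summary.Protocol -ne 'wsFed') {
        $summary.Warnings += "preferredAuthenticationProtocol is '$($summary.Protocol)', not wsFed; WS-Trust device registration needs WS-Fed."
    }
    if (-not $fed.ActiveSignInUri) {
        $summary.Warnings += 'No active (WS-Trust) sign-in URI is published.'
    }
    if (-not $fed.MetadataExchangeUri) {
        $summary.Warnings += 'No MEX URI is published; the device has nothing to call first.'
    } else {
        # MEX is a WSDL document; assumption: every published endpoint address
        # appears as a location="https://..." attribute.
        $mex = Invoke-WebRequest -Uri $fed.MetadataExchangeUri -UseBasicParsing
        $summary.MexEndpoints = [regex]::Matches($mex.Content, 'location="(https://[^"]+)"') |
            ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
        if (-not $summary.MexEndpoints) {
            $summary.Warnings += 'MEX document lists no https endpoints.'
        }
    }
    if ($summary.FederatedIdpMfaBehavior -eq 'rejectMfaByFederatedIdp') {
        $summary.Warnings += 'federatedIdpMfaBehavior rejects federated MFA; Okta MFA will not satisfy Azure AD MFA.'
    }

    [pscustomobject]$summary
}

# Usage: replace the placeholder with your federated domain.
Get-FederationWsTrustSummary -DomainName 'contoso.com' | Format-List
```

Run it from a tenant administrator's session before opening a support case: an empty `ActiveSignInUri` or `MetadataExchangeUri`, a protocol other than `wsFed`, or a MEX document with no endpoints explains a failed device registration without touching the client, while `FederatedIdpMfaBehavior` shows whether Azure AD is even willing to accept the MFA claim Okta sends.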
The device may not be receiving a PRT during the registration attempt. This happens if the OFFICE365_WINDOWS_TRANSPORT_SUPPORT feature flag is not enabled in your Okta org. The flag exposes the MEX (WS-MetadataExchange) endpoint that the device calls first during registration, so without it the device never receives a PRT. Contact Okta Support to enable the feature for your org.
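Both the Ctrl+Alt+Del answer and the PRT answer above come down to three values that `dsregcmd /status` prints on the Windows device: `DomainJoined`, `AzureAdJoined` and `AzureAdPrt`. The following PowerShell is an added example, not Okta's or Microsoft's code, that parses that output and maps the combinations onto the FAQ's failure modes. The `Get-DeviceJoinState` and `Get-JoinDiagnosis` function names are my own, and the sample output at the bottom is constructed (not captured from a real device) so the parser runs offline; omit `-StatusText` to run it against the local machine.

```powershell
# Added example, not part of the Okta FAQ: read the join and PRT state that
# dsregcmd /status reports on a Windows device and map it onto the FAQ answers.
function Get-DeviceJoinState {
    param(
        # Pass captured output to test the parser offline; the default runs
        # dsregcmd on the local machine (Windows only).
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "Key : Value" rows under boxed section headers; header and
    # separator lines contain no colon and are skipped.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    [pscustomobject]@{
        DomainJoined  = ($fields['DomainJoined'] -eq 'YES')   # on-premises AD join
        AzureAdJoined = ($fields['AzureAdJoined'] -eq 'YES')  # Azure AD registration completed
        HasPrt        = ($fields['AzureAdPrt'] -eq 'YES')     # Primary Refresh Token present
        PrtUpdateTime = $fields['AzureAdPrtUpdateTime']
        TenantName    = $fields['TenantName']
    }
}

function Get-JoinDiagnosis {
    param([Parameter(Mandatory)][pscustomobject]$State)

    $notes = @()
    if ($State.AzureAdJoined -and -not $State.DomainJoined) {
        $notes += 'Azure AD joined only: Ctrl+Alt+Del password reset is unavailable; use an embedded browser session or a passwordless flow.'
    }
    if ($State.DomainJoined -and -not $State.AzureAdJoined) {
        $notes += 'Domain joined but Azure AD registration has not completed.'
    }
    if ($State.DomainJoined -and -not $State.HasPrt) {
        $notes += 'No PRT after the registration attempt: confirm OFFICE365_WINDOWS_TRANSPORT_SUPPORT is enabled in the Okta org and that the Office 365 app sign-on policy allows the legacy (WS-Trust) endpoint.'
    }
    if ($State.AzureAdJoined -and $State.DomainJoined -and $State.HasPrt) {
        $notes += "Hybrid Azure AD joined with a PRT (last refreshed $($State.PrtUpdateTime))."
    }
    $notes
}

# Constructed sample output (not from a real device): a hybrid join that
# registered with Azure AD but never obtained a PRT.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  TenantId : 00000000-0000-0000-0000-000000000000

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
'@ -split "`r?`n"

$state = Get-DeviceJoinState -StatusText $sample
Get-JoinDiagnosis -State $state
```

On the constructed sample the diagnosis is the single "No PRT after the registration attempt" note, which is the case the feature-flag answer describes. Run `Get-JoinDiagnosis -State (Get-DeviceJoinState)` on the affected machine as the signed-in user, since the PRT is per user, and read `AzureAdPrtUpdateTime` to tell a token that was never issued from one that has simply expired.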