Prerequisites for integrating Hybrid Azure AD join
To integrate Hybrid Azure AD Join with Okta, you must fulfill the following prerequisites. These prerequisites are divided into two categories:
Prerequisites in the Microsoft environment
Windows Server 2016 or later.
One or more servers within the same domain that collectively host all of the following functions:
- The Domain Controller.
- Active Directory.
- Intune Connector for Active Directory. Intune Connector is a local service that is installed from Azure to facilitate creation of Hybrid-joined machines joining from Azure on the local domain.
- DNS server or service that is accessible through the internet. This allows the off-prem client machine to resolve your local domain in order to register the client there.
- Group Policy Objects (GPOs). A GPO is a component of Group Policy that can be used as a resource in Microsoft systems to control user accounts and user activity. Okta uses GPOs to set registry entries on on-prem Windows 10 clients, which allows AAD Connect to sync them to Azure AD.
Agentless or Integrated Windows Authentication (IWA) is required for the Kerberos endpoints.
Azure Active Directory (AAD)
- AAD tenant with Premium Plan 1 or 2
- AAD Connect: AAD Connect is a sync agent that bridges the gap between on-premises Active Directory and Azure AD. It’s responsible for syncing computer objects between the environments.
Microsoft 365 domain and licenses
- Registered Microsoft 365 domain name to be used with federation
- Microsoft 365 license with AAD and MDM services: Microsoft license that provides access to Azure AD, Windows Autopilot, and Mobile Device Management (MDM) solutions such as Microsoft Intune. Some of such licenses are:
- Microsoft 365 Business
- Microsoft 365 F3
- Microsoft 365 E3 or E5
Microsoft 365 A3 or A5
- Enterprise Mobility & Security E3 or E5
Windows Autopilot by Microsoft allows you to set up, reset, recover, and repurpose Windows devices without touching the device. It involves minimal efforts from end users and IT administrators. See Windows Autopilot documentation (Microsoft docs).
- Mobile Device Management (MDM) solution
You can choose from several MDM solutions. Here are a few commonly used MDM solutions:
- Microsoft Intune: Microsoft Intune is a cloud-based service for mobile device management (MDM) and mobile application management (MAM). You can integrate Intune with Azure Active Directory (Azure AD) to control who can access your Microsoft resources, and to what extent. See Microsoft Intune fundamentals (Microsoft docs).
- VMware Workspace ONE (including Airwatch): VMware Workspace ONE is a digital workspace platform that allows you to securely deliver and manage apps on remote devices. See VMware Workspace ONE Documentation (VMware docs).
Windows 10 Client
Windows 10 Client version 1803 or above. For testing purposes, we recommend using a non-domain joined device.
Prerequisites in the Okta environment
Integrate On-Premise Active Directory with Okta.
Refer to the Active Directory integration guide to configure the AD Agent and import your users and groups. For new integrations, ensure that the appropriate users and groups are now imported and confirmed within Okta.
Integrate Azure AD tenant with Okta.
Use the Microsoft Office 365 app in Okta to integrate your Azure AD tenant with Okta. See Typical workflow for deploying Microsoft Office 365 in Okta.
Use the following options while integrating:
While configuring single sign-on, choose WS-Federation (automatic or manual) method.
If you’re using Okta for provisioning, set the Provisioning Type to either Licenses/Role Management Only or Profile Sync. The other options - User Sync and Universal Sync - aren’t compatible with Azure AD Connect, which is necessary for a Hybrid setup.
While configuring profile mapping during provisioning, set the Application Username format field to match the username your users will use to sign into their devices. This is usually the Azure AD User Principal Name.
Configure Office 365 sign-on rules to allow on-prem and cloud access