Prerequisites for integrating Hybrid Azure AD join

To integrate Hybrid Azure AD Join with Okta, you must fulfill the following prerequisites. These prerequisites are divided into two categories:

  1. Prerequisites in Microsoft environment

  2. Prerequisites in Okta environment

Prerequisites in Microsoft environment

You need the following Microsoft software and licenses:

Windows Server 2016 or later

One or more servers within the same domain that collectively host all of the following functions:

  • It’s Domain Controller.
  • It has Active Directory.
  • It runs DNS and this DNS server or service is accessible through the internet. This allows the off-prem client machine to resolve your local domain in order to register the client there.
  • It has Intune Connector for Active Directory. Intune Connector is a local service that is installed from Azure to facilitate creation of Hybrid-joined machines joining from Azure on the local domain.
  • It has Group Policy Objects (GPOs). A GPO is a component of Group Policy that can be used as a resource in Microsoft systems to control user accounts and user activity. We will use GPOs to set registry entries on our On-prem Windows 10 clients, which will allow AAD Connect to sync them to Azure AD.

Azure Active Directory (AAD)

  • AAD tenant with Premium Plan 1 or 2
  • AAD Connect: AAD Connect is a sync agent that bridges the gap between on-premises Active Directory and Azure AD. It’s responsible for syncing computer objects between the environments.

Microsoft 365 domain and licenses

  • Registered Microsoft 365 domain name to be used with federation
  • Microsoft 365 license with AAD and MDM services: Microsoft license that provides access to Azure AD, Windows Autopilot, and Mobile Device Management (MDM) solutions such as Microsoft Intune. Some of such licenses are:
    • Microsoft 365 Business
    • Microsoft 365 F3
    • Microsoft 365 E3 or E5
    • Microsoft 365 A3 or A5

    • Enterprise Mobility & Security E3 or E5

Suggested add-ons

Windows Autopilot

Windows Autopilot by Microsoft allows you to set up, reset, recover, and repurpose Windows devices without touching the device. It involves minimal efforts from end users and IT administrators. See Windows Autopilot documentation (Microsoft docs).

Mobile Device Management (MDM) solution

You can choose from several MDM solutions. Here are a few commonly used MDM solutions:

  • Microsoft Intune: Microsoft Intune is a cloud-based service for mobile device management (MDM) and mobile application management (MAM). You can integrate Intune with Azure Active Directory (Azure AD) to control who can access your Microsoft resources, and to what extent. See Microsoft Intune fundamentals (Microsoft docs).
  • VMware Workspace ONE (including Airwatch): VMware Workspace ONE is a digital workspace platform that allows you to securely deliver and manage apps on remote devices. See VMware Workspace ONE Documentation (VMware docs).

Windows 10 Client

Windows 10 Client version 1803 or above. For testing purposes, we recommend using a non-domain joined device.

Prerequisites in Okta environment


Contact support to enable this feature flag in the Okta org you’re integrating. This feature provides the MEX endpoint that will be called first by the device, not enabling this flag will result in getting no PRT for the device.

Integrate On-Premise Active Directory with Okta

Refer toActive Directory integration guide to configure the Active Directory Agent and import your users and groups. For new integrations, ensure that the appropriate users and groups are now imported and confirmed within Okta.

Integrate Azure AD tenant with Okta

Use the Microsoft Office 365 app in Okta to integrate your Azure AD tenant with Okta. See Typical workflow for deploying Microsoft Office 365 in Okta.

Use the following options while integrating:

  • While configuring single sign-on, choose WS-Federation (automatic or manual) method.

  • If you’re using Okta for provisioning, set the Provisioning Type to either Licenses/Role Management Only or Profile Sync. The other options - User Sync and Universal Sync - aren’t compatible with Azure AD Connect, which is necessary for a Hybrid setup.

  • While configuring profile mapping during provisioning, set the Application Username format field to match the username your users will use to sign into their devices. This is usually the Azure AD User Principal Name.

Next steps

Configure Office 365 sign-on rules to allow on-prem and cloud access