Provide Microsoft admin consent for Okta

Provide consent for Okta to access users and data in your Microsoft tenant. This consent allows Okta to access the Microsoft Graph API on your behalf and use the information provided by Office 365.

Before you begin

Ensure that you have global administrator permissions in the Microsoft tenant.

Which permissions Okta requires and why

  • Provisioning permission is required to provision or deprovision users from Office 365.
  • SSO permission is required to authenticate and authorize users into Office 365 apps that use OAuth-based authentication. Some of these apps are Yammer, Dynamics CRM, Teams, and Forms.
  • You need to provide admin consent either when configuring provisioning or SSO for the Office 365 app. In both cases, Okta requires the following permissions in your Microsoft tenant:
    Permission                            Allows Okta to
    User.ReadWrite.All                    create, read, update, and delete users.
    Group.ReadWrite.All                   create, read, update, and delete groups.
    GroupMember.ReadWrite.All             add or remove members in a group.
    Organization.Read.All                 list acquired licenses and remaining seats in a tenant.
    Application.Read.All                  list the app registrations and service principals in a tenant.
    RoleManagement.ReadWrite.Directory*   assign directory roles to users, groups, and service principals.
    Directory.Read.All*                   read directory data.

    * If provisioning isn't used, you can revoke the Directory.Read.All and RoleManagement.ReadWrite.Directory permissions after SSO integration.
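
Added example (not Okta's or Microsoft's code): a least-privilege check that compares the admin-consented scopes for the Okta app with the permissions listed above and reports which are missing, unexpected, or revocable when provisioning isn't used. It assumes the grants were exported as JSON shaped like a Microsoft Graph oauth2PermissionGrants listing; the object ids and the extra Mail.Read and Files.Read.All scopes in the sample are constructed.

```python
import json

# Permissions this page lists for Okta in the Microsoft tenant.
REQUIRED = {
    "User.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All",
    "Organization.Read.All", "Application.Read.All",
    "RoleManagement.ReadWrite.Directory", "Directory.Read.All",
}
# Marked with * on this page: revocable after SSO integration if provisioning isn't used.
PROVISIONING_ONLY = {"RoleManagement.ReadWrite.Directory", "Directory.Read.All"}


def granted_scopes(grants_json, client_id):
    """Collect tenant-wide (admin-consented) scopes granted to one service principal."""
    scopes = set()
    for grant in json.loads(grants_json).get("value", []):
        # Skip other apps and per-user grants; only admin consent is audited here.
        if grant.get("clientId") != client_id or grant.get("consentType") != "AllPrincipals":
            continue
        scopes.update((grant.get("scope") or "").split())
    return scopes


def audit(grants_json, client_id, provisioning_enabled):
    """Compare granted scopes with the page's list for the chosen integration mode."""
    granted = granted_scopes(grants_json, client_id)
    expected = REQUIRED if provisioning_enabled else REQUIRED - PROVISIONING_ONLY
    return {
        "missing": sorted(expected - granted),                # consent incomplete
        "unexpected": sorted(granted - REQUIRED),             # not on the page's list
        "revocable": sorted(granted & (REQUIRED - expected)),  # safe to revoke in this mode
    }


# Constructed sample export; the ids are placeholders, not real object ids.
SAMPLE = json.dumps({"value": [
    {"clientId": "okta-sp-object-id", "consentType": "AllPrincipals",
     "resourceId": "graph-sp-object-id",
     "scope": "User.ReadWrite.All Group.ReadWrite.All GroupMember.ReadWrite.All "
              "Organization.Read.All Directory.Read.All "
              "RoleManagement.ReadWrite.Directory Mail.Read"},
    {"clientId": "okta-sp-object-id", "consentType": "Principal",
     "principalId": "some-user-id", "resourceId": "graph-sp-object-id",
     "scope": "Application.Read.All"},
    {"clientId": "other-app-object-id", "consentType": "AllPrincipals",
     "resourceId": "graph-sp-object-id", "scope": "Files.Read.All"},
]})

if __name__ == "__main__":
    print(audit(SAMPLE, "okta-sp-object-id", provisioning_enabled=False))
```

Run the check once with provisioning_enabled set to match your integration; a non-empty "unexpected" or "revocable" list marks scopes to review in the Microsoft tenant.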

Provide Microsoft admin consent for Okta

You can provide admin consent in two ways:

Provide Microsoft admin consent for provisioning

For provisioning to continue functioning from Okta to Office 365, an Office 365 Service Principal Account with persistent global administrator permissions must be associated with each Office 365 app in Okta.

If you're enabling provisioning for the Office 365 app for the first time, follow these steps:

  1. In the Okta Admin Console, complete the following:
    1. Go to Applications > Office 365 > Provisioning > Integration.
    2. Select the Enable API integration checkbox.
    3. Enter admin Username and Password.
    4. Click Authenticate with Microsoft Office 365.

      You're redirected to the Microsoft account login page.

  2. In Microsoft, complete the following:
    1. Log in to Microsoft as a global administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. Save the settings in the Okta Admin Console.

Re-authenticate Microsoft admin consent for provisioning

If your org enabled provisioning to Microsoft before December 2021, you must grant admin consent before you can modify any existing provisioning settings for Office 365. This is true even if you previously granted admin consent, because the permissions that Okta requests have changed.

If you've already enabled provisioning for the Office 365 app and need to re-authenticate your consent, follow these steps:

  1. In the Okta Admin Console, complete the following:
    1. Go to Applications > Office 365 > Provisioning > Integration > Edit.
    2. Click Re-authenticate with Microsoft Office 365.

      You're redirected to the Microsoft account login page.

  2. In Microsoft, complete the following:
    1. Log in to Microsoft as a global administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. Save the settings in the Okta Admin Console.

Provide Microsoft admin consent for SSO

  1. In the Okta Admin Console, complete the following:
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the API Credentials section, check the box for Allow administrator to consent for Advanced API access.
    3. Click Authenticate with Microsoft Office 365.

      You're redirected to the Microsoft account login page.

  2. In Microsoft, complete the following:
    1. Log in to Microsoft as a global administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. Save the settings in the Okta Admin Console.

Re-authenticate Microsoft admin consent for SSO

You need to re-authenticate the existing Microsoft admin consent for Okta in the following cases:

  • If you add a new Office 365 app to the Okta End-User Dashboard and that app requires OAuth.
  • If the URL for an Office 365 app changes.
  1. In the Okta Admin Console, complete the following:
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the API Credentials section, click Re-authenticate with Microsoft Office 365.

      You're redirected to the Microsoft account login page.

  2. In Microsoft, complete the following:
    1. Log in to Microsoft as a global administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Microsoft Graph Client page.
  3. Save the settings in the Okta Admin Console.
