Provide Microsoft admin consent for Okta

Okta requires specific permissions to integrate with your Microsoft Office 365 tenant. These permissions allow Okta to access the Microsoft Graph API on your behalf to perform SSO and user provisioning.

Before you begin

Ensure that you have global admin permissions in your Microsoft tenant.

Understanding Okta's permission needs

The required permissions are granted to one of two distinct Okta apps that are registered in your Microsoft tenant. The specific app used depends on the functionality that you enable:

| Functionality enabled | Okta app required |
|---|---|
| SAML-based SSO | Okta Graph API Client - Federation |
| OAuth-based SSO and provisioning | Okta Office 365 Graph Client - SSO |

You're prompted to grant admin consent during the initial configuration of either SSO or provisioning within your Okta Office 365 app integration.

Permissions for basic SAML-based SSO

If you're only configuring SAML-based SSO (for apps such as Microsoft Word, PowerPoint, or Excel), the following minimal set of permissions is granted to the Okta Graph API Client - Federation app:

| Permission | Allows Okta to | Notes |
|---|---|---|
| User.Read | Read users | Basic user identity required for authentication. |
| Domain.ReadWrite.All | Read and write domain data | Required for domain configuration and verification. |
| RoleManagement.ReadWrite.Directory | Assign directory roles to users, groups, and service principals | Required during initial setup. You can safely revoke this permission after you've successfully integrated SAML SSO. |

The Directory.Read.All permission isn't required. If you previously granted this permission, you can revoke it.

Permissions for provisioning and OAuth-based SSO

If you're configuring provisioning or OAuth-based SSO (Microsoft Teams, Yammer, Power BI, and more), the comprehensive set of permissions is required and granted to the Okta Office 365 Graph Client - SSO app.

Both OAuth-based SSO and provisioning share the same permission set, which requires read/write access to the Microsoft Graph API to manage user tokens, licenses, and directory objects.

For OAuth-based configurations, you must grant permissions to both the Okta Graph API Client - Federation app and Okta Office 365 Graph Client - SSO app.

| Permission | Allows Okta to | Notes |
|---|---|---|
| User.ReadWrite.All | Create, read, update, and delete users | Required for user lifecycle management. |
| Group.ReadWrite.All | Create, read, update, and delete groups | Required for group push and group management. |
| GroupMember.ReadWrite.All | Add or remove members in a group | Required for managing group membership. |
| Organization.Read.All | List acquired licenses and remaining seats in a tenant | Required to view license availability. |
| Application.Read.All | List the app registrations and service principals in a tenant | Required for integration configuration. |
| RoleManagement.ReadWrite.Directory | Assign directory roles to users, groups, and service principals | Required for managing administrative roles (for example, global admin). If provisioning isn't used, you can safely revoke this permission after successful SSO integration. |
| LicenseAssignment.ReadWrite.All | Assign licenses to users and groups | Required for license management through Okta. |
| Directory.ReadWrite.All | Read directory data | Used for directory management. If LicenseAssignment.ReadWrite.All is granted, you can safely revoke this permission. |

The User.Read permission isn't required. If you previously granted this permission, you can revoke it.
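The two permission tables above describe a least-privilege target, and the notes say which scopes can be dropped once setup is done. As an added example (not Okta's or Microsoft's code), the following Python script compares the permissions actually consented to the two Okta apps against those tables and flags scopes that are missing, scopes the tables say can be revoked, and scopes the tables don't list at all. It assumes the grant records have the shape of Microsoft Graph oauth2PermissionGrant objects (clientId, consentType, resourceId, scope) and that you have a mapping from service principal ID to display name; the IDs and grants embedded here are constructed placeholders, not real tenant data.

```python
"""Audit the Microsoft Graph permissions consented to Okta's two app registrations.

CONSTRUCTED sample data below mimics the shape of Microsoft Graph
`oauth2PermissionGrant` objects (clientId, consentType, resourceId, scope).
All IDs are placeholders. Expected permission sets come from the documentation.
"""
from dataclasses import dataclass

FEDERATION_APP = "Okta Graph API Client - Federation"
SSO_APP = "Okta Office 365 Graph Client - SSO"

# Permissions each Okta app is documented to need.
REQUIRED = {
    FEDERATION_APP: {
        "User.Read", "Domain.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    },
    SSO_APP: {
        "User.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All",
        "Organization.Read.All", "Application.Read.All",
        "RoleManagement.ReadWrite.Directory", "LicenseAssignment.ReadWrite.All",
        "Directory.ReadWrite.All",
    },
}

# Permissions the documentation says aren't required and may be revoked.
NOT_REQUIRED = {
    FEDERATION_APP: {"Directory.Read.All"},
    SSO_APP: {"User.Read"},
}


@dataclass
class AuditResult:
    app: str
    missing: set      # required scopes that were not consented
    revocable: dict   # consented scope -> reason the documentation allows revoking it
    unexpected: set   # consented scopes the documentation doesn't mention


def optional_scopes(app, granted, setup_complete, provisioning_used):
    """Scopes the documentation allows you to revoke under the given conditions."""
    optional = {scope: "not required by Okta" for scope in NOT_REQUIRED[app]}
    if app == FEDERATION_APP and setup_complete:
        optional["RoleManagement.ReadWrite.Directory"] = "only needed during initial SAML SSO setup"
    if app == SSO_APP:
        if "LicenseAssignment.ReadWrite.All" in granted:
            optional["Directory.ReadWrite.All"] = "LicenseAssignment.ReadWrite.All is granted"
        if setup_complete and not provisioning_used:
            optional["RoleManagement.ReadWrite.Directory"] = "provisioning isn't used and SSO is integrated"
    return optional


def audit(grants, app_names, setup_complete=False, provisioning_used=True):
    """Compare tenant-wide (AllPrincipals) admin consent for the Okta apps against the documented sets."""
    results = {}
    for grant in grants:
        if grant.get("consentType") != "AllPrincipals":
            continue  # per-user consent isn't the admin consent this page covers
        app = app_names.get(grant.get("clientId"))
        if app not in REQUIRED:
            continue  # some other service principal
        granted = set(grant.get("scope", "").split())  # Graph stores scopes space-separated
        optional = optional_scopes(app, granted, setup_complete, provisioning_used)
        results[app] = AuditResult(
            app=app,
            missing=REQUIRED[app] - granted - set(optional),
            revocable={s: r for s, r in optional.items() if s in granted},
            unexpected=granted - REQUIRED[app] - set(optional),
        )
    return results


def report(results):
    """Render the audit as plain-text lines."""
    lines = []
    for app, r in results.items():
        lines.append(f"{app}:")
        lines.append(f"  missing required: {sorted(r.missing) or 'none'}")
        for scope, reason in sorted(r.revocable.items()):
            lines.append(f"  can revoke {scope} ({reason})")
        lines.append(f"  not in documentation, review: {sorted(r.unexpected) or 'none'}")
    return "\n".join(lines)


# CONSTRUCTED: service principal object ID -> display name (placeholder IDs).
SAMPLE_APPS = {
    "00000000-0000-0000-0000-000000000001": FEDERATION_APP,
    "00000000-0000-0000-0000-000000000002": SSO_APP,
    "00000000-0000-0000-0000-000000000003": "Unrelated app",
}
GRAPH_SP = "00000000-0000-0000-0000-00000000aaaa"  # placeholder Microsoft Graph SP id

# CONSTRUCTED grants: both Okta apps still hold scopes the tables say can go,
# the SSO app also holds one scope the tables never mention.
SAMPLE_GRANTS = [
    {"clientId": "00000000-0000-0000-0000-000000000001", "consentType": "AllPrincipals",
     "resourceId": GRAPH_SP,
     "scope": "User.Read Domain.ReadWrite.All RoleManagement.ReadWrite.Directory Directory.Read.All"},
    {"clientId": "00000000-0000-0000-0000-000000000002", "consentType": "AllPrincipals",
     "resourceId": GRAPH_SP,
     "scope": "User.ReadWrite.All Group.ReadWrite.All GroupMember.ReadWrite.All "
              "Organization.Read.All Application.Read.All RoleManagement.ReadWrite.Directory "
              "LicenseAssignment.ReadWrite.All Directory.ReadWrite.All User.Read Mail.Read"},
    {"clientId": "00000000-0000-0000-0000-000000000002", "consentType": "Principal",
     "principalId": "00000000-0000-0000-0000-0000000000ff", "resourceId": GRAPH_SP,
     "scope": "User.Read"},
    {"clientId": "00000000-0000-0000-0000-000000000003", "consentType": "AllPrincipals",
     "resourceId": GRAPH_SP, "scope": "User.Read"},
]

if __name__ == "__main__":
    print(report(audit(SAMPLE_GRANTS, SAMPLE_APPS, setup_complete=True)))
```

Run it with the tenant's real grant list and service principal names, and set setup_complete and provisioning_used to match your deployment; anything reported as "not in documentation" is worth checking against your own change records, since nothing on this page explains why it would be there.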

Provide Microsoft admin consent for Okta

You can provide admin consent in two ways, for provisioning and for SSO, as described in the following sections.

Provide Microsoft admin consent for provisioning

To facilitate provisioning from Okta to Office 365, you must authenticate and grant admin consent to allow Okta to access Microsoft Graph APIs.

If you're enabling provisioning for the Office 365 app for the first time, follow these steps:

  1. In the Okta Admin Console, complete the following:
    1. Go to Applications > Office 365 > Provisioning > Integration.
    2. Select the Enable API integration checkbox.
    3. Click Authenticate with Microsoft Account.

      You're redirected to the Microsoft account sign-in page.

  2. In Microsoft, complete the following:
    1. Sign in to Microsoft as a global admin for your Microsoft tenant.
    2. Read and accept the instructions that are listed on the Okta Office 365 Graph Client - SSO page.
  3. Save the settings in the Okta Admin Console.

Reauthenticate Microsoft admin consent for provisioning

If your org enabled provisioning before December 2021, you must reauthenticate to grant admin consent before you modify the provisioning settings. This is required because the permissions that Okta requests have changed.

If you've already enabled provisioning for the Office 365 app and need to re-authenticate, follow these steps:

  1. In the Okta Admin Console, complete the following:
    1. Go to Applications > Office 365 > Provisioning > Integration > Edit.
    2. Click Re-authenticate with Microsoft Account.

      You're redirected to the Microsoft account sign-in page.

  2. In Microsoft, complete the following:
    1. Sign in to Microsoft as a global admin for your Microsoft tenant.
    2. Read and accept the instructions that are listed on the Okta Office 365 Graph Client - SSO page.
  3. Save the settings in the Okta Admin Console.

Provide Microsoft admin consent for SSO

  1. In the Okta Admin Console, complete the following:
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the Sign on methods section, ensure that WS-Federation > Automatic is selected.
    3. In the Office 365 Domains section, click Start federation setup. You're redirected to the Microsoft account sign-in page.
  2. In Microsoft, complete the following:
    1. Sign in to Microsoft as a global admin for your Microsoft tenant.
    2. Read and accept the instructions that are listed on the Okta Graph API Client - Federation page.
  3. Back on the Sign On tab, click Federate domains, and select the domains to federate with Okta. You must federate at least one domain to complete authentication.
  4. Optional. To grant permissions for OAuth-based apps, complete the following in the Okta Admin Console:
    1. In the API Credentials section, select Allow administrator to consent for Advanced API access.
    2. Click Authenticate with Microsoft Account. You're redirected to the Microsoft account sign-in page.
    3. Sign in to Microsoft as a global admin for your Microsoft tenant.
    4. Read and accept the instructions that are listed on the Okta Microsoft Graph Client page.
  5. Save the settings in the Okta Admin Console.

Reauthenticate Microsoft admin consent for SSO

You must reauthenticate the existing Microsoft admin consent for Okta in the following cases:

  • If you add a new Office 365 app to the Okta End-User Dashboard and that app requires OAuth.
  • If the URL for an Office 365 app changes.

To reauthenticate, follow these steps:

  1. In the Okta Admin Console, complete the following:
    1. Go to Applications > Office 365 > Sign On > Edit.
    2. In the Sign on methods section, ensure that WS-Federation > Automatic is selected.
    3. In the Office 365 Domains section, click Re-authenticate with Microsoft Account. You're redirected to the Microsoft account sign-in page.
  2. In Microsoft, complete the following:
    1. Sign in to Microsoft as a global administrator for your Microsoft tenant.
    2. Read and accept the instructions listed on the Okta Graph API Client - Federation page.
  3. Optional. To grant permissions for OAuth-based apps, complete the following in the Okta Admin Console:
    1. In the API Credentials section, ensure that Allow administrator to consent for Advanced API access is selected.
    2. Click Re-authenticate with Microsoft Account. You're redirected to the Microsoft account sign-in page.
    3. Sign in to Microsoft as a global admin for your Microsoft tenant.
    4. Read and accept the instructions that are listed on the Okta Microsoft Graph Client page.
  4. Save the settings in the Okta Admin Console.
