Configure Okta as an external authentication method for Microsoft Entra ID

Early Access release. See Enable self-service features.

Microsoft Entra ID now supports external authentication methods (EAMs). This allows external authentication providers like Okta to be used as a second factor for accessing Microsoft resources or apps. See Microsoft Entra multifactor authentication external method provider reference.

Before you begin

Ensure that you have a Microsoft Entra ID account with admin privileges before following this procedure.

Start this procedure

This procedure requires configurations in Microsoft Entra ID and Okta to enable the two products to exchange EAM tokens with each other.

Register the app in Microsoft Entra ID

This is the app that integrates Microsoft Entra ID with Okta. It's used for exchanging EAM tokens with Okta.

Register an app in Microsoft Entra ID. In Redirect URI, select the Web platform type, and then enter the path to your Okta org authorization endpoint in the field. This is the URL where Microsoft Entra ID makes the authorization request to Okta. The URL looks like this: https://<org-name>.okta.com/oauth2/v1/authorize.
See Configure a new external authentication provider with Microsoft Entra ID.
Copy the Microsoft Application ID and Microsoft Tenant ID and paste them in a secure location. You need these items when you configure the following items:
- The Microsoft Entra ID External Authentication Methods app in Okta
- The EAM in Microsoft Entra ID

Configure the Microsoft Entra ID External Authentication Methods app in Okta

This is the app in Okta that receives the EAM tokens from Microsoft Entra ID.

If you rename this app, replace references to this app with the name of your app in this procedure.

In the Admin Console, go to ApplicationsApplications.
Click Browse App Catalog.
Search for and select the Microsoft Entra ID External Authentication Methods.
Click Add Integration.
Enter the Microsoft Tenant ID that you copied from Microsoft Entra ID.
Enter the Microsoft Application ID that you copied from Microsoft Entra ID.
From Microsoft Tenant Type, select one of the following options:
- Global Azure: Select this option for regular Microsoft accounts.
- Azure for US Government: Select this option for US government Microsoft accounts.
- Microsoft Azure operated by 21Vianet: Select this option for Microsoft accounts that were opened in China.
Click Done.
Optional. Select the Assignments tab and then assign the app to users and groups. See Assign app integrations.
Select the Sign On tab. In the Settings section, click the Copy to clipboard icon for the client ID. Paste the client ID in a secure location.

Create an EAM in Microsoft Entra ID

The EAM is the engine in Microsoft Entra ID that manages the authorization requests.

Ensure that the app that you've secured in Microsoft Entra ID has a multifactor authentication (MFA) policy assigned to it in Microsoft Entra ID. Otherwise, you can't invoke an EAM flow.

Follow the instructions for creating an EAM in the Microsoft Entra ID admin center. See Create an EAM in the admin center.
Enter these properties in the form:
1. Enter a descriptive name, like Okta MFA.
2. Enter the client ID that you copied from Okta in the Client ID field.
3. Enter the Discovery Endpoint URL with the client ID appended at the end:
  https://<org-name>.okta.com/.well-known/openid-configuration?client_id=<client id>.
4. Enter the Microsoft Application ID in the App ID field.
Click Request Permission.
Select the account that you're setting up from the Pick an account page.
Click Accept on the Permissions requested page.
Select the Enable toggle in the Enable and target section to turn the EAM on.
Click Save on the Add external method (Preview) page.

Map the Microsoft user into Okta

In this procedure, you let Okta know which app user to authenticate when an EAM request is made for the associated user in Microsoft Entra ID. This ensures that the same end user is authenticated in both Microsoft Entra ID and Okta.

Map the user account with the Microsoft Entra ID admin center and the Okta Admin Console

Go to the Microsoft Entra ID admin center.
Click Users.
Search for and select the Okta user.
Click the Copy to clipboard icon beside the Object ID. Paste this ID in a secure location.
In Okta, open the Microsoft Entra ID External Authentication Methods app:
1. In the Admin Console, go to ApplicationsApplications.
2. Select the Microsoft Entra ID External Authentication Methods app. This name might be different in your org.
Select the Assignments tab and then click AssignAssign to People or Assign to Groups.
Click Assign beside the user account that corresponds to the admin user in the Microsoft Entra ID admin center.
Paste the Microsoft User ID from the Microsoft Entra ID admin center into the Microsoft User ID field.
If you don't provide the Microsoft user ID, the EAM fails during authentication.
Click Save and go back.
Click Done.

Other ways to map the Microsoft user account into Okta

Use the Okta API. See Assign an application user in the Okta Developer Documentation.
Use Okta Workflows to automatically assign the Microsoft user ID to every user assigned to the Okta Microsoft Entra ID External Authentication Methods app. App assignments trigger System Log events, which trigger event hooks. Okta Workflows uses these events to populate the Microsoft user ID. See Entra ID Configuration Export & Migration to Okta, User Assigned to Application, and Event hooks.

End-user experience

This section describes the steps that the user follows to authenticate with Okta to gain access to a Microsoft-protected app.

A user signs in to an app protected by Microsoft Entra ID.
The user is prompted for MFA if the Microsoft Entra ID Conditional Access policy requires it.
The user selects Microsoft EAM.
The user is redirected to Okta for authentication.
The user authenticates with Okta using the authenticators that are required by their Okta policies.
If the user authenticates successfully, Okta redirects the user to Microsoft Entra ID.
Microsoft Entra ID signs the user in to the protected app.

System Log field

Okta records the correlation ID from Microsoft in the debugContext.debugData.microsoftEntraExternalAuthenticationMethodClientRequestId field in the Okta System Log. This tracks Okta requests in the EAM flow. If there's an error, Microsoft displays the value as Correlation ID to the user. Include the correlation ID in any requests that you submit to Okta Support.

Troubleshoot the integration

The default authentication requirement in the authentication policy for the Microsoft EAM app in Okta is one factor. That's because Okta provides a single step-up factor to complete the Microsoft authentication flow. You can update the authentication policy, but if it can't satisfy Microsoft's authentication requirements, the integration triggers errors and may fail.