Authorization

When you add an Azure Active Directory card to a flow for the first time, Okta prompts you to configure a connection. This creates a connection to your Azure Active Directory account, and also saves your account information so you can reuse the connection for any future Azure Active Directory flows.

When you create a connection for the first time, Okta recommends that you use an Azure Active Directory administrator account.

Applications

For your convenience, Okta has created Azure Active Directory OAuth applications:

• Azure Active Directory for Okta Workflows, for connections to Okta Workflows production orgs

• Azure Active Directory for Okta Preview, for connections to Okta Workflows preview orgs

When you create a Azure Active Directory connection in Okta Workflows, Okta automatically creates this app as a service principal object in your Azure tenant.

The object in your Azure tenant references a registered app object from the Okta Azure tenant. There's no additional configuration required on these service principal objects.

Office 365 GCC High tenants

Okta Workflows in Okta for Government High only supports connections using accounts from Office 365 GCC High tenants.

Before you begin

These are the prerequisites for adding an Azure Active Directory card to a flow.

Scopes

Make sure that you have enabled the supported OAuth scopes. See Guidance for Azure Active Directory connector.

Connections

• Create a connection with an Azure Active Directory administrator account

• Create a connection with an Azure Active Directory user account

• Prohibit users from creating connections

• Reauthorize a connection

Create a connection with an Azure Active Directory administrator account

1. In your Workflows Console, open the Connections page.

2. Click New Connection.

3. In the New Connection dialog, select the Azure Active Directory connection from the list.

4. Enter a unique Connection Nickname. This is useful if you plan to create multiple Azure Active Directory connections to share with your team.

5. Click Create.

6. Sign in to your Azure Active Directory account to authorize the connection.

7. Select one of the following options:

   • As an admin you don't want regular users to create connections. Click Accept and make sure that the Consent on behalf of your organization option isn't selected.
   • As an admin you want regular users also able to create connections. Click Accept and select the Consent on behalf of your organization option. All user accounts in your organization can create connections.

Create a connection with an Azure Active Directory user account

1. In your Workflows Console, open the Connections page.

2. Click New Connection.

3. In the New Connection dialog, select the Azure Active Directory connection from the list.

4. Enter a unique Connection Nickname. This is useful if you plan to create multiple Azure Active Directory connections to share with your team.

5. Click Create.

6. Sign in to your Azure Active Directory account to authorize the connection.

7. Select one of the following options:

   1. Can accept the permissions requested directly. By selecting this option, the admin allows regular user consent for this Okta app.
   2. Need admin approval. Users must contact an admin to grant access to the application. See Consent for all apps or Grant tenant-wide admin consent
   3. Need to submit an approval request. Users must enter a justification request for this app in the space provided. See Enable the admin consent workflow.

8. Click Accept.

Admin app approval

Admins can grant Okta app access to regular user accounts. When configuring a connection, if an admin forgets to select the Consent on behalf of your organization option and clicks Accept, the authorization page might not use the same admin account. This is because the Okta app authorized the connection and is remembered by the system.

The following tasks provide other ways for an admin to grant regular user accounts access to the Okta app.

Consent for all apps

This task allows for user consent for all apps or for apps from verified publishers, provided for selected permissions. Configure permissions as Global Admin only. See Configure how users consent to applications.

1. In the Azure Portal, select Azure Active DirectoryEnterprise applicationsConsent and permissionsUser consent settings.

2. Select one of the following permissions options:

   • Allow user consent for apps. This option is less secure.
   • Allow user consent for apps from verified publishers. This option is more secure. Configure the permissions as low impact. See Guidance for Azure Active Directory connector.

3. From Enterprise applications go to the Admin consent requests page and review and grant access.

Grant tenant-wide admin consent

You can grant tenant-wide admin consent for an Okta app only if authorized by your admin account or any other admin accounts. See Grant tenant-wide admin consent to an application.

1. In your Azure Portal, go to Azure Active DirectoryEnterprise applications.

2. Select one of the following Okta apps:

   • Azure Active Directory for Okta Workflows.
   • Azure Active Directory for Okta Preview

3. Select PermissionsGrant admin consent.

   All regular user accounts in your organization have been granted consent to the Okta app.

Enable the admin consent workflow

Enable regular users to request access to applications that require admin consent. Users can't directly create connections until the admin approves the request. Configure permissions as Global Admin only. See Configure the admin consent workflow.

1. In your Azure Portal, select Azure Active DirectoryEnterprise applications.
2. Under Manage, select User settings.
3. Under Admin consent requestsUsers can request admin consent to apps they are unable to consent to, select Yes. See Configure the admin consent workflow.
4. From Enterprise applications go to the Admin consent requests page and review and grant access.

Prohibit users from creating connections

Remove admin consent that was granted previously by deleting the Okta app in Enterprise applications and then reauthorize it. Deleting the app revokes the admin consent tenant-wide. Revoking individual user consent isn't allowed.

All existing connections stop working after one hour. For previously configured admin connections that you want to keep active, manually reauthorize them and use the consent process to avoid connection failure.

1. In your Azure Portal, select Azure Active DirectoryEnterprise applications.

2. Select one of the following Okta apps:

   • Azure Active Directory for Okta Workflows
   • Azure Active Directory for Okta Preview

3. Select Delete.

Admin consents previously granted are revoked and regular users can't create connections until admin consent is granted.

Reauthorize a connection

If you've used your account to create a connection successfully, you can use this account to create multiple connections. If you've already created connections you can reauthorize these connections as long as there are no configuration changes made by the admin.

Related topics

Azure Active Directory connector

Workflow elements

Guidance for Azure Active Directory connector

Azure Active Directory Management API overview