How does the password flow take place from O365?
Global Admin


We are in the process of integrating O365 with our Okta org and we have a query on this. First, let me explain our scenario. We have on-premise AD integrated with Okta through AD agents, and AD-mastered users are created in Okta. We want our existing ADFS-based authentication for O365 to be replaced by Okta.
Now, since we have AD-mastered users, the passwords will be managed by AD, so if any user's password is changed in AD, will it be synced to O365? Suppose a user is using the Outlook client; in that case, when will the user be prompted for a new password?
In case the user does not enter the new password, will his account get locked in Okta?

We are also confused about the usage of the Outlook mobile app, because our users use that too. How will the authentication take place in that?

Please reply as early as possible; it will be very helpful, as it is quite urgent for us.
Kevin Turner (Okta, Inc.)
Wow, there are a lot of questions here, let's start...

As part of your Okta to Office 365 configuration, if you are using Okta to provision users to Office 365, you can select the ability to sync the user's password to be the same as Office 365.

Second thing. If using the modern rich client the user will be automatically challenged to re-validate their password by Office 365 the next time they fire up the client. The checking of it will be via O365, but performed by Okta, and if correct the revised password will then be cached locally with the rich client.

The user would need to answer to change the password and should not lock themselves out (assuming they know the new password). As a point of interest, there is a capability to perform a soft lock to Okta accounts before you lock out AD-mastered user accounts that might be useful as well. There's some useful information here https://support.okta.com/help/Documentation/Knowledge_Article/Authentication-1407894845 and search down to "Configure lockout settings", where it describes the capability.

If you are using Okta Mobile to access the Office 365 tenant, Okta will make use of the embedded browser and perform a federated authentication to Office 365. So the only thing the user needs to do is select Okta Mobile and authenticate to the application with their PIN, and select O365.

If it's the Microsoft Outlook mobile app, it has a built-in browser and will prompt the user for their username/email address, and then trigger a federated authentication flow with Office 365 via Okta, so they will use their AD username and password.

Hope that all helps.