Thomas (Okta, Inc.)

How do I use automatic provisioning of office 365 user failing

Best Answer chosen by Thomas (Okta, Inc.) 
Thomas (Okta, Inc.)
"Automatic provisioning of user [Current O365 Azure UPN] to app Microsoft Office 365 failed: Could not push profile for Office 365 user [Current O365 Azure UPN] received error: 400 You must provide a required property: Parameter name: FederatedUser.SourceAnchor."

Okta Office 365 User Management will fail if the ImmutableId value in Okta doesn't match what has been set in Office 365. There are a couple of ways this can happen. In order to fix it, you need to set the ImmutableId in Office 365 to the correct value. If the user is an AD user, the ImmutableId is set to the AD GUID. If the user is an Okta-only user, the ImmutableId is set to the application assignment ID. You can see the ImmutableId in Office 365 by running the following Azure PowerShell commands:

Get-MsolUser -UserPrincipalName [Current O365 Azure UPN] | select *

If this does not match the AD GUID or the app assignment ID, it can be reset only by changing the UPN to a non-federated domain. Once you switch the UPN for the user to a non-federated domain, reset the ImmutableId and then change the UPN back using the following commands:

Set-MsolUserPrincipalName -UserPrincipalName [Current O365 Azure UPN] -NewUserPrincipalName [temp@yourdomain.onmicrosoft.com]


Set-MsolUser -UserPrincipalName [temp@yourdomain.onmicrosoft.com] -ImmutableId [Either the GUID in AD or the App Assignment ID]

Next, re-run the get command for the temp user to make sure the ImmutableId was reset.

Get-MsolUser -UserPrincipalName [temp@yourdomain.onmicrosoft.com] | select *


If the domain is correct, set the username back and give Office 365 a couple of minutes, then try re-running the user management in Okta.

Set-MsolUserPrincipalName -UserPrincipalName [temp@yourdomain.onmicrosoft.com] -NewUserPrincipalName [Previous O365 Azure UPN]

Original Author: Joel Hanson, Sales Engineer, Okta
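
The procedure in the answer above as a single script, added here as an example (not code from the original answer or from Okta). It leaves accounts whose ImmutableId already matches untouched and restores the original UPN even if a step fails. It assumes the MSOnline module with an active Connect-MsolService session; the parameter names are hypothetical.

```powershell
# Added example: ImmutableId reset with pre-checks and guaranteed UPN restore.
# Assumes the MSOnline module and a prior Connect-MsolService; parameters are placeholders.
param(
    [Parameter(Mandatory)] [string] $CurrentUpn,          # federated UPN that fails provisioning
    [Parameter(Mandatory)] [string] $TempUpn,             # e.g. temp@yourdomain.onmicrosoft.com
    [Parameter(Mandatory)] [string] $ExpectedImmutableId  # AD GUID or app assignment ID
)
$ErrorActionPreference = 'Stop'   # turn cmdlet errors into exceptions so 'finally' runs

$user = Get-MsolUser -UserPrincipalName $CurrentUpn
Write-Host "Current ImmutableId: '$($user.ImmutableId)'"

# Case-sensitive compare: skip the UPN change entirely when nothing is wrong.
if ($user.ImmutableId -ceq $ExpectedImmutableId) {
    Write-Host 'ImmutableId already matches; no change made.'
    return
}

# The value links a federated sign-in to exactly one account, so stop if
# a different account already holds it instead of remapping the identity.
$clash = Get-MsolUser -All | Where-Object { $_.ImmutableId -ceq $ExpectedImmutableId }
if ($clash) {
    throw "ImmutableId is already set on $($clash.UserPrincipalName); resolve that first."
}

$moved = $false
try {
    # Step 1: move the user to the non-federated domain (cmdlet output discarded).
    Set-MsolUserPrincipalName -UserPrincipalName $CurrentUpn -NewUserPrincipalName $TempUpn | Out-Null
    $moved = $true

    # Step 2: set the ImmutableId, then read it back to confirm the change.
    Set-MsolUser -UserPrincipalName $TempUpn -ImmutableId $ExpectedImmutableId
    $check = (Get-MsolUser -UserPrincipalName $TempUpn).ImmutableId
    if ($check -cne $ExpectedImmutableId) {
        throw "ImmutableId is '$check' after the update, expected '$ExpectedImmutableId'."
    }
    Write-Host 'ImmutableId updated and verified.'
}
finally {
    # Step 3: always put the original UPN back so the user is not left on the temp domain.
    if ($moved) {
        Set-MsolUserPrincipalName -UserPrincipalName $TempUpn -NewUserPrincipalName $CurrentUpn | Out-Null
    }
}
```

As in the answer, give Office 365 a couple of minutes after the script finishes before re-running user management in Okta.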

All Answers

Palak Chheda
What is the App Assignment ID that is referenced here? And how can we retrieve that for every user?