Okta Help Center - Blogs

Office 365 Integration Enhancements

Dec 21, 2016 | by Marc Jordan in Office 365
Office 365 continues to grow in popularity as one of the most-used applications in the Okta Application Network, and we've been keeping busy building out new and differentiated integration points to Microsoft's suite of cloud productivity tools. Today, I wanted to take you through some of these enhancements as well as give you a sneak peek of what we have coming in the product.

Updates to Office 365 Application Chiclets: The Okta dashboard is your one-stop shop for getting access to all of your applications, both on-premises and in the cloud. We heard resounding feedback that getting direct access to all of the applications you have available in Office 365, straight from Okta, was a great way for new and existing users to be more productive. With that in mind, we've just finished adding a wealth of new, customizable application chiclets for your Office 365 users. Key additions include Yammer, Sway, Dynamics CRM as well as many more. There are more Office 365 chiclets we're working on, so watch this space as we continue to improve the experience for your end-users and administrators.

New Chiclets on Okta's Dashboard for Office 365

Improved Onboarding Experience with Okta Cloud Connect: Office 365 is also one of the most commonly selected applications for Okta's Cloud Connect offering, and we want to be sure that you can get up and running in no time. We've recently made some significant changes to this experience in order to streamline your Office 365 setup. The updates to Okta Cloud Connect for Office 365 allow you to easily build a customized deployment experience, based on your environment's current configuration and desired end-state. Best of all, we automate most of the scripting and deployment steps to save you having to bounce around other servers and portals. Watch the short video below as we take you through an end-to-end configuration of Office 365 with Okta Cloud Connect.

OCC Video - Configuring Okta Cloud Connect with Office 365

Profile Photo Synchronization (Active Directory to Office 365) [BETA]: One of the frequently requested enhancements for our integration with Office 365 is the synchronization of photos from Active Directory to Office 365, enabling a more personalized experience for sending email and collaborating. Our Beta program for Profile Photo synchronization is now available. To read more about these enhancements and get involved in the Beta program, have a look at our Beta Sign-Up Portal for more information and assistance getting started.

Enhanced Offboarding for Office 365 [Sneak Peek]: For many years now, Okta has been able to granularly manage roles and licenses that are assigned in Office 365 enabling customers to save money in Office 365 licensing as well as in manual efforts. Our enhanced offboarding functionality enables Office 365 customers to have complete, end-to-end control over both the assignment and un-assignment of licenses and roles. This means that you can stop those scheduled tasks and manual processes that might have existed to disable access and re-allocate your Office 365 licensing. Our soon to be available offboarding functionality in Office 365 will enable you to Block Access, Block Access and Remove Licenses, and/or Block Access and Remove Licenses after a customizable period of time. Remember to watch this space for updates and more details as we release this functionality to Beta and General Availability.

Enhanced Offboarding Workflow for Office 365

We can't wait for you to get started with these new capabilities. Remember to drop us a line in the community if you've got any questions or want to post your thoughts and ideas about upcoming features.

New EA Feature: Delete User

Dec 14, 2016 | by Aaron Yee in Provisioning

Hi valued customers! It's nearing the end of the year, which means it's time to tidy things up – your yard, your personal finances, and your Okta org. You can now permanently delete a user from Okta. (short pause as it sinks in) Applause!  

This has been a long-awaited feature, and I'm happy to announce that it is in early access (EA). This means that you can use it in production environments; it's fully supported. Just contact our support team to request the feature, and they will happily turn it on for you. 

Deleting a user is useful in the following situations:

  • You accidentally created a user and want to remove the account from Okta 
  • You want to reuse a previously created username 
  • You want to delete a username that has changed (perhaps because of marriage) 
  • You want to purge your Okta org of users who are no longer in your organization

  • Before an account can be deleted, it must first be deactivated
  • You can deactivate an account via the GUI or API 
  • Once a user account is deleted, an admin can create a new Okta user with the same user name as the deleted one 
    • The new user account will not be associated with the previously deleted user account 
    • For example, app or group assignments will be completely new 
  • Only the following admin roles can delete a user: Super admin, Org admin, and User admin
  • The Okta system log retains past events that the deactivated user performed 
    • The log retains the last 6 months of activity 

Using the Feature  
An Okta account can be deleted via the GUI or API. 

To delete via the GUI:  

  • Log in to Okta as an administrator
  • Find a deactivated user under Directory > People  
  • Select the user 
  • Click the Delete button

To delete via the API: 

DELETE .../users/:id 

The user will irrevocably be removed from view after this call. Cleanup may happen asynchronously. Refer to the API docs (developer.okta.com) for more details.

Okta Verify for iOS adds Multiple Account Support

Nov 18, 2016 | by Eric Karlinsky in Security
If you’re an Okta admin who logs into multiple Okta orgs to do your job—I’ve got great news: Okta Verify for iOS now supports multiple accounts! That means you can take advantage of the buttery smooth Okta Verify with Push experience for all of your Okta orgs (and other services, too).

By the way, this new app includes some other cool changes that we think you’ll like. Let’s take a tour, starting with...

Multiple Account Support

There’s now an 'Add Account' button on the bottom of the Okta Verify screen. Tap that, and you will be taken to the QR code scanner interface to scan a new account. Just follow the enrollment instructions in Okta to add the account.

Once you’ve got multiple accounts on the app, the user experience changes; now in place of the rotating Okta Verify dial, you’ll see this:
User-added image
Mind. Blown. Right?

Okay, so maybe it’s not life-changing, but we think it’s a huge improvement. Let’s take a closer look at what’s new. First, when multiple accounts are set up, the classic dial is replaced by a timer bar on the top. See the gray and blue bar right below the blue banner on top? That’s the new TOTP countdown—when that bar fills up, you’ll get a new set of OTP codes for all of your accounts. Also, you should see a label above the code and your username below it, to help you keep track of which one to use.

You can also change the labels by tapping 'Edit' in the top-right. That switches the app to edit mode, which looks like this:
User-added image
In Edit mode you can move the accounts up or down by dragging the gripper icons on the right of each account:
User-added image
You can also edit the labels by simply tapping on them. Tap Enter to confirm.

You can delete an account by tapping the delete icon here:
User-added image
You can even add third party accounts in this way, too. Consumer services like Gmail, LastPass and others support a QR-code based enrollment, which means you can use the OTP mode of Okta Verify for these apps. Just follow the enrollment process in accordance with the app’s instructions.

Updated Touch ID Experience

We’ve improved the TouchID experience in this release in two ways: First, the OTP is now obfuscated by default if TouchID is enabled for the respective Okta org. It looks like this:
User-added image
Just tap on the thumbprint icon and you’ll be prompted for TouchID; then the digits will be revealed. This adds an extra layer of security for TouchID-enabled Okta tenants.
We’ve also improved the end user experience from the lock screen. Now, when your iPhone is locked and you receive a notification, you can slide it, accept and then you’re prompted for TouchID right on the lock screen.
Previously, you had to unlock first, then open the Verify app and scan your finger. We think this is a much better experience for end users.

That’s about it! We hope you like these improvements—we know some customers have been waiting for multiple account support for a while and we’re excited to finally deliver.

If you have any feedback, please email mfa@okta.com. And if you want to learn more about how Okta can meet your MFA needs, please contact your Okta rep.

SCIM Provisioning Developer Program

Nov 16, 2016 | by Kevin Gough in Okta Application Network

Increasingly, you expect your cloud application providers to support advanced provisioning features in order to automate user lifecycle management for an application, including account creation, profile updates, authorization settings, and account deactivation.

Okta’s developer program helps cloud service providers quickly integrate with Okta, using the SCIM standard, to enable advanced provisioning. The program includes:

  • Hands-on workshops (Schedule)

  • Step-by-step documentation

  • Free Okta Developer Edition license

  • QA tools

  • Dedicated support

Most recently, we added four more apps via Okta, thanks to the SCIM Provisioning Developer Program: SRXP, MindTickle, Instructure, and Woolloo.

Is there an app you’d like to see as part of the program? Tell your app vendors to join with this email template.

Tips and Tricks with Okta's Desktop SSO (DSSO) Agent

Oct 13, 2016 | by Marc Jordan in Managing Apps with Single Sign On
At Okta, we see a lot of our customers using the Desktop SSO Agent to enable them to perform seamless Single Sign-On between their on-premises Active Directory and the Okta Service. We’ve worked hard to keep the installation experience as simple as possible; however, there’s a lot you can do with the DSSO agent to further improve security and usability for your end-users.
Using SSL for your Deployment
First and foremost, we always recommend that you transition to using Secure Sockets Layer (SSL) with the on-premises agent. This is important to provide the utmost security, but it is also a hard requirement for some applications to successfully authenticate (in particular, Windows 10 Universal Applications such as OneNote, Mail, etc.). To switch to using SSL, follow the steps in the Desktop SSO Deployment Guide. As domain-joined computers will be the primary audience for DSSO, there’s no need to purchase an SSL certificate from a third party if you have an internal Certificate Authority. These computers will, by default, trust the SSL certificate issued to the DSSO agent.
Your DSSO agent can support bindings on both port 80 and port 443 simultaneously, so remember to test out the change for yourself prior to reconfiguring Okta to point to the HTTPS binding. This will avoid any interruption to your users’ sign-on experience. To do so, simply copy the address of your IWA agent from Okta:
User-added image
Jump to a browser session, paste the existing link into the address bar, change the address to use ‘https’ and add Authenticated.aspx to the end of the link. If everything has gone to plan and you browse to the link, you should see the page below presented:

User-added image 
If everything looks good, and you’re ready to make the change, jump back to Okta and make the switch to HTTPS (Note: Simply change the address from http:// to https://, no need to add anything else to the IWA redirect URL).
Redirecting incompatible clients with IIS ARR
Throughout your enterprise, you'll no doubt have different types of devices, running different OS versions with different capabilities. A Windows device will probably be joined to your AD Domain, whereas that probably won't be the case for that iPhone. Because of this, some of these clients aren't going to be able to achieve Integrated Windows Authentication (with Kerberos or NTLM) and will need to use a forms-based login page. Within the Desktop SSO agent, we've added a customizable fallback interval if IWA has not succeeded, though sometimes you may want to optimize this experience for clients that you know will fail. In order to achieve this, one common configuration is to leverage Microsoft’s Application Request Routing IIS extension to redirect clients that do not support Integrated Windows Authentication back to Okta’s forms-based login page.  

To get started, you can find out how to install ARR on your IIS Server from our deployment guide.
Once you have ARR installed, load up your IIS Manager Console, browse to your IWA Application and open URL Rewrite:
User-added image
You want to create a ‘Blank Rule’:
User-added image
Give it a descriptive name and then configure the rule as you see fit. In the example below, if any request hits the IWA Application and has an HTTP_USER_AGENT string containing Mobile, it’s going to redirect the user to the Okta login page for my tenant.
User-added image
User-added image
If you need information about the User Agent String for a Device, http://www.useragentstring.com can easily give you a wealth of information to help make pattern decisions simple.
You can then also test your patterns with the ‘Test Pattern’ functionality of the IIS conditions:
User-added image
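The rule described in the steps above, written out as the web.config fragment that IIS URL Rewrite stores for the IWA application. This is an added example, not Okta's own configuration: the rule name, the 302 redirect type and the redirect URL (a placeholder for your tenant's Okta login page) are assumptions.

```xml
<!-- Added example: web.config of the IWA application (not from the original post). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is an assumption; use any descriptive name. -->
        <rule name="Redirect mobile clients to Okta login" stopProcessing="true">
          <!-- Apply to every request that reaches the IWA application. -->
          <match url=".*" />
          <conditions>
            <!-- Matches when the User-Agent header contains "Mobile"
                 (URL Rewrite patterns are case-insensitive by default). -->
            <add input="{HTTP_USER_AGENT}" pattern="Mobile" />
          </conditions>
          <!-- Placeholder URL: replace with your tenant's Okta login page.
               "Found" (302) is an assumption, chosen so clients do not
               cache the redirect permanently. -->
          <action type="Redirect" url="https://your-tenant.example.com/" redirectType="Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The User-Agent header is supplied by the client, so this rule is routing for usability rather than an access control; clients that do not match still go through IWA and its fallback interval.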
Have you got any custom configuration tips that could help out others? Drop us a line on the community and get the word out! As always, feel free to reach out and let us know how you’re going with your deployment.