Every application that supports the System for Cross-domain Identity Management (SCIM) protocol requires some form of authentication (a service account, a delegated OAuth token with the proper permissions, or an API token generated in the application's interface) before it can provision user identities through CRUD operations, provision groups, or perform the other operations supported by the vendor's implementation.
Microsoft Office 365 is no exception. Both functions, Web Services Federation (WS-Fed) and provisioning, require a service account that authorizes the federation process and grants access to the Microsoft Graph API Client.
Applies to:
- Microsoft Office 365 (O365)
- Okta Classic Engine
- Provisioning
Cause: the service account is misconfigured; it either lacks the required permissions or has Multi-Factor Authentication enabled.
Resolution: the Microsoft Office 365 account used to integrate Okta with Office 365 (for both Provisioning and WS-Federation) requires the following:
- Global Administrator role.
- Multi-Factor Authentication (MFA) is enabled for this account on the Office side.
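Before changing anything on the Okta side, it is worth confirming which directory roles the integration account actually holds, since a missing Global Administrator role is the first cause listed above. The following is an added example, not code from Okta or Microsoft: it evaluates a Microsoft Graph `directoryRoles` response (the shape returned by `GET /v1.0/directoryRoles?$expand=members`; the JSON below is constructed sample data, and the account names and the "User Administrator" entry are invented) and reports whether a given service account is a direct member of the Global Administrator role. The Global Administrator role template ID used here is the well-known Entra ID value; it is not taken from this page.

```python
import json

# Well-known Entra ID (Azure AD) role template ID for "Global Administrator".
# Not listed on the page above; it is a stable, documented value.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample response (shape of GET /v1.0/directoryRoles?$expand=members).
# Account names and the second role entry are made up for this example.
SAMPLE_DIRECTORY_ROLES = json.dumps({
    "value": [
        {
            "displayName": "Global Administrator",
            "roleTemplateId": GLOBAL_ADMIN_TEMPLATE_ID,
            "members": [
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "okta-provisioning@example.onmicrosoft.com"},
            ],
        },
        {
            "displayName": "User Administrator",
            "roleTemplateId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
            "members": [
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "helpdesk-sync@example.onmicrosoft.com"},
            ],
        },
    ]
})


def roles_for_account(directory_roles_json: str, upn: str) -> set:
    """Return the roleTemplateIds of every activated directory role that lists
    `upn` as a direct user member.

    Caveats: directoryRoles only returns roles that have been activated in the
    tenant, and this check does not expand group members or PIM-eligible
    assignments, so an account whose role comes via a group will show as missing.
    """
    data = json.loads(directory_roles_json)
    wanted = upn.lower()
    found = set()
    for role in data.get("value", []):
        for member in role.get("members", []):
            if member.get("@odata.type") != "#microsoft.graph.user":
                continue  # skip groups and service principals (see caveat)
            if member.get("userPrincipalName", "").lower() == wanted:
                found.add(role["roleTemplateId"])
    return found


def check_service_account(directory_roles_json: str, upn: str) -> dict:
    """Summarise whether the integration account meets the role requirement
    stated in the resolution above (Global Administrator)."""
    roles = roles_for_account(directory_roles_json, upn)
    has_global_admin = GLOBAL_ADMIN_TEMPLATE_ID in roles
    return {
        "upn": upn,
        "global_admin": has_global_admin,
        "active_role_count": len(roles),
        "finding": "ok" if has_global_admin
                   else "missing Global Administrator role; provisioning will fail",
    }


if __name__ == "__main__":
    for account in ("okta-provisioning@example.onmicrosoft.com",
                    "helpdesk-sync@example.onmicrosoft.com"):
        print(check_service_account(SAMPLE_DIRECTORY_ROLES, account))
```

In practice the JSON would come from a Graph call made with an administrative token that has `RoleManagement.Read.Directory` (or `Directory.Read.All`); the offline version above lets you validate the logic first. The MFA requirement in the resolution is not visible in `directoryRoles` and has to be checked separately in the account's authentication settings.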
