The Single Sign On (SSO) flow of a federated Microsoft user fails with the following error:
Office 365 Login Failure
Your account has not been configured for this application. Please contact your Okta administrator and ask them to import your account from Active Directory.
- Office 365
- Single Sign On
- Federation
- Error
The most common cause of this error is that the ImmutableID value is either missing or does not match the existing ImmutableID value in the Microsoft user profile's properties.
To check the ImmutableID value, click on the Office integration's Assignments tab and click on the Edit app assignment button next to the affected Office user.
- The ImmutableId value will be blank if the user is not sourced from an on-premises AD integration.
- If there is no on-premises AD integration from which the value can be mapped, the ImmutableId mapping has to be changed to a different Okta attribute that is unique and never changes. The Okta user ID meets both requirements: it is unique and only changes if the user is deleted and recreated in Okta.
- From the Okta admin dashboard, access the Profile Editor section.
- Look for the application profile of the Office 365 instance and click on it.
- Choose the Okta User to Office 365 section.
The ImmutableID value needs to be populated from Okta to Office 365 using one of the following expressions:
- For non-AD users, use this expression to map the Okta user ID to the ImmutableID:
  user.getInternalProperty("id")
- For both AD and non-AD users, use this expression to populate the ImmutableID:
  hasDirectoryUser()?findDirectoryUser().externalId:user.getInternalProperty("id")
NOTE: The second expression generates an ImmutableID value for an Okta user with or without an Active Directory assignment. The expression uses this logic to populate the ImmutableID value:
- Check IF the user has an Active Directory assignment.
- (if TRUE) THEN set the ImmutableId to the AD profile's External ID field value.
- (if FALSE) ELSE set the ImmutableId to the Okta User ID value.
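The following Python is an added example, not Okta's own code, that mirrors the two expressions above and checks a set of Okta users against the ImmutableId values stored on the Microsoft side, so an administrator can spot the "missing" or "mismatch" condition that causes the login failure. The user records, External ID strings and Office 365 values are constructed placeholders, and the ImmutableId is treated as an opaque string.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DirectoryUser:
    external_id: str  # AD profile "External ID" field (placeholder values below)

@dataclass
class OktaUser:
    id: str           # Okta user ID, i.e. user.getInternalProperty("id")
    login: str
    directory_user: Optional[DirectoryUser] = None  # None when not AD-sourced

def non_ad_immutable_id(user: OktaUser) -> str:
    """Mirrors the first expression: user.getInternalProperty("id")."""
    return user.id

def expected_immutable_id(user: OktaUser) -> str:
    """Mirrors the second expression:
    hasDirectoryUser()?findDirectoryUser().externalId:user.getInternalProperty("id")
    """
    if user.directory_user is not None:        # hasDirectoryUser()
        return user.directory_user.external_id  # findDirectoryUser().externalId
    return non_ad_immutable_id(user)            # fall back to the Okta user ID

def diagnose(user: OktaUser, m365_immutable_id: Optional[str]) -> str:
    """Classify one user: 'missing', 'mismatch' or 'ok'."""
    if not m365_immutable_id:
        return "missing"
    if m365_immutable_id != expected_immutable_id(user):
        return "mismatch"
    return "ok"

def reconcile(users, m365_immutable_ids) -> dict:
    """Map each login to its diagnosis; m365_immutable_ids is login -> ImmutableId."""
    return {u.login: diagnose(u, m365_immutable_ids.get(u.login)) for u in users}

# Constructed sample data (hypothetical users and placeholder IDs).
OKTA_USERS = [
    OktaUser("00u1aliceOKTAID", "alice@example.com", DirectoryUser("AD-EXTID-ALICE-0001")),
    OktaUser("00u2bobOKTAID",   "bob@example.com"),    # non-AD user
    OktaUser("00u3carolOKTAID", "carol@example.com"),  # non-AD user
    OktaUser("00u4daveOKTAID",  "dave@example.com", DirectoryUser("AD-EXTID-DAVE-0004")),
]
M365_IMMUTABLE_IDS = {
    "alice@example.com": "AD-EXTID-ALICE-0001",  # matches the AD External ID
    "bob@example.com":   "AD-EXTID-OLD-BOB",     # stale value from a removed AD source
    "dave@example.com":  "00u4daveOKTAID",       # set with the non-AD expression by mistake
}                                                 # carol has no value at all
```

Running reconcile(OKTA_USERS, M365_IMMUTABLE_IDS) reports alice as ok, bob and dave as mismatch, and carol as missing; the mismatch and missing cases are the ones that produce the error above.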
