Each user provisioned for Office 365 has an attribute, StsRefreshTokensValidFrom, a timestamp before which existing login sessions and refresh tokens are treated as invalid. It is updated when the user changes their password, so the user must sign in to their apps again. The attribute is calculated and populated automatically based on the Provisioning Type.
- License Only or Profile Sync: The StsRefreshTokensValidFrom attribute is set to the current date and time when the user changes their password in Okta.
- User Sync or Universal Sync: If the user is linked from Active Directory, the StsRefreshTokensValidFrom attribute is set to the pwdLastSet attribute in Active Directory. For all other users, the StsRefreshTokensValidFrom attribute is set to the current date and time when the user changes their password in Okta.
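The two rules above can be modelled as a small decision function. The following is an added example, not Okta's or Microsoft's code: it derives the StsRefreshTokensValidFrom timestamp from the provisioning type and the user's source, converting an Active Directory pwdLastSet value (a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC) where the user is AD-linked, and then shows the check a token consumer performs: a refresh token issued before that timestamp is rejected. The provisioning-type constants, the function names and the sample timestamps are constructed for this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME epoch (1601-01-01 UTC), counted in 100-nanosecond ticks.
# Active Directory stores pwdLastSet in this format.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Provisioning types named in the text (constant names are constructed here).
LICENSE_ONLY = "license_only"
PROFILE_SYNC = "profile_sync"
USER_SYNC = "user_sync"
UNIVERSAL_SYNC = "universal_sync"


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD pwdLastSet FILETIME value to a timezone-aware UTC datetime."""
    # In AD, pwdLastSet == 0 means the password must be changed at next logon,
    # so it is not a usable "valid from" instant. Rejecting it is this
    # example's choice; the page does not describe how Okta treats that case.
    if filetime <= 0:
        raise ValueError("pwdLastSet is unset (0) or invalid; no usable timestamp")
    # FILETIME ticks are 100 ns; timedelta resolution is 1 us, hence // 10.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_utc(iso_string: str) -> datetime:
    """Parse an ISO-8601 timestamp with an explicit offset into UTC."""
    parsed = datetime.fromisoformat(iso_string)
    if parsed.tzinfo is None:
        raise ValueError("timestamp must carry an explicit UTC offset")
    return parsed.astimezone(timezone.utc)


def sts_refresh_tokens_valid_from(
    provisioning_type: str,
    ad_linked: bool,
    pwd_last_set: Optional[int] = None,
    okta_password_changed_at: Optional[str] = None,
) -> datetime:
    """Derive StsRefreshTokensValidFrom following the rules stated on the page.

    License Only / Profile Sync: the time the password was changed in Okta.
    User Sync / Universal Sync:  pwdLastSet for AD-linked users, otherwise the
                                 time the password was changed in Okta.
    """
    if provisioning_type in (LICENSE_ONLY, PROFILE_SYNC):
        source = okta_password_changed_at
    elif provisioning_type in (USER_SYNC, UNIVERSAL_SYNC):
        if ad_linked:
            if pwd_last_set is None:
                raise ValueError("AD-linked user has no pwdLastSet value")
            return filetime_to_datetime(pwd_last_set)
        source = okta_password_changed_at
    else:
        raise ValueError(f"unknown provisioning type: {provisioning_type!r}")
    if source is None:
        raise ValueError("Okta password change time is required for this user")
    return parse_utc(source)


def refresh_token_is_valid(token_issued_at: str, valid_from: datetime) -> bool:
    """A refresh token issued before StsRefreshTokensValidFrom is rejected."""
    return parse_utc(token_issued_at) >= valid_from


if __name__ == "__main__":
    # Constructed sample: pwdLastSet for 2023-01-01T00:00:00Z as a FILETIME.
    pwd_last_set = 133170048000000000
    valid_from = sts_refresh_tokens_valid_from(UNIVERSAL_SYNC, True, pwd_last_set=pwd_last_set)
    print("StsRefreshTokensValidFrom:", valid_from.isoformat())
    print("token from 2022-12-31 valid?", refresh_token_is_valid("2022-12-31T23:59:59+00:00", valid_from))
    print("token from 2023-01-02 valid?", refresh_token_is_valid("2023-01-02T00:00:00+00:00", valid_from))
```

Because the value is copied from pwdLastSet for AD-linked users under User Sync or Universal Sync, a password reset performed in AD (not in Okta) is what moves the timestamp forward for those users; for everyone else the Okta password change event is the trigger. When investigating a suspected token replay, comparing the token's issue time against this attribute tells you whether a password reset has already revoked it.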
If the User Sync or Universal Sync provisioning type is selected, all users appear as Synced with Active Directory in the Office 365 tenant, regardless of where their profile is sourced from. The user is nevertheless still sourced from the source directory.
Also:
- User Sync and Universal Sync can’t be used with Directory Synchronization, Azure Active Directory (AAD) Sync, or Azure Active Directory Connect.
- Universal Sync also does not support JIT-enabled Active Directory instances.
- Once Universal Sync is configured, users can no longer be updated directly in Azure AD. Changes must occur at the source of truth and be synced across. In this case, the OnPrem AD domain was selected during the Universal Sync provisioning configuration.
- If Hybrid AAD Domain Joined devices or access are used, or might be used in the future, User Sync or Universal Sync cannot be used.
Related References
- Provision users to Office 365
- Provisioning options for Office 365
- Typical workflow for integrating Hybrid Azure AD Join
- Prerequisites for Integrating Hybrid Azure AD Join
