After a user's name or email address changes (for example, following a life-status event), Microsoft Office 365 provisioning fails with the following error:
Automatic profile push of user <firstname> <lastname> to app Microsoft Office 365 failed: Could not push profile for Office 365 user received error: Received response with HTTP status code 400. httpStatusCode=400 errorCode=Request_BadRequest errorMessage="Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration." client-request-id=<client-request-id> request-id=<request-id> timestamp='Tue, 01 Nov 2022 15:52:08 GMT' method=PATCH url=https://graph.microsoft.com/v1.0/users/<immutable id>
Searching the Azure AD audit log for the client-request-id and request-id values from the Okta provisioning task error shows that the properties rejected in the update are lastName and displayName.
- Active Directory configured to sync with Azure AD (AAD) via Microsoft AADConnect/DirSync.
- Microsoft Office 365 (O365)
- Provisioning
- Licenses and roles
This issue occurs when:
- The environment is configured to sync Active Directory with Azure AD using Microsoft AADConnect/DirSync.
- Okta provisioning for Microsoft Office 365 is enabled with a provisioning type other than Licenses/Roles Management Only.
The 400 error is returned by the Microsoft Graph API (the PATCH to https://graph.microsoft.com/v1.0/users/<immutable id> shown in the error). Azure AD does not allow cloud-side updates to attributes of a user object whose source of authority is on-premises Active Directory, that is, an object mastered through Microsoft AADConnect/DirSync. So when Okta detects a change to a mapped non-license/role attribute (such as firstName, lastName or displayName) and tries to push it to the provisioned Azure AD user, Graph rejects the request, because AADConnect/DirSync is already responsible for writing those attributes.
Licenses/Roles Management Only is currently the only Okta provisioning type for Office 365 that is supported alongside Microsoft AADConnect / DirSync.
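As an added example (not Okta or Microsoft code), the script below triages this error offline: it parses the key=value tail of the Okta provisioning task error, pulls out the client-request-id and request-id needed for the Azure AD audit-log search, recognises the Graph error text for on-premises mastered objects, and optionally confirms the sync state from the user's Graph onPremisesSyncEnabled property. The sample error line and the Graph user fragment are constructed for the demo; the user name, GUIDs and object id in them are made up.

```python
"""Triage of the Okta -> Office 365 profile-push error described above.

Added example, not Okta or Microsoft code. The sample inputs below are
constructed; names, GUIDs and the object id are made up.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample, modelled on the error quoted in the article.
SAMPLE_ERROR = (
    "Automatic profile push of user Jane Doe to app Microsoft Office 365 failed: "
    "Could not push profile for Office 365 user received error: "
    "Received response with HTTP status code 400. httpStatusCode=400 "
    "errorCode=Request_BadRequest "
    'errorMessage="Unable to update the specified properties for on-premises '
    'mastered Directory Sync objects or objects currently undergoing migration." '
    "client-request-id=11111111-2222-3333-4444-555555555555 "
    "request-id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee "
    "timestamp='Tue, 01 Nov 2022 15:52:08 GMT' method=PATCH "
    "url=https://graph.microsoft.com/v1.0/users/0123456789abcdef=="
)

# Constructed fragment of GET /v1.0/users/{id}. onPremisesSyncEnabled is the
# Graph property that marks an object mastered by AADConnect/DirSync.
SAMPLE_GRAPH_USER = {
    "id": "0123456789abcdef==",
    "displayName": "Jane Doe",
    "onPremisesSyncEnabled": True,
    "onPremisesLastSyncDateTime": "2022-11-01T15:30:00Z",
}

# Substring of the Graph error that identifies this specific failure mode.
DIRSYNC_MASTERED_TEXT = "on-premises mastered Directory Sync objects"

# key=value tokens; values may be bare, "double-quoted" or 'single-quoted'.
_FIELD_RE = re.compile(r"""([\w-]+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_okta_graph_error(message: str) -> dict:
    """Return the key=value fields from an Okta provisioning task error."""
    fields = {}
    for m in _FIELD_RE.finditer(message):
        key, dq, sq, bare = m.groups()
        fields[key] = dq if dq is not None else sq if sq is not None else bare
    return fields


def target_object_id(url: str) -> str:
    """Object id (or UPN) from a .../v1.0/users/{id} URL."""
    return urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]


def is_dirsync_error(fields: dict) -> bool:
    """True when Graph rejected the PATCH because the object is AD-mastered."""
    return (
        fields.get("httpStatusCode") == "400"
        and fields.get("errorCode") == "Request_BadRequest"
        and DIRSYNC_MASTERED_TEXT in fields.get("errorMessage", "")
    )


def diagnose(message: str, graph_user: Optional[dict] = None) -> dict:
    """Triage one error line; graph_user, if given, confirms the sync state."""
    fields = parse_okta_graph_error(message)
    dirsync = is_dirsync_error(fields)
    return {
        "dirsync_conflict": dirsync,
        "method": fields.get("method"),
        "target": target_object_id(fields.get("url", "")),
        # Search the Azure AD audit log for these to see which properties failed.
        "audit_search_ids": {
            "client-request-id": fields.get("client-request-id"),
            "request-id": fields.get("request-id"),
        },
        "user_confirmed_synced": (
            bool(graph_user.get("onPremisesSyncEnabled")) if graph_user else None
        ),
        "remediation": (
            "Set Okta > Microsoft Office 365 > Provisioning > To App to "
            "Licenses/Roles Management Only, or stop mastering the object via "
            "AADConnect/DirSync."
            if dirsync else None
        ),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(SAMPLE_ERROR, SAMPLE_GRAPH_USER), indent=2))
```

Feed it the error text from the Okta System Log task and, if you have Graph access, the user's onPremisesSyncEnabled value; a match on both is the DirSync source-of-authority conflict described above rather than a transient Graph failure.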
If the customer environment cannot be changed to stop syncing Active Directory with Azure AD via Microsoft AADConnect / DirSync, the only way to resolve the issue from the Okta side is:
- Navigate to Okta Admin Dashboard > Applications > Applications > Microsoft Office 365 > Provisioning > To App > Edit.
- Change the current provisioning type to Licenses/Roles Management Only.
- Save the changes.
