External Authentication Method (EAM) for Microsoft Entra ID allows Entra ID to leverage an external authentication provider like Okta as a Multi-factor Authentication (MFA) provider within Entra ID policy, reducing the overhead of configuring and managing both Okta Verify and Windows Hello authenticators across both platforms. When configuring Okta as an External Authentication Method (EAM) for Microsoft Entra ID, it is necessary to map the Microsoft user GUID into the Okta Application User Profile to complete the EAM link. This can be done manually or via API, but one possible method is to use a Workflows flow like the following example.
NOTE: This is not related to Office 365 (O365) or Microsoft 365 (M365) and does not impact provisioning on those apps. It is a configuration isolated to Microsoft's EAM MFA function and Okta EAM integration configuration.
- Okta Identity Engine (OIE)
- External Authentication Method (EAM) for Entra ID via Okta
- Microsoft Azure AD
- Workflows
As outlined in the EAM documentation, it is necessary to map the Microsoft user ID into the Okta EAM App User Profile for the users assigned to the EAM app in Okta. This is outside the scope of the initial application setup and requires a manual or custom solution to insert the expected profile data.
Build a new flow using the example EAM.flow described below as a starting point template for this requirement.
- Complete the EAM application configuration in Okta and Entra ID as documented. Save the Okta application ID.
- The example flow is not available as a template and cannot be directly attached here, so it will be necessary to create a new flow.
- Configure cards as shown in the flow screenshot below.
- Configure and select the connectors for the Okta org and Azure AD environment.
- Configure the first and final workflow card settings to utilize the EAM application that was previously created in Okta.
- Enable the flow and ensure test users successfully complete the flow with the updated App User Profile result.
See the flow connection methodology below:
Flow Outline:
- Get the assigned user's Okta ID.
- Read that user's email attribute.
- Read the Azure User ID for that email.
- Compose a property in JSON format using that Azure User ID.
- Update the assigned Application User Profile with the mapped Azure User ID.
NOTE: 404 errors are expected if the user's email does not exist in Azure.
- Consider building additional error-handling logic or reporting cards into the flow to increase resilience.
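As an added example (not from the original article or from Okta), the same five steps as a script against the Okta and Microsoft Graph REST APIs instead of Workflows cards, including the expected 404 case when no matching Entra user exists. The org URL, tokens, app ID and the `microsoftUserId` attribute name are placeholders; the email is assumed to equal the user's Entra UPN.

```python
import json
import urllib.error
import urllib.request

# Constructed placeholders: replace with your own org URL, EAM app ID and tokens.
OKTA_ORG = "https://example.okta.com"
OKTA_TOKEN = "<okta-api-token>"
GRAPH_TOKEN = "<graph-access-token>"
EAM_APP_ID = "<okta-eam-app-id>"
# Assumption: the attribute in the EAM app user profile that holds the Entra user GUID.
PROFILE_ATTRIBUTE = "microsoftUserId"


def http_json(method, url, token, body=None):
    """Send one JSON request and return (status, parsed body); a 404 is returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", token)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return 404, None
        raise


def compose_profile_update(azure_user_id):
    """Card 4: the JSON property that maps the Entra user ID into the app user profile."""
    return {"profile": {PROFILE_ATTRIBUTE: azure_user_id}}


def link_eam_user(okta_user_id, send=http_json):
    """Run the five flow steps for one assigned user; `send` is injectable for offline tests."""
    # Cards 1-2: read the Okta user and take its email attribute.
    status, user = send("GET", f"{OKTA_ORG}/api/v1/users/{okta_user_id}", f"SSWS {OKTA_TOKEN}")
    if status == 404 or user is None:
        return {"okta_user": okta_user_id, "status": "okta_user_not_found"}
    email = user["profile"]["email"]
    # Card 3: look up the Entra user by that email (assumed to equal the UPN); 404 = no Entra account.
    status, entra = send("GET", f"https://graph.microsoft.com/v1.0/users/{email}", f"Bearer {GRAPH_TOKEN}")
    if status == 404 or entra is None:
        return {"okta_user": okta_user_id, "email": email, "status": "no_entra_user"}
    # Cards 4-5: compose the property and write it to the user's EAM app assignment.
    body = compose_profile_update(entra["id"])
    send("POST", f"{OKTA_ORG}/api/v1/apps/{EAM_APP_ID}/users/{okta_user_id}", f"SSWS {OKTA_TOKEN}", body)
    return {"okta_user": okta_user_id, "email": email, "azure_user_id": entra["id"], "status": "linked"}
```

To cover every assigned user, call `link_eam_user` for each ID returned by `GET /api/v1/apps/{appId}/users` and report the `no_entra_user` results rather than treating them as failures.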
