Office 365 OIN Application Account Permissions for Configuration
Okta Integration Network
Okta Classic Engine
Okta Identity Engine
Overview

This article discusses why the Global Admin role is needed for the service account used for federation or enabling provisioning for Microsoft Office 365.

Applies To
  • Office 365
  • Federation
  • Provisioning
  • Permissions
Cause

Administrators are concerned about leaving Global Admin permissions enabled on the account used to authenticate provisioning or federation.

Solution

Okta needs Global Admin permissions for the service account used to federate and provision between Okta and Microsoft Office 365, and these permissions need to remain in place even after the initial configuration. Microsoft and Okta require these permissions for security reasons: only admins can consent to larger scopes and more significant permissions, while a user's consent is scoped to that user's own data and capabilities.

See the scenarios below for more information:

  • The O365 Global Admin account used for Automatic Federation must remain a Global Admin.
  • The O365 Global Admin account used for Authenticating Provisioning can be placed in the least privileged state, because Okta relies on the Graph API to perform provisioning actions.
    • NOTE: If the API connection has to be re-authenticated, the O365 account's Global Admin permissions must be granted again first.
  • If the same account is used for both Automatic Federation and Authenticating Provisioning, the Global Admin permissions must remain.
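The scenarios above hinge on one question: does the Okta service account currently hold the Global Administrator role or not? The following is an added audit example, not Okta's or Microsoft's own code, that answers that question for a given account. It assumes the Microsoft Graph PowerShell SDK is installed and that the caller can sign in with read-only directory scopes; the service account UPN is a placeholder.

```powershell
# Added example (not from the Okta article): list the active directory roles held by
# the service account Okta uses, so you can confirm whether it still holds
# Global Administrator before touching federation or re-authenticating provisioning.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed.
$ServiceAccountUpn = 'okta-svc@contoso.example'   # placeholder, not from the article

# Role template ID of the built-in Global Administrator role (a fixed Entra ID value).
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Get-ServiceAccountDirectoryRoles {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Read-only scopes are enough for this audit; no write permission is requested.
    Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory' | Out-Null

    # Get-MgUserMemberOf returns groups and directory roles; keep only the directory roles.
    Get-MgUserMemberOf -UserId $UserPrincipalName -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object {
            [pscustomobject]@{
                RoleId         = $_.Id
                DisplayName    = $_.AdditionalProperties['displayName']
                RoleTemplateId = $_.AdditionalProperties['roleTemplateId']
            }
        }
}

$roles = Get-ServiceAccountDirectoryRoles -UserPrincipalName $ServiceAccountUpn
$roles | Format-Table -AutoSize

if ($roles.RoleTemplateId -contains $GlobalAdminTemplateId) {
    Write-Host "$ServiceAccountUpn holds Global Administrator (required while it is used for Automatic Federation)."
} else {
    Write-Host "$ServiceAccountUpn does not hold Global Administrator."
    Write-Host "Acceptable only if the account is used solely for Graph API provisioning; re-authenticating the API will require the role to be granted again."
}
```

Only active role assignments are returned by this call. If the tenant uses Privileged Identity Management, an eligible-but-not-activated Global Administrator assignment will not appear in the list, so an account that looks least-privileged here may still be able to activate the role.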
