Okta Office 365 Integration: Supported Group Types and Push Configuration
Overview

This article outlines the supported group types and configuration settings for using Okta's Group Push feature with Microsoft Office 365 (Entra ID). It covers how groups are created, the prerequisites for configuration, and common troubleshooting steps.

Applies To
  • Group Push and Provisioning for Microsoft Office 365
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Okta Integration Network
  • User Lifecycle Management
  • Office 365 Integration
Cause

The unsupported configurations and the most common failures stem from two behaviours on the Microsoft side of the integration.

  • Microsoft Graph API limitations: Okta's native Group Push creates and manages groups through the Microsoft Graph API. Graph cannot create or modify Exchange-managed group types such as mail-enabled security groups and distribution lists, so those group types are out of scope for the standard integration.
  • On-premises Active Directory authority: Groups mastered in an on-premises Active Directory and synced to Entra ID carry onPremisesSyncEnabled: true. Their source of authority is the on-premises directory, and Microsoft Graph rejects membership changes to them from any external caller, including Okta, so Group Push cannot manage them.
Solution

Supported Group Types for Push

Okta's native Group Push can create and manage only specific group types in Microsoft Entra ID.

  • Security groups: When an Okta group is pushed, it is created as a security group in Microsoft 365 by default.
  • Microsoft 365 groups: Native Group Push can also create and manage Microsoft 365 groups (also known as Unified groups).
  • Mail-enabled security groups: Not supported by native Group Push because of the Microsoft API limitation described above. Okta's recommended approach is to manage them from Okta Workflows, which interacts with the Microsoft Graph API directly.
  • Distribution lists (DLs): Not supported for creation by Group Push. Distribution lists must be created and managed directly in Microsoft 365 or synced from an on-premises Active Directory.

Group Linking

The Microsoft 365 application in Okta supports "Group Linking", which allows connecting an Okta group to a pre-existing group in the Microsoft 365 tenant, synchronizing their memberships.

Critical Limitations for Linking

  • Cloud-native groups only: Group Linking works only for groups that are native to the cloud, that is, created in Entra ID.
  • On-premises synced groups are ineligible: A group synced from an on-premises Active Directory cannot be linked. Such groups have onPremisesSyncEnabled set to true in Entra ID, which blocks external management. If a group does not appear in the list of linkable groups, it is most likely an on-premises synced group.
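The eligibility rules in the Cause, Supported Group Types and Critical Limitations sections can be checked against the properties Microsoft Graph exposes on every group. The following Python script is an added example, not Okta's or Microsoft's code: it classifies groups from the JSON shape returned by GET /groups?$select=... and reports whether native Group Push or Group Linking can manage each one. The response body is a constructed sample so the script runs offline, and the rule that a group must be both cloud-native and a Graph-manageable kind to be linkable is an assumption that combines the two limitations above.

```python
"""Check Entra ID groups for Okta Group Push / Group Linking eligibility.

Added example (not Okta's or Microsoft's code). It consumes the JSON shape of
GET https://graph.microsoft.com/v1.0/groups?$select=<SELECT_FIELDS>; the
response below is a constructed sample so the script runs offline.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

SELECT_FIELDS = "id,displayName,mailEnabled,securityEnabled,groupTypes,onPremisesSyncEnabled"

# Group kinds Okta's native Group Push can create and manage via Microsoft Graph.
PUSHABLE_KINDS = {"security", "microsoft365"}


def classify_group(g: dict) -> str:
    """Map the Graph properties of a group to its Entra ID group kind."""
    if "Unified" in (g.get("groupTypes") or []):
        return "microsoft365"           # Microsoft 365 (Unified) group
    mail = bool(g.get("mailEnabled"))
    sec = bool(g.get("securityEnabled"))
    if sec and not mail:
        return "security"
    if sec and mail:
        return "mail_enabled_security"  # Exchange-managed; not creatable via Graph
    if mail and not sec:
        return "distribution_list"      # Exchange-managed; not creatable via Graph
    return "unknown"


@dataclass(frozen=True)
class Eligibility:
    kind: str
    cloud_native: bool   # False when onPremisesSyncEnabled is true
    pushable: bool       # native Group Push can create/manage this group kind
    linkable: bool       # an Okta group can be linked to this existing group
    reason: str


def assess(g: dict) -> Eligibility:
    """Apply the article's rules: on-prem synced groups are off limits, and
    only security and Microsoft 365 groups are managed through Graph."""
    kind = classify_group(g)
    # onPremisesSyncEnabled is null (not False) for cloud-native groups.
    cloud_native = not bool(g.get("onPremisesSyncEnabled"))
    if not cloud_native:
        return Eligibility(kind, False, False, False,
                           "onPremisesSyncEnabled is true; source of authority is on-premises AD")
    if kind not in PUSHABLE_KINDS:
        # Assumption: linking also needs a Graph-manageable kind, because linking
        # synchronises membership through the same API as push.
        return Eligibility(kind, True, False, False,
                           f"{kind} is not manageable through Microsoft Graph")
    return Eligibility(kind, True, True, True, "cloud-native security or Microsoft 365 group")


def assess_graph_response(body: str) -> dict[str, Eligibility]:
    """Assess every group in a Graph /groups response body, keyed by displayName."""
    return {g["displayName"]: assess(g) for g in json.loads(body)["value"]}


# Constructed sample response (not real tenant data).
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"id": "g-1", "displayName": "okta-sec-app-users", "mailEnabled": False,
     "securityEnabled": True, "groupTypes": [], "onPremisesSyncEnabled": None},
    {"id": "g-2", "displayName": "project-alpha", "mailEnabled": True,
     "securityEnabled": False, "groupTypes": ["Unified"], "onPremisesSyncEnabled": None},
    {"id": "g-3", "displayName": "finance-mesg", "mailEnabled": True,
     "securityEnabled": True, "groupTypes": [], "onPremisesSyncEnabled": None},
    {"id": "g-4", "displayName": "all-staff-dl", "mailEnabled": True,
     "securityEnabled": False, "groupTypes": [], "onPremisesSyncEnabled": None},
    {"id": "g-5", "displayName": "synced-domain-users", "mailEnabled": False,
     "securityEnabled": True, "groupTypes": [], "onPremisesSyncEnabled": True},
]})

if __name__ == "__main__":
    for name, e in assess_graph_response(SAMPLE_GRAPH_RESPONSE).items():
        print(f"{name:22} {e.kind:22} push={e.pushable!s:5} link={e.linkable!s:5} {e.reason}")
```

Run it against a real tenant by replacing SAMPLE_GRAPH_RESPONSE with the body of the Graph call (the Group.Read.All permission is enough to read these properties); a group that the Okta admin console refuses to push or link should come back with pushable or linkable set to False and the reason column explaining which rule blocked it.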

Troubleshooting

  • Inactive status after a change: If a group's name or description is changed in Okta after it has been pushed, the push mapping can become Inactive.
    • Reactivate the mapping from the application's Push Groups tab.
  • General sync issues / Authorization_IdentityNotFound error: This Microsoft Graph error means the identity behind the API integration could not be resolved, that is, the API authentication is broken.
    1. Verify that the account used for the API integration under Provisioning > Integration is a cloud-only Global Administrator and is not subject to MFA. Because this account is highly privileged and exempt from MFA, treat it as a dedicated service account: exclude only that account from Conditional Access MFA policies rather than weakening policy tenant-wide, give it a long random password, and monitor its sign-ins.
    2. Re-authenticate the API connection with Edit > Re-authenticate with Microsoft Office 365. Do this in a private/incognito browser window so the browser does not reuse a cached session of a federated user (for example, an administrator who signed in to Microsoft 365 through Okta).
    3. Click Test API Credentials to confirm the connection succeeds before saving.
  • Throttling errors (HTTP 429 Too Many Requests): In large environments, frequent updates can exceed Microsoft Graph's rate limits.
    • Mitigate this by breaking large push operations into smaller batches: keep each group push rule under the recommended 100 groups, and add members to large groups in batches over time rather than all at once. A 429 response carries a Retry-After header; wait at least that long before retrying.
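For the Workflows or custom-script path that the Mail-enabled security groups bullet points to, the batching and back-off advice above translates into code. The following Python script is an added example, not Okta's or Microsoft's code. It relies on two documented Microsoft Graph behaviours: a PATCH on /groups/{id} accepts up to 20 members at once through the "members@odata.bind" property, and a throttled request is answered with HTTP 429 and a Retry-After header. The transport is a constructed in-memory fake so the script runs offline; supply a real HTTP send function (with a bearer token) to use it against a tenant.

```python
"""Batch group-membership writes and honour Microsoft Graph throttling (HTTP 429).

Added example (not Okta's or Microsoft's code) for the custom/Workflows path.
Graph accepts up to 20 members per PATCH on /groups/{id} via "members@odata.bind"
and answers a throttled request with HTTP 429 plus a Retry-After header. The
transport below is a constructed fake so the script runs offline.
"""
from __future__ import annotations

import time
from typing import Callable, Iterable, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
MAX_MEMBERS_PER_PATCH = 20  # documented Graph limit for members@odata.bind

# send(method, url, json_body) -> (status_code, response_headers)
SendFn = Callable[[str, str, dict], Tuple[int, dict]]


def chunk(items: list, size: int) -> Iterable[list]:
    """Yield consecutive slices of at most `size` items."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def member_patch_body(user_ids: list[str]) -> dict:
    """Build the PATCH body that binds up to 20 directory objects as members."""
    return {"members@odata.bind": [f"{GRAPH}/directoryObjects/{uid}" for uid in user_ids]}


def add_members(group_id: str, user_ids: Iterable[str], send: SendFn,
                sleep=time.sleep, max_retries: int = 5) -> dict:
    """Add user_ids to the group in batches, backing off on 429 per Retry-After."""
    stats = {"requests": 0, "throttled": 0, "batches": 0}
    for batch in chunk(list(user_ids), MAX_MEMBERS_PER_PATCH):
        attempt = 0
        while True:
            stats["requests"] += 1
            status, headers = send("PATCH", f"{GRAPH}/groups/{group_id}",
                                   member_patch_body(batch))
            if status in (200, 204):
                stats["batches"] += 1
                break
            if status == 429 and attempt < max_retries:
                stats["throttled"] += 1
                attempt += 1
                # Prefer the server's Retry-After; fall back to exponential backoff.
                sleep(float(headers.get("Retry-After", 2 ** attempt)))
                continue
            raise RuntimeError(f"PATCH {group_id} failed with HTTP {status}")
    return stats


class FakeGraph:
    """Constructed stand-in for Graph: records members and throttles every third request."""

    def __init__(self) -> None:
        self.calls = 0
        self.members: dict[str, set[str]] = {}

    def __call__(self, method: str, url: str, body: dict) -> Tuple[int, dict]:
        self.calls += 1
        if self.calls % 3 == 0:
            return 429, {"Retry-After": "1"}
        if len(body["members@odata.bind"]) > MAX_MEMBERS_PER_PATCH:
            return 400, {}  # real Graph rejects oversized binds
        group_id = url.rsplit("/", 1)[1]
        self.members.setdefault(group_id, set()).update(
            ref.rsplit("/", 1)[1] for ref in body["members@odata.bind"])
        return 204, {}


if __name__ == "__main__":
    graph = FakeGraph()
    users = [f"user-{n:04d}" for n in range(45)]
    print(add_members("g-1", users, graph, sleep=lambda s: None))
    print(len(graph.members["g-1"]), "members added")
```

With 45 constructed users the script sends three batches (20, 20, 5), is throttled once by the fake and retries after the advertised Retry-After, so all 45 members land. Against a real tenant keep the batches well below Graph's per-app limits and spread them out in time, as the bullet above recommends; the back-off only keeps a job alive, it does not raise the quota.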
