Okta fails to automatically push a user profile to Microsoft Office 365 because a Conditional Access policy requires multifactor authentication (MFA) for the Okta service account. The solution involves excluding the service account from the policy and re-authenticating the API integration.
Okta generates the following error when the automatic profile push fails:
Could not push profile for Office 365 user <user>, received error: com.saasure.application.microsoft.exceptions.Office365ProvisioningException: 400 AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access 'xxxxx'.
The Azure Active Directory (AAD) Sign-In Logs for the user svc_OKTA_sync_{appInstanceId} display error code 50079.
Applies to:
- Microsoft Office 365
- Provisioning
- Okta Identity Engine (OIE)
- Okta Classic Engine
A Conditional Access policy in the Microsoft tenant requires MFA for the Okta service account (svc_OKTA_sync_{appInstanceId}). This requirement prevents the service account from successfully authenticating and pushing profile updates to Microsoft Office 365.
How is the Microsoft Office 365 profile push error resolved?
Exclude the Okta service account from the Microsoft tenant Conditional Access policy and re-authenticate the API integration to restore provisioning functionality.
- Exclude the user whose name starts with svc_OKTA_sync_{appInstanceId} from the Conditional Access policy of the Microsoft tenant.
- Re-authenticate the API integration in Microsoft Office 365 by navigating to Provisioning > Integration.
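As an added example (not from the Okta article), the Python below shows the detection and the exclusion side by side: it picks out svc_OKTA_sync_* sign-ins that failed with error code 50079 from sample log entries, and returns a copy of an MFA-enforcing Conditional Access policy with that account's object id added to excludeUsers. The log and policy dictionaries are constructed and only loosely follow Microsoft Graph's signIn and conditionalAccessPolicy shapes; the field names are assumptions, and the real policy is still edited in the portal or through Graph as the steps above describe.

```python
import re
from copy import deepcopy

# Constructed sample data (not from the article). The log and policy shapes loosely
# follow Microsoft Graph's signIn and conditionalAccessPolicy resources (assumed).
SIGNIN_LOGS = [
    {"userPrincipalName": "svc_OKTA_sync_0oaEXAMPLE@contoso.onmicrosoft.com",
     "appDisplayName": "Okta", "status": {"errorCode": 50079}},
    {"userPrincipalName": "alice@contoso.onmicrosoft.com",
     "appDisplayName": "Office 365", "status": {"errorCode": 50079}},
    {"userPrincipalName": "svc_OKTA_sync_0oaEXAMPLE@contoso.onmicrosoft.com",
     "appDisplayName": "Okta", "status": {"errorCode": 0}},
]
# Constructed UPN -> object-id lookup; Graph's excludeUsers holds object ids, not UPNs.
DIRECTORY = {"svc_OKTA_sync_0oaEXAMPLE@contoso.onmicrosoft.com":
             "11111111-0000-0000-0000-000000000001"}
MFA_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
# Okta names its Office 365 service account svc_OKTA_sync_{appInstanceId}.
SERVICE_ACCOUNT = re.compile(r"^svc_OKTA_sync_[^@]+@", re.IGNORECASE)


def failing_service_accounts(logs):
    """UPNs of Okta service accounts whose sign-ins failed with AADSTS50079."""
    return {e["userPrincipalName"] for e in logs
            if e["status"]["errorCode"] == 50079
            and SERVICE_ACCOUNT.match(e["userPrincipalName"])}


def requires_mfa(policy):
    """True if an enabled policy grants access only with the built-in MFA control."""
    return (policy["state"] == "enabled"
            and "mfa" in policy["grantControls"].get("builtInControls", []))


def exclude_service_accounts(policy, upns, directory):
    """Return a copy of the policy with the accounts' object ids added to excludeUsers."""
    fixed = deepcopy(policy)  # never mutate the object fetched from the tenant
    excluded = fixed["conditions"]["users"].setdefault("excludeUsers", [])
    for upn in sorted(upns):
        oid = directory[upn]
        if oid not in excluded:  # idempotent: re-running adds no duplicates
            excluded.append(oid)
    return fixed
```

Only policies for which requires_mfa() is true need the exclusion; other policies are left untouched so the service account keeps whatever other controls apply to it.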
