Unable To Sync Sensitive Attributes From Okta To Microsoft Office 365
Okta Classic Engine
Okta Identity Engine
Okta Integration Network
Overview

This article explains why attributes such as mobilePhone, otherMails, or accountEnabled may not sync from Okta to Microsoft Office 365. Even when Okta System Logs indicate a successful provisioning push, and the Microsoft admin audit log records other successful push events for the same user profile, the target attribute is not updated.

When attempting to update the user attributes directly via the Microsoft Graph API, the following error is returned:

Insufficient privileges to complete the operation.

Applies To
  • Microsoft Office 365
  • Provisioning
Cause

This issue may occur because Microsoft Graph restricts updates to sensitive user properties for users who hold privileged administrator roles.

These restrictions block the synchronization when the bypassDirSyncOverridesEnabled setting is false (the default) in the Microsoft environment (onPremisesDirectorySynchronizationFeature resource type). Okta uses DirSync to push attributes that are sourced from on-premises AD environments and are commonly synced through Okta first, with Okta acting as the single source of truth.

Solution

As documented in the Microsoft Graph Update user reference, updating sensitive user properties such as accountEnabled, mobilePhone, and otherMails for users with privileged administrator roles requires the following:

  • In delegated scenarios, the app must be assigned the Directory.AccessAsUser.All delegated permission, and the calling user must hold a higher privileged administrator role, as indicated in Who can perform sensitive actions.
  • In app-only scenarios, the application must be assigned a higher privileged administrator role, as indicated in Who can perform sensitive actions.


Verify that the environment is free of standard configuration issues that could impede successful provisioning:

  1. Go to Directory > Profile Editor > Mappings and confirm that the mapping for the attribute (for example, mobilePhone) is set correctly.
  2. The Okta admin configuring provisioning for the Microsoft Office 365 app in Okta is using an Office 365 Global Admin account.
  3. Okta System Logs show that the AppUser update and profile push events to Microsoft Office 365 are successful.
  4. Other personal user attributes or licenses are successfully updated in Microsoft Office 365, as reflected in the Microsoft admin audit log.


If all of the above are verified, then proceed with the following steps:

  1. Open the MS Graph Explorer for the target Microsoft environment. For more information, please check the Overview of Microsoft Graph article.
  2. Run this Get onPremisesDirectorySynchronization request to retrieve the on‑premises synchronization configuration:
    GET https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization/
  3. From the output, locate and copy the synchronization ID.
  4. Paste that ID into the Update onPremisesDirectorySynchronization request URL, for example:
    PATCH https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization/{synchronization_ID}/
  5. Use the following JSON body to enable the bypass feature:
    {
        "features":
        {
            "bypassDirSyncOverridesEnabled": true
        }
    }

    • To verify the configuration, run the GET request again:
      GET https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization/{synchronization_ID}/
    • Scroll to the features section in the response and confirm the value updated:
      "bypassDirSyncOverridesEnabled": true
  6. Once bypassDirSyncOverridesEnabled is set to true, update the AppUser assignment in Okta so that a profile change is detected and a profile push to Microsoft Office 365 is triggered.

NOTE: Force Sync will not apply if there are no changes to the AppUser profile.
See How to Use the Force Sync Option for more details.
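The Graph exchange in steps 2 through 5 can also be driven from a script rather than Graph Explorer. The following is an added example written for this article, not Okta's or Microsoft's own code. It assumes a Graph bearer token with rights to read and update the onPremisesDirectorySynchronization resource is supplied in an environment variable named GRAPH_TOKEN (an assumption; obtain the token however your tenant policy prescribes). The script lists the synchronization object, extracts its id, sends the PATCH only when the flag is still false, and then re-reads the object to confirm the change, which is the same verify step the article describes. The sample response embedded at the bottom is constructed for offline testing and is not real tenant data.

```python
"""Check and enable bypassDirSyncOverridesEnabled via Microsoft Graph.

Added example (not Okta's or Microsoft's code). Assumes GRAPH_TOKEN holds a
bearer token authorised for the onPremisesDirectorySynchronization resource.
"""
import json
import os
import sys
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization"
FEATURE = "bypassDirSyncOverridesEnabled"


def graph_request(method, url, token, body=None):
    """Send one Graph request; return the decoded JSON body, or {} for an empty reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def extract_sync_id(list_response):
    """Step 3: pull the synchronization id out of the GET collection response.

    The collection is expected to contain exactly one object; anything else
    is treated as an error rather than silently picking the first entry.
    """
    items = list_response.get("value", [])
    if len(items) != 1:
        raise ValueError(f"expected one synchronization object, got {len(items)}")
    return items[0]["id"]


def bypass_enabled(sync_object):
    """Verification step: True only if the feature flag is present and true."""
    return sync_object.get("features", {}).get(FEATURE, False) is True


def build_patch(sync_id):
    """Steps 4 and 5: return the Update request URL and JSON body."""
    return f"{GRAPH_BASE}/{sync_id}", {"features": {FEATURE: True}}


def main():
    token = os.environ.get("GRAPH_TOKEN")
    if not token:
        sys.exit("set GRAPH_TOKEN to a Microsoft Graph bearer token first")
    listing = graph_request("GET", GRAPH_BASE, token)          # step 2
    sync_id = extract_sync_id(listing)                          # step 3
    if bypass_enabled(listing["value"][0]):
        print(f"{FEATURE} is already true for {sync_id}; nothing to do")
        return
    url, body = build_patch(sync_id)                            # steps 4-5
    graph_request("PATCH", url, token, body)
    after = graph_request("GET", url, token)                    # verify
    if not bypass_enabled(after):
        sys.exit(f"{FEATURE} is still false after PATCH; check the caller's role")
    print(f"{FEATURE} is now true for {sync_id}")


# Constructed sample of a GET collection response, used only for offline checks.
SAMPLE_LIST_RESPONSE = {
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000000",  # placeholder id
            "features": {FEATURE: False},
        }
    ]
}


if __name__ == "__main__":
    main()
```

Run it with GRAPH_TOKEN exported; the PATCH is skipped when the flag is already true, so the script is safe to re-run as a check.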


If assistance is required with the Microsoft Graph requests, contact Microsoft support for guidance on the Microsoft Office 365 environment.
