Overview
NOTE: This article only applies to customers who federate Office 365 with Okta using WS-Fed Auto.
Before performing the steps below, check the current federation settings for the target domain using Graph Explorer (federationConfiguration).
Okta strives to deliver the most secure integrations for our customers. To this end, Okta is introducing a stronger and more resilient way to federate Office 365 with Okta by moving to an OAuth-based consent flow leveraging the Microsoft Graph framework and eliminating the need for administrator credentials to set up Single Sign-on for Office 365 with Okta. This change aligns with Microsoft’s plans to enforce MFA for administrators and deprecate Azure AD Graph and MSOnline PowerShell cmdlets.
Important Dates
- By December 31, 2024, to be proactive and secure our customers, Okta requires all customers to consent and leverage the upgraded integrations. The SSO integration for Office 365 with Okta might be affected if no action is taken.
- Microsoft will require Multi-Factor Authentication for any administrators signing into the Azure Ecosystem. This change will happen in two phases:
  - Phase 1: Starting Oct 15, enforcement for MFA at sign-in for the Azure portal only will roll out gradually to all tenants. This phase will not impact other Azure clients, such as Azure CLI, Azure PowerShell, and IaC tools. No impact on the SSO integration is anticipated on this date.
  - Phase 2: Starting mid-2025, enforcement for MFA at sign-in for Azure Command Line Interface (CLI), Azure PowerShell, and Infrastructure as Code (IaC) tools will gradually roll out to all tenants. There is no definitive date from Microsoft at this point for this phase.
- By March 30, 2025, Microsoft will end support for deprecated MSOnline PowerShell cmdlets, which might impact the Single Sign-on integrations.
To take advantage of this upgraded integration, customers who use Single Sign On for Office 365, using the WS-Fed Auto method, will need to follow the required actions detailed below to migrate their Office 365 App in Okta.
Prerequisites
- An Office 365 application that uses Automatic configuration for Single Sign-On.
- An App Administrator role in Okta to migrate the Office 365 Single Sign-on applications.
- A Microsoft Global administrator credential to update the Single Sign-On settings in Okta.
- Office 365 Multiple Domain Federation is turned on. To verify, there should be a “Fetch and Select” option for domain federation by going to the Office 365 app > Sign on tab > Edit > Fetch and Select.
- If the "Fetch and Select" option is not available, please contact Okta Support to enable the Multi-Domain feature flag in the tenant.
Solution
Update Office 365 applications to support the Microsoft Graph by following the steps below:
- In the Admin Console, go to Applications > Applications.
- Select the Office 365 application, which is configured using the Automatic option.
- Click the Sign On tab and click on Edit.
- Click on the Authenticate with Microsoft Office button and provide consent.
  - NOTE: This is not the button associated with Advanced API Access, but rather a new button that will be available September 19, 2024 (see screenshot below).
- Scroll down to the bottom and click Save.
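The check of the current federation settings called for in the overview can be kept as a before/after record, so that any change to the domain's federation settings after the migration is visible. The following is an added example, not code from Okta or Microsoft: it assumes the Graph Explorer response for GET /domains/{domain}/federationConfiguration was saved as JSON, and the function names and all sample values are constructed.

```python
import base64, hashlib, json

# Properties of a Graph internalDomainFederation object worth recording.
FIELDS = ("preferredAuthenticationProtocol", "issuerUri", "passiveSignInUri",
          "activeSignInUri", "federatedIdpMfaBehavior")

def snapshot(response_json: str) -> dict:
    """Reduce a saved federationConfiguration response to
    {config id: {field: value}}, storing the certificate as its SHA-256."""
    out = {}
    for cfg in json.loads(response_json).get("value", []):
        rec = {f: cfg.get(f) for f in FIELDS}
        cert = cfg.get("signingCertificate")
        rec["signingCertSha256"] = (
            hashlib.sha256(base64.b64decode(cert)).hexdigest() if cert else None)
        out[cfg.get("id")] = rec
    return out

def changed(before: dict, after: dict) -> dict:
    """Return {config id: {field: (old, new)}} for every field that differs.
    A configuration present on only one side shows None for the other."""
    report = {}
    for cid in before.keys() | after.keys():
        old, new = before.get(cid, {}), after.get(cid, {})
        delta = {f: (old.get(f), new.get(f))
                 for f in old.keys() | new.keys() if old.get(f) != new.get(f)}
        if delta:
            report[cid] = delta
    return report

def sample_response(cert: bytes, mfa: str) -> str:
    # Constructed response body; every value is a placeholder, not tenant data.
    return json.dumps({"value": [{
        "id": "constructed-config-id",
        "preferredAuthenticationProtocol": "wsFed",
        "issuerUri": "https://idp.example.test/issuer",
        "passiveSignInUri": "https://idp.example.test/wsfed/passive",
        "activeSignInUri": "https://idp.example.test/wsfed/active",
        "federatedIdpMfaBehavior": mfa,
        "signingCertificate": base64.b64encode(cert).decode()}]})

# The difference below is constructed to show the report format; it is not a
# statement about what the migration changes.
BEFORE = snapshot(sample_response(b"constructed-cert-A", "acceptIfMfaDoneByFederatedIdp"))
AFTER = snapshot(sample_response(b"constructed-cert-A", "enforceMfaByFederatedIdp"))

if __name__ == "__main__":
    print(json.dumps(changed(BEFORE, AFTER), indent=2))
```

An empty report means the recorded fields are identical in both saved responses.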
Contact Okta Support
For any issues related to migration, contact Okta Support.
Related References
- Update Office 365 Applications with Provisioning to Support Microsoft Graph
- Frequently Asked Questions about Mandatory MFA Requirements for Microsoft Applications
- Validate That the Configuration to Support Microsoft Graph Is Enabled Successfully
