Make your Entra ID migration to Okta more seamless with deep links
Dan Cinnamon

Many organizations that purchase the Okta service have an existing deployment of Microsoft’s Entra ID platform that they wish to migrate from. Since this environment is highly visible throughout the organization, the migration must be carefully planned and executed to ensure a smooth transition. There are many tools available to make this process as seamless as possible, and today I want to focus on one of those: deep links!


How Deep Links Work

Entra ID is what Okta field personnel refer to as a “big bang” application, meaning it’s not possible to migrate the Entra ID service itself to Okta in a phased approach. Furthermore, depending on the number of applications that must be changed from Entra ID to Okta, there can be a transition period where some applications are using Okta for authentication, and some are using Entra ID.

The way a migration is typically done is with the following “day 1” deployment architecture:


On day 1, Entra ID is reconfigured, at the domain level, to trust Okta for its authentication (instead of its own login page). With this setup, users may still access applications as they are used to, but instead of seeing the Microsoft login page, they’ll be taken to Okta to log in.


Bookmarks: Make it seamless!

So how do users know what to do? Has an application been migrated yet? Won’t it be a disjointed experience?


The Okta dashboard with deep links will provide a single place for end users to go. They’ll have no idea (nor will they care) whether an application has been migrated to Okta or not.


For the applications still on Entra ID, the login process will first SSO the user into Entra ID, and then silently SSO the user into the end application. The user sees an extra screen redirect, but no action is required on their part.


How to add a bookmark application to the Okta dashboard

In the Okta Integration Network, search for “Bookmark App” as shown:


When you configure the bookmark app in Okta, you simply need to provide a URL. Note that this type of application is for convenience purposes only: users may still bypass a bookmark app and visit the URL directly. MFA policies must not be applied to a bookmark application. The MFA policy for the Entra ID application in Okta will still apply.


The format of the URL is:

https://myapps.microsoft.com/signin/<AppName>/<AppID>?tenantId=<TenantID>&domain_hint=<EntraID Domain Name>


AppName: The name of the application in Entra ID.


AppID: The “Application ID” of the application in Entra ID.


TenantID: The ID of your Entra ID tenant (as shown below).


EntraID Domain Name: This is your domain/email suffix. For example, if you log in to Entra using jane.doe@atko.biz, this value will be “atko.biz”.
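
One way to generate these bookmark URLs and to audit existing ones before they go on the dashboard, added here as an example and not part of the original post or of any Okta or Microsoft tooling. The function names and the sample IDs are made up; the code takes the URL layout from the format above and assumes AppID and TenantID are GUIDs, as Entra ID displays them.

```python
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

HOST = "myapps.microsoft.com"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DOMAIN_RE = re.compile(r"^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def build_deep_link(app_name, app_id, tenant_id, domain):
    """Build the bookmark URL in the format above; raise ValueError on bad input."""
    if not app_name.strip():
        raise ValueError("AppName is empty")
    for label, value in (("AppID", app_id), ("TenantID", tenant_id)):
        if not GUID_RE.match(value):
            raise ValueError(f"{label} is not a GUID: {value!r}")
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"domain_hint is not a domain name: {domain!r}")
    # Percent-encode the name so spaces, '/', '?' or '#' cannot alter the URL structure.
    path = f"/signin/{quote(app_name, safe='')}/{app_id}"
    query = urlencode({"tenantId": tenant_id, "domain_hint": domain})
    return f"https://{HOST}{path}?{query}"

def audit_deep_link(url, expected_tenant, expected_domain):
    """Return the problems found in an existing bookmark URL (empty list = OK)."""
    parts = urlsplit(url)
    problems = []
    # Compare the whole authority, so lookalike hosts, userinfo and ports are rejected.
    if parts.scheme != "https" or parts.netloc.lower() != HOST:
        problems.append("not an https://myapps.microsoft.com link")
    segs = parts.path.split("/")
    if len(segs) != 4 or segs[1] != "signin" or not GUID_RE.match(segs[3]):
        problems.append("path is not /signin/<AppName>/<AppID>")
    q = parse_qs(parts.query)
    if [t.lower() for t in q.get("tenantId", [])] != [expected_tenant.lower()]:
        problems.append("tenantId missing or not the expected tenant")
    if [d.lower() for d in q.get("domain_hint", [])] != [expected_domain.lower()]:
        problems.append("domain_hint missing or not the expected domain")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real tenant or application IDs.
    app_id = "11111111-2222-3333-4444-555555555555"
    tenant = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    url = build_deep_link("Expense Tool", app_id, tenant, "atko.biz")
    print(url)
    print(audit_deep_link(url, tenant, "atko.biz"))
```
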



Finally, even though a bookmark app is for convenience purposes, it can still be “assigned” to users and groups within Okta, which controls whether it is shown on or hidden from the Okta dashboard.


When a given application is migrated from Entra ID to Okta, you can simply remove the bookmark app and assign the newly migrated application.


Conclusion

Migrating from Entra ID to Okta doesn’t have to be disruptive. Using bookmark apps and deep links, you can give users a smooth, unified experience even if some apps are still on Entra. It’s a simple way to make day one feel like everything’s already in Okta.

Hope you found this helpful! If you’ve tried this approach or have questions, feel free to drop a comment. I’d love to hear how others are handling this transition.
