0D50Z00008G7VOASA3 | Okta Classic Engine | Administration | Answered | 2025-08-04T09:00:34.000Z | 2018-03-04T23:00:25.000Z | 2020-01-09T23:25:07.000Z
Azure AD Direct Integration
Is there currently a way to directly connect Okta directory to our Azure AD implementation without having to spin up a separate VM that simply provides the AD Connector? We only have Azure AD, and are managing Windows 10 clients that directly connect to Azure AD without the need for an on-prem AD server.

 

We were hoping to directly connect our Azure AD with Okta without the extra server, but I haven't found any documentation anywhere that would allow that. Does anyone have any ideas?

  • g3aea (g3aea)

    Hi Mike, I believe what you are asking is the same/similar to what we are looking for as well. We have On-Prem AD, and have the Azure AD Connect (just a shrink wrapped version of MIIS>ADFS) server already working. But the part we are stuck on is that OKTA must support "MEX" endpoint settings which are arcane to Microsoft (https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup). This is basically the same point you are looking for: "How To" join (Windows 10) devices via Azure AD though you are not using ADFS; you, like us, are using OKTA.

     

    The note from OKTA Support is as follows:

     

    "the integration that is in discussion cannot be implemented for the moment as Okta's  /MEX endpoint does not hold the WS-Trust info needed for domain join devices. But we do have an open feature request, which is being tracked on REQ-12896. Although I do not have an ETA, I have added your company to the list of interested customers."

     

    So, if this is the same/similar as I believe, please do log a new OKTA Support Case, link this forum topic, and info above, so they can add your "Org's" name to the REQ-12896.  This will help us all.

  • xdjsc (xdjsc)

    Got an update on this yet? We are looking to onboard our EU partners who are already up and running in Azure with no on prem and get them running with OKTA. Our US companies are using on prem AD and Dirsync and IWA, which someday soon I'd like to get away from.
  • rgxrj (rgxrj)

    Bumping this thread for a good cause. The lack of support is making me question our renewal in November.
  • xawd7 (xawd7)

    Hi, just wondering if you mean to use Azure AD as a master (Azure AD -> Okta) or Okta as master (Okta -> Azure AD)? In either case you can integrate Azure AD with Okta. Okta refers to this app as 'Office 365' as opposed to something more suitable like 'Microsoft Azure AD' or Microsoft Cloud/365 etc. If you connect the Office 365 app you can use it to license a number of services - the integration should pull in the licenses defined for your tenant.

  • xawd7 (xawd7)

    When configuring the API integration it will read all the licenses and service plans assigned to your tenant and allow you to assign those as part of provisioning. Using User profile sync it will allow for most attributes I believe.

  • fuui6 (fuui6)

    Having the ability to establish Hybrid AD Join is crucial in order for conditional access policies to respect Access Control settings on domain joined machines. Microsoft says that we should follow the instructions of the vendor (Okta) to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX). We've had this need for over a year now. When can we expect an update?

This question is closed.
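
The replies above turn on whether an identity provider's MEX document publishes WS-Trust 1.3 or 2005 endpoints. As an added example (not from the thread, Okta or Microsoft), this Python check lists the WS-Trust endpoints a MEX document declares; the sample document, the idp.example.com URLs and the function name are constructed, and it assumes the endpoints are declared as SOAP 1.2 bindings in a WSDL 1.1 document.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/"}
# WS-Trust namespaces; a binding's soapAction begins with one of them.
WS_TRUST = {
    "http://docs.oasis-open.org/ws-sx/ws-trust/200512": "1.3",
    "http://schemas.xmlsoap.org/ws/2005/02/trust": "2005",
}

# Constructed sample: a trimmed MEX (WSDL 1.1) document for a hypothetical IdP.
SAMPLE_MEX = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="urn:example">
  <wsdl:binding name="Trust13"><wsdl:operation name="Issue">
    <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/>
  </wsdl:operation></wsdl:binding>
  <wsdl:binding name="Trust2005"><wsdl:operation name="Issue">
    <soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue"/>
  </wsdl:operation></wsdl:binding>
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="p13" binding="tns:Trust13">
      <soap12:address location="https://idp.example.com/ws-trust/13"/></wsdl:port>
    <wsdl:port name="p2005" binding="tns:Trust2005">
      <soap12:address location="https://idp.example.com/ws-trust/2005"/></wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

def ws_trust_endpoints(mex_xml):
    """Return {WS-Trust version: [endpoint URLs]} published in a MEX document."""
    # For a document fetched from a third party, parse with a hardened XML parser.
    root = ET.fromstring(mex_xml)
    versions = {}  # binding name -> WS-Trust version, taken from its soapAction
    for binding in root.findall("wsdl:binding", NS):
        for op in binding.findall("wsdl:operation/soap12:operation", NS):
            action = op.get("soapAction", "")
            for ns, ver in WS_TRUST.items():
                if action.startswith(ns + "/"):
                    versions[binding.get("name")] = ver
    found = {"1.3": [], "2005": []}
    for port in root.findall("wsdl:service/wsdl:port", NS):
        name = port.get("binding", "").split(":")[-1]  # drop the "tns:" prefix
        addr = port.find("soap12:address", NS)
        if name in versions and addr is not None:
            found[versions[name]].append(addr.get("location"))
    return found

if __name__ == "__main__":
    print(ws_trust_endpoints(SAMPLE_MEX))
```

Empty lists for both versions correspond to the situation quoted from Okta Support, where the MEX document carries no WS-Trust information.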