
JamesN.83470 (Customer) asked a question.
Hi there,
We are utilizing Okta for authentication for Office 365. However, user management occurs via Microsoft's directory sync tool between Active Directory and Azure AD (Azure AD Connect). We would like to get rid of the Azure AD Connect server and utilize Okta instead. It seems that Okta uses the immutableID to link the user to a 365 account.
Is there any impact or ramification to making this switch, any gotchas? Is it even possible? I can't find specific documentation from Okta, so I wanted to make sure it was even supported before heading down that path.
Thanks!

I don't know of any gotchas we came across when we made the switch, but I would: make sure the UPN and primary SMTP match; make sure you understand the O365 provisioning types in Okta (user, universal, etc.); look at how you are handling DLs (AADC does a MUCH better job than Okta on this); and check whether you are hiding users from the GAL/OAB when they leave (this is not built into Okta, so you need to do a custom attribute in the profile editor). This is what comes to mind right now. Let me know if you have more questions...
That is helpful, and we've now cut over. However, I'm a little confused. I assumed that I would need to disable directory synchronization for the tenant so that the Office 365 objects wouldn't consider Active Directory authoritative anymore and would allow updates from another source (Okta), but after disabling Directory Sync via PowerShell, every Okta user has a provisioning error that says the status of directory synchronization is "PendingDisabled" and must be "Activated." Do I need to re-enable (after the appropriate interval passes) for this to work?
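The two things this thread turns on, the tenant's directory sync state and the per-user UPN / primary SMTP / ImmutableId alignment from the earlier reply, can be read from the tenant before cutting over. The script below is an added example written for this page, not code from Okta or from any poster; it assumes the Microsoft Graph PowerShell SDK is installed and that the account you connect with can consent to the two read-only scopes.

```powershell
# Added example (not from the thread): read-only pre-cutover checks for the
# Okta-for-O365 provisioning switch. Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes "Organization.Read.All", "User.Read.All"

# 1. Tenant-level sync state. OnPremisesSyncEnabled is $true while Azure AD Connect
#    is authoritative; it reads $false/$null only once sync is fully off. Graph exposes
#    a boolean here, not the "PendingDisabled" wording seen in the Okta provisioning error.
$org = Get-MgOrganization -Property OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
"Directory sync enabled: $($org.OnPremisesSyncEnabled)  Last sync: $($org.OnPremisesLastSyncDateTime)"

# 2. Per-user checks: the on-prem anchor (ImmutableId) Okta uses to match a user to the
#    365 account, and whether the UPN equals the primary SMTP address (the "SMTP:" entry,
#    upper-case, in proxyAddresses; lower-case "smtp:" entries are aliases).
$users = Get-MgUser -All -Property UserPrincipalName, OnPremisesImmutableId, ProxyAddresses, AccountEnabled

$findings = foreach ($u in $users) {
    $primarySmtp = ($u.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:', ''
    $issues = @()
    if (-not $u.OnPremisesImmutableId) { $issues += 'no ImmutableId' }
    if ($primarySmtp -and $primarySmtp -ne $u.UserPrincipalName) {
        $issues += "UPN != primary SMTP ($primarySmtp)"
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            UPN     = $u.UserPrincipalName
            Enabled = $u.AccountEnabled
            Issues  = ($issues -join '; ')
        }
    }
}

# Users with no findings are omitted; anything listed needs attention before Okta
# becomes the source of truth for these accounts.
$findings | Format-Table -AutoSize
```

Run it once before disabling sync (to clean up mismatches) and again after, to confirm the tenant flag has actually flipped before enabling Okta provisioning.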
What is the master: Okta, AD or O365? If AD, did you run an AD Import? If O365, did you enable user sync and provisioning in Okta? I would open a support case with Okta so they can help in RT.
Hey Jeff,
Any more ideas on this? Okta support hasn't been a ton of help, despite this particular use case (DirSync to Okta Provisioning conversion) not being documented. I disabled Directory Synchronization via PowerShell and nothing works. If I enable it, every user throws a 400 error. I'm caught in a crossfire where Microsoft says "Okta problem" and Okta says "Microsoft problem," and nothing works.
The 365 master has always been Active Directory, using Azure AD Connect. Within Okta, our payroll system is the master. The goal is to retire the Azure AD Connect server and utilize Okta for 365 CRUD instead, in line with our other Okta applications.
James - did you ever get this sorted out? I was away for a bit so wanted to make sure...
Can you post a screenshot?