
KarenH.16388 (The Aspen Institute) asked a question.
Trying to build my change management plan to implement Okta to provision Office 365 accounts instead of Azure AD Connect. Before we disconnect from Azure AD Connect and Exchange hybrid mode, my plan is to FIRST disconnect from Azure AD Connect Agent and enable Okta O365 universal sync to provision the licensing / roles / universal directory sync BEFORE disconnecting from hybrid mode.
Current status with Office 365:
- All user, shared, disabled, and resource calendars accounts have been migrated to Office 365, BUT there are still ties / pointers between Exchange on-prem, AD, and O365/Exchange online.
- All distribution lists have been migrated to O365 / no pointers in AD.
- We are still in hybrid mode.
- We are still using Azure AD Connect Agent between on-prem and O365 to synchronize AD directories including security groups, users, shared mailboxes (disabled in AD), litigation holds of people who have left (disabled in AD), etc.
- We have implemented Okta's Office 365 app via WS-Fed.
- All new user accounts are created in AD directly, and we include primary and alias proxy addresses.
- All new groups and shared accounts are created directly in O365.
Question:
- Status re: shared accounts / departed user accounts: Azure AD Connect Agent is syncing accounts that Okta does not sync if disabled.
- Q: Since Okta does not sync locked accounts and our plan is to disconnect Azure AD Connect Agent, what happens to the locked accounts tied to the Azure AD Connect Agent, Exchange on-prem, O365/Exchange on-prem, and Okta?
I would like to speak directly to an Okta Community member as I'm not getting a clear picture on next steps based on Okta's documentation, multiple discussions with Okta, etc.
Please contact me directly:
Email: Karen.Huffman@aspeninstitute.org
Cell: 301-539-9217
Thank you, Karen
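The accounts the question is about are the ones Azure AD Connect keeps synchronizing even though they are disabled in AD (shared mailboxes, litigation-hold mailboxes of departed users), which an Okta AD import will not provision while they stay disabled. The script below is an added example, not code from the original post or from Okta, that builds an inventory of exactly those objects so each one gets an explicit decision before the sync agent is switched off. It assumes the ActiveDirectory and ExchangeOnlineManagement modules are installed, read access to both on-prem AD and Exchange Online, that UserPrincipalName is the join key between the two directories, and a placeholder report path.

```powershell
# Added example (not from the original thread): list AD-disabled accounts that Azure AD
# Connect is still synchronizing and that own an Exchange Online mailbox.
# Assumptions: ActiveDirectory + ExchangeOnlineManagement modules, read access to both
# directories, UPN as the join key, placeholder output path.

#Requires -Modules ActiveDirectory, ExchangeOnlineManagement

$ReportPath = 'C:\Temp\disabled-synced-mailboxes.csv'   # placeholder path

Connect-ExchangeOnline -ShowBanner:$false

# 1. Every disabled on-prem AD user that still carries a mail attribute.
$disabledAd = Get-ADUser -Filter 'Enabled -eq $false -and mail -like "*"' `
    -Properties mail, proxyAddresses, whenChanged |
    Select-Object SamAccountName, UserPrincipalName, mail, whenChanged

# 2. Every Exchange Online mailbox with the properties that matter for the cut-over.
$exoMailboxes = Get-Mailbox -ResultSize Unlimited |
    Select-Object UserPrincipalName, PrimarySmtpAddress, RecipientTypeDetails,
                  IsDirSynced, LitigationHoldEnabled

# Index mailboxes by lower-cased UPN so the join is a hash lookup, not nested loops.
$mailboxByUpn = @{}
foreach ($mbx in $exoMailboxes) {
    if ($mbx.UserPrincipalName) { $mailboxByUpn[$mbx.UserPrincipalName.ToLower()] = $mbx }
}

# 3. Join: disabled on-prem accounts that are still dir-synced and own a cloud mailbox.
$atRisk = foreach ($user in $disabledAd) {
    $mbx = $mailboxByUpn[$user.UserPrincipalName.ToLower()]
    if ($null -eq $mbx -or -not $mbx.IsDirSynced) { continue }

    # Departed users on hold must keep their mailbox; shared mailboxes are usually
    # candidates for conversion to cloud-only objects. Tag which decision each row needs.
    if ($mbx.LitigationHoldEnabled) {
        $action = 'Retain: litigation hold'
    } elseif ($mbx.RecipientTypeDetails -eq 'SharedMailbox') {
        $action = 'Review: shared mailbox'
    } else {
        $action = 'Review: disabled user mailbox'
    }

    [pscustomobject]@{
        SamAccountName        = $user.SamAccountName
        UserPrincipalName     = $user.UserPrincipalName
        PrimarySmtpAddress    = $mbx.PrimarySmtpAddress
        MailboxType           = $mbx.RecipientTypeDetails   # SharedMailbox, UserMailbox, ...
        LitigationHoldEnabled = $mbx.LitigationHoldEnabled
        LastChangedInAD       = $user.whenChanged
        Action                = $action
    }
}

# Full list to CSV for the change-management plan, plus a per-type count on screen.
$atRisk | Sort-Object MailboxType, UserPrincipalName |
    Export-Csv -Path $ReportPath -NoTypeInformation
$atRisk | Group-Object MailboxType | Select-Object Name, Count | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a workstation that can reach a domain controller and Exchange Online; the rows with `IsDirSynced` true are the ones whose source of authority is still on-prem AD and that therefore need to be either re-homed as cloud-only objects or kept under a retained sync before Azure AD Connect is removed.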

Karen,
We run many tenants using Okta and Okta provisioning with Office 365. If you want to speak, let me know and I can send you a Zoom to go over what works well, what doesn't work well and where to watch for land mines.
Jeff
That would be great, Jeff. I'm available after 12:30pm ET today ... send to karen.huffman@aspeninstitute.org. Thank you!
I wanted to provide an update on our configuration. We enabled our Okta O365 app with WS-Fed but are currently using license/role management only, since we determined Okta wasn't able to handle existing AD locked shared mailboxes and didn't see a way to disconnect them from AD without deleting them from Exchange Online.
We migrated all our users, distribution groups, and shared mailboxes to Exchange Online and plan to decommission the on-prem Exchange servers. We didn't see an ability to manage the existing AD locked shared mailboxes without the AAD Connect agent. We completed steps 1-6 to uninstall the Exchange hybrid connection (see "Common scenarios > Scenario one > To disable directory synchronization and uninstall Exchange hybrid", https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange#common-scenarios), but we are still using the AAD Connect agent since we have a large number of shared mailboxes.