
emomo (emomo) asked a question.
- I have users in Domain.OLD and they are provisioned in OKTA. AD is my source of truth.
- I have an O365 tenant where my Domain.OLD users are connected via AADCONNECT. That means the immutable IDs in O365 match my users in Domain.OLD.
- I have the O365 app in OKTA using SWA.
- I also have the same users in Domain.New and they are provisioned in OKTA. AD is my source of truth.
- Domain.OLD is the *1 Master profile and Domain.New is the *2 Master profile.
Domain.Old must go away, so I am doing an AD migration, using the ADMT tool, of users and computers from Domain.Old to Domain.New. This is working fine in AD.
Here is my problem.
I want to federate O365 with Domain.New. The External IDs (ObjectGUID) for the users in Domain.New in OKTA do not match the immutable IDs in O365.
I have two questions.
- How do I connect my Domain.New users in OKTA to the existing O365 accounts that were connected to Domain.Old?
- We are migrating from Domain.Old to Domain.New one user at a time because of the profiles on the workstations. Is it possible to migrate one user from Domain.Old in OKTA to Domain.New using federated O365? Mind you, not all of the users in Domain.Old have migrated, so they will need to access O365 while the Domain.New users also access it using federation. Is this at all possible?
Thanks all for the answers.

It looks like you are getting rid of AADC and possibly provisioning accounts with Okta.
Assuming that your new domain matches the Okta account that was provisioned by the old domain:
- You can map the immutable ID (ObjectGUID) from OLD to a custom attribute in Okta.
- Create a new O365 app that is SSO enabled, and map the custom attribute to the ImmutableID in the O365 app (Okta to O365).
- You will need to adjust the mapping and update it accordingly when you switch over to the new domain (areas you may need to look into: Okta provisioning to O365, conditional statements for users with an existing ImmutableID based on AD vs. an ImmutableID based on the Okta ID, and possibly attribute-level mastering).
If you plan on using AADC in the new domain:
- Export the ObjectGUID from your old domain and copy the value to mS-DS-ConsistencyGuid in the new domain.
- You can configure AADC in the new domain to use mS-DS-ConsistencyGuid. You will need to configure the rules to use mS-DS-ConsistencyGuid. New users will not have a value for mS-DS-ConsistencyGuid initially, so you will configure AADC to update mS-DS-ConsistencyGuid with the current ObjectGUID.
- Create a new profile attribute in Okta to hold the Immutable ID.
- Update the mapping for O365 with the attribute that holds the ImmutableID.
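The AADC branch of the answer above comes down to one per-user step: take the ObjectGUID of the Domain.OLD account (whose Base64 form is the ImmutableID already stored in O365), write those 16 bytes into mS-DS-ConsistencyGuid on the migrated Domain.New account, and confirm the result matches the cloud object before cutting that user over. ADMT migrates sIDHistory, not ObjectGUID, so the Domain.New account gets a fresh GUID and this copy is what keeps AADC (and Okta, once the attribute is mapped) pointed at the existing mailbox. The script below is an added example written for this thread, not code from the original post or from Okta or Microsoft. It assumes the RSAT ActiveDirectory module, read access to Domain.OLD and write access to Domain.New, the MSOnline module for the cloud-side check, and that the user keeps the same sAMAccountName in both domains; the domain names and user names are placeholders.

```powershell
# Added example: copy the Domain.OLD ObjectGUID into Domain.New mS-DS-ConsistencyGuid
# and verify it against the ImmutableID already in O365 (names below are placeholders).
Import-Module ActiveDirectory

$OldDomain = 'domain.old'   # placeholder: a DC or domain name for Domain.OLD
$NewDomain = 'domain.new'   # placeholder: a DC or domain name for Domain.New

function ConvertTo-ImmutableId {
    # Azure AD's ImmutableID is the Base64 form of the 16 GUID bytes as AD stores them.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Copy-SourceAnchor {
    # Stamp the OLD ObjectGUID onto the NEW account. Refuses to overwrite an
    # existing value, because changing a source anchor later breaks the match.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $old = Get-ADUser -Identity $SamAccountName -Server $OldDomain -Properties ObjectGUID
    $new = Get-ADUser -Identity $SamAccountName -Server $NewDomain -Properties 'mS-DS-ConsistencyGuid'

    if ($null -ne $new.'mS-DS-ConsistencyGuid') {
        $existing = [System.Convert]::ToBase64String([byte[]]$new.'mS-DS-ConsistencyGuid')
        Write-Warning "$SamAccountName already has mS-DS-ConsistencyGuid ($existing); leaving it alone."
        return
    }

    Set-ADUser -Identity $new -Server $NewDomain -Replace @{
        'mS-DS-ConsistencyGuid' = $old.ObjectGUID.ToByteArray()
    }

    [pscustomobject]@{
        User          = $SamAccountName
        OldObjectGuid = $old.ObjectGUID
        ImmutableId   = ConvertTo-ImmutableId $old.ObjectGUID
    }
}

function Test-ImmutableIdMatch {
    # Compare the value we intend to use with what the cloud object already carries.
    # Requires Connect-MsolService to have been run in this session.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][guid]$ObjectGuid
    )
    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $cloud.ImmutableId -eq (ConvertTo-ImmutableId $ObjectGuid)
}

# Per-user migration flow (placeholder user):
$result = Copy-SourceAnchor -SamAccountName 'jdoe'
if ($result) {
    if (Test-ImmutableIdMatch -UserPrincipalName 'jdoe@example.com' -ObjectGuid $result.OldObjectGuid) {
        Write-Output "jdoe: mS-DS-ConsistencyGuid set and matches O365 ImmutableID $($result.ImmutableId)"
    } else {
        Write-Warning "jdoe: cloud ImmutableID does not match the Domain.OLD ObjectGUID; investigate before cutover"
    }
}
```

Run this one user at a time alongside the ADMT move, since the thread is migrating per workstation anyway. For the Okta side, the same Base64 string returned in `ImmutableId` is the value to place in the custom profile attribute that the answer suggests mapping to the O365 app's ImmutableID. AADC should be switched to mS-DS-ConsistencyGuid as the source anchor before the first migrated user is synced from Domain.New, and the `Write-Warning` branches are the points where a mismatch would otherwise surface as a duplicate or soft-matched cloud user.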