Okta Classic Engine | Okta Integration Network | Answered | Dates: 2024-04-16T12:12:39Z, 2021-04-01T19:53:43Z, 2021-04-04T20:38:04Z

k24fy (k24fy) asked a question.

Office 365 WS-Federation Email Relay / Scan to email problem

Hi Folks,

I'll try to explain my situation as best as possible.

We have federated our domain with Okta and set up the automated Federation, which worked perfectly. We have an on-prem AD server, synced to Okta to bring in the users, with AD Connect syncing users up into Office 365.

When a user attempts to access O365, they are redirected to Okta as expected, they log in with their AD account and hey presto, they get into 365.

The problem arises when a web server needs to send email as a user, and the scanners need to relay email for scan to email.

I have the addresses that are being used in AD, Office 365 and in Okta, and I even have a rule in Okta for them to bypass MFA. When I log into Office 365 I get in fine, without being challenged for MFA. The problem is that when the SMTP client on the scanner attempts to use the credentials of the Office 365 account, it fails to make the connection while the domain is federated. It's like the SMTP client on the scanner isn't clever enough to understand what's happening when the O365 login passes through to Okta. Everything works perfectly as soon as I remove Federation from the domain and put things back to normal, but then they are not secured for MFA with Okta.

Has anyone come up against this before? Has anyone a solution to allowing the scanners / web servers to send email through a federated domain?

Any help appreciated.


• User15840126892072011556 (Vendor Management)

  The most common workaround for this would be creating a Service Account on the Microsoft Office 365 side with the .onmicrosoft domain name. In this way, you make sure that the .onmicrosoft account will not go through Okta since the .onmicrosoft domain cannot be federated and this account will be using Legacy Authentication protocol without any issues.

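The workaround described in the answer above, written out as an added example (not from the thread or from Okta/Microsoft): it confirms which domains are federated, creates the relay account on the tenant's initial .onmicrosoft.com domain, and enables SMTP AUTH for that one mailbox only. It assumes the Microsoft Graph PowerShell SDK and Exchange Online PowerShell modules, an admin session, and the account name svc-scan and licence SKU placeholder are assumptions.

```powershell
# Added example, not code from the original thread. Assumes Microsoft Graph
# PowerShell SDK + Exchange Online PowerShell; svc-scan and the SKU GUID are
# placeholders chosen for illustration.
Connect-MgGraph -Scopes "Domain.Read.All", "User.ReadWrite.All"
Connect-ExchangeOnline

# 1. Show which domains are federated (sign-ins routed to Okta) and find the
#    initial .onmicrosoft.com domain, which cannot be federated.
$domains = Get-MgDomain
$domains | Select-Object Id, AuthenticationType, IsInitial | Format-Table
$initial = $domains | Where-Object { $_.IsInitial }
if (-not $initial) { throw "No initial .onmicrosoft.com domain found" }

# 2. Create the relay account on that domain. SMTP AUTH is a password-only
#    legacy protocol, so the password must be generated, long and unique,
#    and live only in the scanner/web server configuration.
$upn = "svc-scan@$($initial.Id)"
$secure = Read-Host -AsSecureString "Password for $upn"
$plain = [System.Net.NetworkCredential]::new("", $secure).Password
New-MgUser -UserPrincipalName $upn -DisplayName "Scan to Email Relay" `
    -MailNickname "svc-scan" -AccountEnabled:$true `
    -PasswordProfile @{ Password = $plain; ForceChangePasswordNextSignIn = $false }

# 3. A mailbox needs a licence; usage location must be set before assigning it.
#    The SKU GUID is tenant specific: look it up with Get-MgSubscribedSku.
Update-MgUser -UserId $upn -UsageLocation "US"
Set-MgUserLicense -UserId $upn `
    -AddLicenses @{ SkuId = "<EXCHANGE-ONLINE-SKU-GUID>" } -RemoveLicenses @()

# 4. Once the mailbox has provisioned (can take a few minutes), allow SMTP AUTH
#    for this mailbox only. The per-mailbox setting overrides a tenant-wide
#    Set-TransportConfig -SmtpClientAuthenticationDisabled $true, so every
#    other user keeps legacy auth switched off.
Set-CASMailbox -Identity $upn -SmtpClientAuthenticationDisabled $false
Get-CASMailbox -Identity $upn |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
```

Point the scanner at smtp.office365.com:587 with STARTTLS and the svc-scan credentials; because the account's domain is not federated, Exchange Online validates the password itself and the Okta WS-Federation redirect never occurs.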
This question is closed.