EdS.87983 (Customer) asked a question.
Hi everyone,
In a sandbox environment I've just set up WS-Federation between Okta and M365, prior to rolling it out for the whole company. The process was relatively painless however when trying to sign in as a test user I received error AADSTS51004 - this was rectified by setting the user's ImmutableID in AzureAD to the same as the immutableID recorded against the account profile in Okta.
In both live and test environments we are fully AAD, no hybrid on-prem AD.
Planning ahead, I then checked my live environment and I note that the immutableID in Okta does not correspond to the immutableID in AAD. This suggests I can expect the same problems with a live rollout as I've had with my test accounts.
What should I have configured to keep those IDs in sync, and is there a way to use Okta to overwrite them prior to switching to WS-federation?
Thanks,
Hi Ed,
Have you thought about running an import of those Users from M365 to OKTA?
I suggest you to try out first on your test environment to understand the impacts.
If I'm not mistaken, in case you don't have 100% of users match during this import M365-->OKTA, the non-matching user objects will be set "soft-deleted" on M365 side.
Best Regards,
Mauricio Borelli
Hi Ed,
We have the same setup and I'm having the same AADST results (we have never had an on-prem AD). Wondering if you would mind sharing how you overcame this problem. Been back and forth with okta support for over a month without resolution.
Thanks,
Bryan