
5a565 (5a565) asked a question.
We have O365 configured with Okta WS-Federation (Automatic), there are no issues and everything is working as expected.
I understand that the O365 Global Admin account is required during the initial configuration of the tenant, but once the configuration is completed does that account require the Global Admin role? We configure accounts into O365 via Azure AD Sync. The Global Admin account that was used to configure O365 does not show any recent logins to the tenant.
We would like to remove the Global Admin role from the account and block sign-in if it is not required during normal run-time of the Okta/O365 connection.

Hello @5a565 (5a565),
Thanks for posting.
Microsoft requires you as an admin to provide consent to allow Okta to access users and data in your Microsoft tenant. By granting consent, you allow Okta to access the Microsoft Graph API on your behalf and use the information provided by Microsoft Office 365.
Please check the following links for more information:
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator--company-administrator
https://support.okta.com/help/s/article/What-is-the-corresponding-role-in-Okta-for-the-Global-Administrator-Role-for-Office-365?language=en_US
https://help.okta.com/en/prod/Content/Topics/Apps/Apps_O365_Admin_Consent.htm
Regards,
Natalia
Okta Inc.
I understand that and I have read the documents, but once the Okta WS-Federation setup has been completed what is the admin account used for?
WS-Federation doesn't require that Okta has a sign-in for the O365 tenant in order for a user to authenticate to O365. The Global Admin account that was created for Okta shows no sign-in attempts for the last 30 days, so my question remains the same:
What is the Global Admin account used for once the configuration is completed?
Having an O365 Global Admin account sat in O365 with no MFA or any other access controls is incredibly risky and bordering on negligent. If the account has no purpose once the configuration is complete, then the sign-in should be blocked and the admin role removed.
What is the workaround to protect my 365 environment? I may not use Okta at all for 365 authentication if this is the case!
In case anyone is interested, the Okta service account is safe to remove from the tenant IF you are not using it for provisioning from Okta (if you are using AAD Sync for instance).
If you are using Okta O365 provisioning, then I don't know what the answer is.
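The review the thread asks for, as an added example that is not part of any post above: list every user holding the Global Administrator role, flag the ones with no sign-in inside a chosen window, and (only when explicitly asked) block sign-in for the stale ones. It assumes the Microsoft.Graph PowerShell SDK, the listed Graph permissions, and a tenant licence that exposes signInActivity; the 30-day window and the Enforce switch are this example's own choices.

```powershell
# Added example, not from this thread: report Global Administrators that have
# not signed in for $StaleAfterDays days so a leftover setup account (such as
# the one created for the Okta integration) can be reviewed before its role is
# removed and its sign-in is blocked.
# Assumes the Microsoft.Graph SDK; signInActivity needs an Azure AD Premium
# licence and the AuditLog.Read.All permission.
param(
    [int]$StaleAfterDays = 30,
    [switch]$Enforce   # off by default: report only, change nothing
)

Connect-MgGraph -Scopes "Directory.Read.All","AuditLog.Read.All","User.ReadWrite.All"

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# Only activated directory roles are returned; match Global Administrator by name.
$gaRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }
if (-not $gaRole) { throw "Global Administrator role is not activated in this tenant" }

$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) {
    # Skip groups and service principals; only user accounts carry sign-in activity.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,AccountEnabled,SignInActivity
    $last = $user.SignInActivity.LastSignInDateTime   # $null when the account never signed in

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        AccountEnabled    = $user.AccountEnabled
        LastSignIn        = $last
        Stale             = ($null -eq $last) -or ($last -lt $cutoff)
    }
}

$report | Sort-Object LastSignIn | Format-Table -AutoSize

if ($Enforce) {
    foreach ($entry in $report | Where-Object { $_.Stale -and $_.AccountEnabled }) {
        # Block sign-in first; removing the role is a separate step once nothing breaks.
        Write-Warning "Blocking sign-in for stale Global Administrator $($entry.UserPrincipalName)"
        Update-MgUser -UserId $entry.UserPrincipalName -AccountEnabled:$false
    }
}
```

Run it without -Enforce first and confirm that the Okta service account is the only stale entry and is not used for provisioning before blocking anything.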