Okta Classic Engine · Authentication · Answered · Asked 2022-08-23, answered 2022-08-24, last updated 2024-04-17

04wkw (04wkw) asked a question.

Simplifying Password Sync and login to 365 and on-premise active directory

I work for a company that has recently migrated email from on-premise to Microsoft Azure / 365.

During lockdown, we had allowed our users in on-premise Active Directory not to have to change their passwords; however, now that lockdown is a distant memory, a 90 day reset is required.

However, herein lies the problem...

We just have the standard 365 service, which doesn't allow self-service passwords via the website.

We also have users who:

- are still working remotely
- have several devices, including laptops, iPhones and iPads

Long story short, we are looking for a single sign-on solution for users working remotely which can handle password updates when required and sync with on-prem Active Directory. After a meeting with a sales rep, Okta's services seem to fit the bill.

However, I have questions, as the trial is somewhat lacking in our desired outcome.

1) With a fully integrated SSO and Active Directory sync service, how will users on an iPhone, for example, be affected? I.e. what are the prerequisites for existing iPhone users who use the built-in iOS Mail app to authenticate with their 365 account?

- Will they continue to use the built-in iPhone Mail app?
- Will they need to download Outlook?
- Will they need to access an Okta URL to initially sign in before authentication allows emails to start flowing?
- What happens when a password change is required for iPhone users? Will they be prompted to change their password?

2) For laptop users, the main apps in use are Outlook and Teams.

How will Okta affect them?

- For example, when the 90 day password change is instigated, how will they update their password when using Outlook for Windows?
- When their password is changed, how does that sync with their local Windows account?

Laptop users also need to connect to a VPN, which uses the standard built-in Windows service to connect.

When a password change is required, how will the Okta service allow them to connect to the VPN with their changed password?

(Meraki service authenticated by Active Directory account.)

(Currently, when a user's AD password is changed, users have to launch the RASPHONE dialler, which allows them to re-enter their changed VPN password.)

  • flaviu.vrinceanu (Customer Success Service Delivery)

    Hi @04wkw,

    Thank you for posting on the Okta community page!


    Regarding your first inquiry, I assume that users should be able to use the iPhone Mail app, because Okta will only handle the authentication at this part; therefore the users might be re-directed to authenticate with Okta when accessing their in-built app. My recommendation would be to check this information on the Office side as well, to be certain whether the users will have to use the Outlook app or whether they can continue to use their in-built iPhone Mail app. Additionally, once you have configured Office with Okta (WS-Fed), the users might need to authenticate to Office in order to make sure that no sync issues appear in regards to their email; but, as mentioned above, once the configuration is completed, users will be re-directed to Okta for login once they try to authenticate to your Office 365 domain.

    About the password change, you can configure Sign On policies in Okta to prompt users X days prior to their password expiring, and if the password needs to be changed (expired/password reset), once the users successfully authenticate to Okta they will be prompted with a change password page.


    For the second inquiry, users that use Office app clients will be re-directed to Okta for login when they try to authenticate to their app client; therefore it will be the same process for changing the Okta password. (Users will be re-directed to Okta if you are using WS-Fed as an SSO method.)


    In order for the VPN to allow the users to authenticate, you will have to make sure that the password is updated for users in your on-prem AD after the change of password in Okta. One flow would be for the password to be updated from Okta to Office and from Office to your on-prem Active Directory.


    Additionally, I have done some research and I have managed to find the below documentation that contains information about password synchronisation that might be helpful for your use case:


    I hope the above information is helpful!

This question is closed.