
n1xfr (n1xfr) asked a question.
Hi all,
We are currently using the Office 365 sync with WS-Federation within Okta. For security reasons we would like to defederate a few users in Okta and allow them to log in via Azure AD/Microsoft directly. Microsoft has a page for this which can be found here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-okta-federation-to-azure-active-directory.
However, in order to set up a staged rollout we need to enable password hash sync in Azure AD Connect. Azure AD cloud sync shows the current value for Password Hash Sync is: Disabled. Does anyone know how to enable this with the Okta Office 365 application?
We found an option in Okta called: "Sync Password". Will that enable password hash sync? And will it force users to recreate their passwords? From the documentation it seems like that's not the case, but I would like to be sure.

Hi, @n1xfr (n1xfr)
Thank you for posting on our Community page!
I have done some research and found this answer that better explains the use case:
In short, defederating certain users is not possible due to O365 limitations.
Hope this helps!
Thank you for reaching out to our Community and have a great day!
That answer is based on information from 2018 and has since become outdated. Staged rollouts were introduced in 2019 by Microsoft and they seem to offer defederation of certain users. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout
However, Password Hash Sync needs to be enabled in order for this to work. And with the default Okta MS 365 integration it seems to be disabled by default. Is there a way of enabling it without running the Azure AD Connect instance manually?
Hi Martijn,
Is your environment configured with Active Directory, which syncs to AzureAD via AzureAD Connect? Microsoft's documentation suggests that you may need this type of configuration:
The following scenarios are supported for Staged Rollout. The feature works only for:
You can enable Password Hash Sync via AzureAD Connect, then in Azure (reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout#pre-work-for-password-hash-sync)
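A pre-flight check for the prerequisites discussed in this thread (domain still federated, Password Hash Sync on, any existing staged rollout policy), added here as an example and not taken from the thread, Okta, or Microsoft's documentation. It assumes the Microsoft.Graph PowerShell SDK is installed and already connected with permission to read domains and policies, that it runs on the Azure AD Connect server where the ADSync module lives, and that `contoso.com` is a placeholder for your federated domain.

```powershell
# Added example: check the staged-rollout prerequisites from this thread.
# Assumptions: Connect-MgGraph has already been run with Domain.Read.All and
# Policy.Read.All; the ADSync module is present (Azure AD Connect server).
# Cmdlet and property names are ones I know from the Graph SDK and ADSync
# module; verify them against the versions installed in your environment.

function Test-StagedRolloutPrereqs {
    param(
        [Parameter(Mandatory)] [string]$Domain   # placeholder, e.g. 'contoso.com'
    )

    $result = [ordered]@{
        Domain          = $Domain
        Federated       = $null   # true if the domain still federates (e.g. to Okta via WS-Fed)
        PhsEnabled      = $null   # true if Azure AD Connect reports Password Hash Sync on
        RolloutPolicies = @()     # existing staged rollout policies, if any
        Findings        = @()
    }

    # 1. Staged rollout only applies to federated domains; confirm the domain's auth type.
    $d = Get-MgDomain -DomainId $Domain -ErrorAction Stop
    $result.Federated = ($d.AuthenticationType -eq 'Federated')
    if (-not $result.Federated) {
        $result.Findings += "Domain $Domain is already managed; nothing to defederate."
    }

    # 2. Password Hash Sync must be enabled before users can be moved to cloud auth.
    if (Get-Module -ListAvailable -Name ADSync) {
        Import-Module ADSync -ErrorAction Stop
        $feature = Get-ADSyncAADCompanyFeature
        $result.PhsEnabled = [bool]$feature.PasswordHashSync
        if (-not $result.PhsEnabled) {
            $result.Findings += 'Password Hash Sync is disabled in Azure AD Connect; enable it before starting a staged rollout.'
        }
    } else {
        $result.Findings += 'ADSync module not found; run this on the Azure AD Connect server to check PHS.'
    }

    # 3. Show any staged rollout policy that already exists, so a second one is not created blindly.
    $result.RolloutPolicies = Get-MgPolicyFeatureRolloutPolicy |
        ForEach-Object { '{0} (enabled={1})' -f $_.Feature, $_.IsEnabled }

    [pscustomobject]$result
}

# Example run (placeholder domain):
Test-StagedRolloutPrereqs -Domain 'contoso.com' | Format-List
```

Enabling PHS through this check is deliberately out of scope; it only reports the state so the change itself is made in the Azure AD Connect wizard as the referenced Microsoft page describes.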