Hello @z4uqz (z4uqz)​ Thank you for reacting out to our Community!

Unfortunately this is correct, the Manager attribute can not be synced from Okta without AD.

The Office 365 "Manager" attribute is a directoryObject attribute, which can only be updated by another directoryObject type of attribute. Okta attributes are not directoryObject types. Office 365 is limited to read Manager as an AD object and Okta only facilitates the exchange from AD to O365.

The requirements are that there is an AD integration with Okta, and there is a value populated in the user's AD profile's Manager attribute, as this is the only solution available at this time due to O365 limitation.

The Okta Community Catalysts Program is now live. Collect online badges when you participate in the Okta Help Center Questions community. Learn more here.

Community members help others by clicking Upvote or Select as Best on responses. Try it today.

Hello @z4uqz (z4uqz)​,

The correct way to do this is via Microsoft Graph API call. You can leverage Okta Workflows to accomplish this. We have a Workflow that pushes out the Manager attribute (e-mail address) each time the relative field in a user's Okta profile is updated (user.account.update_profile).

In Okta Workflows, you'll need to setup 2 Okta Workflow Connections using an "Okta Connection" and "Office 365 Admin Connection", and it would be smart to use Super/Global Admin Service Accounts in Okta and Office 365 that are never disabled because once either account is disabled or lose admin privileges, it will break the flow.

There may be a template in Okta Workflows but I used the guide available at https://www.cloudworks.no/en/articles/set-manager-in-office-365-using-okta-workflows with some modifications for our environment (we've never had a traditional on-prem Active Directory and have always been cloud-based, with Okta Universal Directory as our source of truth and Office 365 Profile Sync for our Office 365 Provisioning Type), as well as some further checks and error reporting. I've attached my flow chart for reference.

-Jermaine Edwards-Nurse

Hi, jumping on this thread as we face the same issue. I tried the Graph API but was trown the following error when using it : "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration."

We use the "universal Sync" for our Okta and O365 integration. My understanding is that we cannot update O365 accounts via Graph API since we use this option (Universal Sync). Is it correct?

Hi,

I have the exact same question as @amines.16456 (Customer)​ has, I tried it with the cloudworks solution by Graph API and get the same error Message: "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration."

We also use WS-Federation for M365 (universal sync).

Someone who can help us here?

Hi everyone, Just a quick note since my article is mentioned. 🙂

If you're in UniversalSync, then I'm afraid it still seems to be a hard limitation on this.

However, with the updated integration to GraphAPI, it is possible now to move back to ProfileSync and once there go to the add more attributes to the app user profile and the mapping table. So there is not necessarily a need to keep UserSync or UniversalSync.*

https://help.okta.com/oie/en-us/content/topics/apps/office365/references/provisioning-types.htm

*I should add that as long as the documentation above does not explicitly include these attributes Okta might not support them in case there are any problems, but we have a few customers that are using this way of working and it plays out nicely. I recommend spinning up a separate Office 365 Development tenant and try it out.