Okta Classic Engine | Lifecycle Management | Answered | 2026-03-16T09:00:23.000Z | 2024-06-25T21:47:15.000Z | 2024-09-16T19:05:29.000Z

7jv04 (7jv04) asked a question.

Mapping from Okta to Entra (aka Azure AD) user profile "Manager" attribute

Happy Tuesday all! I'm having a bit of trouble figuring out what to map to the 365/AzureAD/Entra attribute "Manager" from Okta. In my Preview environment Okta is the source that pushes profiles to on-prem and Azure AD. Presently the Manager attribute is blank when profiles are pushed from Okta. I've tried passing the managerUPN, managerDN, ObjectGUID, with and without @domain.com, etc. The more I research, the more I'm uncertain of what is needed to populate that field in Azure AD. I'm also not sure exactly what's needed to populate the Employee ID field... in fact I don't see anything in Profile Editor for 365 that looks like an "employee id" field I can map to at all.


  • Hello @7jv04 (7jv04), thank you for posting on our Community page!

     

    I would assume that you are using the Office 365 application to provision users and to map the attributes from Okta to Entra. If this is so, then using the Office application can push certain attributes but it depends on the type of Provisioning you have chosen. I have attached below a few docs from our side on how to map attributes and what attributes are accepted based on the type of provisioning used.

    https://help.okta.com/en-us/content/topics/apps/office365-deployment/provision-users.htm#2.

    https://help.okta.com/en-us/content/topics/apps/office365/references/o365_supported_user_attributes.htm

     

    Thank you for reaching out to our Community and have a great day!

    Selected as Best
  • 7jv04 (7jv04)

    Much appreciated for the reply Paul! I do have these support documents saved to my favorites folder. Provisioning type is Universal Sync and group assignment to the Office 365 app. Okta provisions to an AD on-prem integration and to Entra using the Office 365 app integration. I'm using this expression to transform the output in the mapping:

     

    String.substringBefore(String.substringAfter((hasDirectoryUser()?findDirectoryUser().managerDn:null),"CN="), ",")

    -Mapped to the O365 "Manager" attribute from Okta to App in the Office 365 Profile Editor.

    -The result is the user's manager's "Firstname Lastname" and it looks good when previewing a user.

     

    I know the Manager attribute field in Entra requires a directoryObject, so is this not the format expected? I've tried passing the data in DN format, with and without @domain.com. The mystery here is what requirement does that field in Entra have that is not being met? I'll keep going over documentation, but I feel like we're ticking all the right boxes. All other data needed is populating just fine.

      • 7jv04 (7jv04)

        Got it working!

        So for the record, the correct expression is hasDirectoryUser()?findDirectoryUser().managerDn:null

         

        I use workflows to construct the values that don't come from the HR source into Okta. Manager and ManagerDn being two of them. This seems to be working around the documented requirement that says on-prem AD needs to be the profile master.

         

        I'm still trying to fully understand why it works the way I have it, but here are some key takeaways:

         

        -You must have an on-prem AD integration

        -The manager field in Okta must be populated in on-prem AD.

        -AD does NOT have to master the profile nor the attribute IF you are constructing the manager attribute using a workflow and set the Manager attribute in the O365 app to inherit from Okta. The value must pass as a directoryObject, not a String, or Azure AD/Entra won't take it. Having the workflow pass the Manager value into Okta and from there into O365 apparently accomplishes passing the value as a directoryObject.

         

        Thanks for all your efforts Paul! I hope this example will help improve Okta documentation 🙂

         

         

         

         

         

  • 7jv04 (7jv04)

    Hi All! A couple of follow-up notes.

     

    Key things to check for if you're using Universal Sync and Okta as the source and trying to populate the "manager" field attribute in Entra ID:

     

    -Use the managerDN to map from on-prem AD to Okta (appuser.manageDN to managerDN)

    -From Okta to on-prem AD map (user.managerUpn to managerUpn)

    -Check your Group Rules. View them and check for any users that have been added to the "Except the following users" section of the rule. If you've been adding and removing users into groups during testing, they may have been automatically added to the "Except the following users" section in rules which can cause that manager field to not sync in Entra ID from the Office 365 app.

     

This question is closed.
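
The two mapping expressions quoted in the thread, emulated in Python on constructed managerDn values to show what each one hands to the Office 365 mapping. This is an added example, not code from the thread or from Okta; the substring helpers assume Apache Commons StringUtils semantics for Okta's String.substringBefore/substringAfter, and `looks_like_full_dn` is a hypothetical pre-push sanity check.

```python
# Added illustration: emulates the two expressions from the thread.
# Assumption: Okta's String.substringBefore/After behave like Apache
# Commons StringUtils (first occurrence of the separator).

def substring_after(s, sep):
    if s is None:
        return None
    i = s.find(sep)
    return "" if i < 0 else s[i + len(sep):]

def substring_before(s, sep):
    if s is None:
        return None
    i = s.find(sep)
    return s if i < 0 else s[:i]

def first_expression(manager_dn):
    # String.substringBefore(String.substringAfter(managerDn, "CN="), ",")
    return substring_before(substring_after(manager_dn, "CN="), ",")

def working_expression(manager_dn):
    # hasDirectoryUser()?findDirectoryUser().managerDn:null
    return manager_dn

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if not escaped and ch == ",":
            parts.append(cur)
            cur = ""
            continue
        cur += ch
        escaped = (ch == "\\") and not escaped
    parts.append(cur)
    return parts

def looks_like_full_dn(value):
    """Hypothetical check: a leading CN RDN plus at least one DC RDN."""
    if not value:
        return False
    rdns = [r.strip().upper() for r in split_dn(value)]
    return rdns[0].startswith("CN=") and any(r.startswith("DC=") for r in rdns)

# Constructed sample values, not taken from the thread.
SIMPLE = "CN=Jane Doe,OU=Staff,DC=example,DC=com"
ESCAPED = "CN=Doe\\, Jane,OU=Staff,DC=example,DC=com"
```

The first expression reduces the DN to a bare display name, and truncates it further when the CN contains an escaped comma; the second passes the DN through unchanged.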