Okta Classic Engine | Integrations | Answered | 2024-08-12T21:27:44.000Z | 2024-07-29T05:36:57.000Z

JasonP.78486 (Customer) asked a question.

Okta Office365 integration global admin, any way to do integration with lesser than global admin

I am trying to configure O365 so I can import users/groups from Azure AD to Okta, but my main problem is that, from my understanding, it requires global admin. Why do I need global admin when I am only doing reads?

Another question is: can I select the groups/subgroups to be imported instead of the entire groups in Azure using scheduled import, similar to integrating with the on-premises integration?


  • Hi @JasonP.78486 (Customer), thank you for reaching out to the Okta Community!

    These are valid concerns, and I can understand the need for a less privileged account type; unfortunately, this is the limitation of the current implementation.

    Some additional details can be found here:

    https://support.okta.com/help/s/article/o365-service-account-permission?language=en_US

     

    https://support.okta.com/help/s/article/What-is-the-requirement-for-the-O365-account-used-for-Provisioning?language=en_US

     

    To answer your second question, there is currently no granularity for the application group imports. The integration is not a Profile Source type one. The way I see it, Okta was meant to manage and push the data downstream to the O365 side.

    You can suggest feature enhancements on the Okta Community page by going to the Community Ideas tab. Features suggested in our community are reviewed and can be voted and commented on by other members. High popularity will increase the likelihood of it being picked up by the Product Team and it being implemented.

    More details here.

     

    I've checked and saw that there was an older request for less privileged account types to be used for the O365 integration, but unfortunately it did not get much traction, so it was closed. I still recommend opening a request; perhaps things have changed in the meantime.

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Selected as Best
  • JasonP.78486 (Customer)

    @Mihai Negoita - Okta (Okta, Inc.)

    The first link you provided, https://support.okta.com/help/s/article/o365-service-account-permission?language=en_US, says "The O365 Global Admin Account used for Authenticating Provisioning can be placed in the least privileged state as we rely on the Graph API to perform Provisioning actions". What exactly does this mean? I have tried using two accounts, one with GA and the other with non-GA (for API), and it doesn't work. Any additional details?

This question is closed.