<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z0000AH95h4CQBOkta Classic EngineOkta Integration NetworkAnswered2025-12-13T09:00:50.000Z2024-11-06T10:49:10.000Z2024-11-29T22:44:42.000Z

8gtn3 (8gtn3) asked a question.

November 6, 2024 at 10:49 AM
update Office 365 Single Sign-on Applications with Automatic Configuration to support Microsoft Graph,

In order to update Office 365 Single Sign-on Applications with Automatic Configuration to support Microsoft Graph, a Microsoft Global administrator credential with Multi-Factor Authentication enabled to update the Single Sign-On settings in Okta.

I am planning to use a Microsoft individual global admin account for this task. Once the activity is completed, we will downgrade the privileges of this account or disable it after a few months. We have a limitation on the number of Microsoft global admin accounts we can use, so will this impact the integration in the future? and service account option is not possible

  • 3 answers
  • 348 views

  • Mihai N. (Okta, Inc.)

    Hi @8gtn3 (8gtn3)​ , Thank you for reaching out to the Okta Community! 

     

    The admin permission will have to remain the same. 

    Please check this article on the subject. 

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Expand Post
    Selected as Best

  • Mihai N. (Okta, Inc.)

    Hi @8gtn3 (8gtn3)​ , Thank you for reaching out to the Okta Community! 

     

    The admin permission will have to remain the same. 

    Please check this article on the subject. 

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Expand Post
    Selected as Best

  • 8gtn3 (8gtn3)

    Thank you for your response.

    • quick query
    • The O365 Global Admin Account used for Authenticating Provisioning can be placed in the least privileged state as we rely on the Graph API to perform Provisioning actions.
      • NOTE: Please re-authenticate the API. The O365 Account Global Admin permissions must be granted again.

    so we can downgrade the permission once we are done with this activity?

     

    Expand Post

    • Mihai N. (Okta, Inc.)

      Just to clarify, we are talking about two different and independent account uses. While you could use the same admin user account for both, that is not required and the features and processes are separate and independent of each other.

      1. For SSO via WS-Federation, which is independent of the Provisioning settings.
      2. For Provisioning, which is independent of the SSO settings.

      As the article states, if you are using that Global Admin for the WS-FED SSO automatic settings - it will need to stay a Global admin to ensure proper functionality.

       

      Regards.

      --

      Help others in the community by liking or hitting Select as Best if this response helped you.

      Expand Post
This question is closed.
Loading
update Office 365 Single Sign-on Applications with Automatic Configuration to support Microsoft Graph,