Okta Identity Engine | Administration | Answered | 2025-01-08T19:59:36.000Z | 2025-01-31T16:43:53.000Z

JPH.15181 (Customer) asked a question.

Update Office 365 Single Sign-on and Provisioning App

Hi there,

 

We recently got this email about changes to our Okta account. Could I get more context on what to expect with these changes?

 

Product and Service Reminder

This notice is a final reminder that your Okta service will be impacted by an event scheduled to occur on March 30, 2025 but we recommend you take action by December 31, 2024. Okta released an original notification to impacted customers on September 16, 2024.

Notification Overview

Summary: Okta is upgrading the Office 365 Single Sign-on (WS-Fed Auto) and Provisioning integration by removing the need for an Azure administrator account and moving to a more secure and resilient OAuth-based consent authentication flow leveraging the Microsoft Graph framework. This change aligns with Microsoft’s plans to enforce MFA for administrators and deprecate Azure AD Graph and MSOnline PowerShell cmdlets. To avoid any impact, customers must migrate their Office 365 applications in Okta to leverage this new integration by December 31, 2024.

Audience: Customers who federate Office 365 with Okta using the WSFed Automatic configuration or have enabled Provisioning in the Office 365 application. Customers who federate Office 365 with Okta using Manual with PowerShell configuration, please find the guidelines here.

Important Dates to Note:

By December 31, 2024: To be proactive and secure our customers, Okta requires all customers to consent and leverage the upgraded integrations. If no action is taken, your SSO and Provisioning integration for Office 365 with Okta might be affected.

Microsoft will require Multi-Factor Authentication for any administrators signing into the Azure Ecosystem. This change will happen in two phases:

Phase 1: Starting Oct 15, enforcement for MFA at sign-in for Azure portal only will roll out gradually to all tenants. Microsoft has clearly stated this phase will not impact other Azure clients, such as Azure CLI, Azure PowerShell, and IaC tools. We do not anticipate any impact on your SSO and Provisioning integration on this date.

Phase 2: Starting in early 2025, enforcement for MFA at sign-in for Azure Command Line Interface (CLI), Azure PowerShell, and Infrastructure as Code (IaC) tools will gradually roll out to all tenants. Microsoft has no definitive date for this phase at this point.

By March 30, 2025: Microsoft will end support for deprecated MSOnline PowerShell cmdlets, which might impact your integrations with Okta.

Product and Service Notification

Okta is upgrading the Office 365 Single Sign-on (WS-Fed Auto) and Provisioning integration by moving to a more secure and resilient OAuth-based consent authentication flow leveraging the Microsoft Graph framework. To take advantage of this updated integration, Customers must follow the required actions detailed below to migrate their Office 365 applications that have been enabled Single Sign-On (WSFed Auto) or Provisioning.

Important Note: For Microsoft's Phase 1, we don’t anticipate any impact on Single Sign-On (WSFed Auto) or Provisioning for Office 365 applications on October 15, 2024. However, if your current integration with Okta uses an Azure admin account that requires login into the Azure Portal, we strongly urge customers to leverage the updated Single Sign-On (WSFed Auto) or Provisioning Office 365 integrations before October 15.

For more general info on what change is happening, please refer to this FAQ.

Dates & Impacts

Customers can migrate their Office 365 applications to a modern and secure OAuth-based consent flow leveraging the MS Graph framework as of the following dates.

September 19, 2024, if the application is configured for Single Sign-on (WSFed Auto)

September 24, 2024, if the application is configured for Provisioning

To follow best security practices, Okta strongly recommends leveraging the updated integrations with the Microsoft Graph Framework and removing the need for the Azure administrator account from Single Sign-on and Provisioning by December 31, 2024.

Recommended Actions

For Single Sign-on, Administrators need to migrate to MS Graph before updating the domain federation settings in Okta. This needs to be done for each application that uses WSFed Auto. Refer to this KB article on how to enable this update.

For Provisioning, Customers should enable consent-based authentication, eliminating the need for the Azure administrator account. This should be done for all Office 365 applications that have provisioning enabled. Refer to this KB article on how to enable this update.


This question is closed.