Okta Classic Engine · Administration · Answered · Dates on the page: 2025-03-05, 2025-03-06, 2026-04-07

ocil7 (ocil7) asked a question.

How does Okta handle users flagged risky by Entra?

To be clear, I'm not an Okta admin, but I am dealing with the Entra side of this problem, and I have no clue if Okta is properly configured in my environment.

 

We have a problem where users get flagged with user risk in Entra. Traditionally, I'd use a conditional access policy to force MFA, which would clear the risk status in Entra and dismiss the risk. However, because Okta handles identity (and it's a separate UPN on the Okta side, so users effectively have 2 accounts (one for Okta and one for Entra) as part of their "single sign on solution"), lazy admins toss the users into a group that forces MFA every time. There's no process wrapped around it. Users get broken as their risk status prevents access to something, hence the problem.

 

I'm curious how this is supposed to be handled. I had asked that Okta (which is a GA in Entra whether it's supposed to be or not) grab the user risk attribute periodically from their entra account, put the users into an MFA group automatically, and then reach back into Entra to dismiss the risk after a successful auth as well as automatically taking them out of the risky group. That seems like the logical way to handle that, but my Okta counterparts don't seem to think this is possible.

 

That said, this really doesn't seem normal or correct in the way things should be configured. I'm working with the Okta team to come up with the right solution here, but I need to understand exactly how this is supposed to work as well as possible solutions to this. Entra dynamic groups don't populate off of risk status, which is what they're asking for. I know the information is in Graph, and from the looks of it, someone connected Okta to Azure as one of Okta's GA accounts is a registered service principal.

 

Any thoughts?
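The loop the question sketches (read Entra user risk, put the user in an MFA group, dismiss the risk once a step-up actually happened, then take them out of the group) can be scripted from the Entra side with the Microsoft Graph PowerShell SDK plus Okta's REST API. The script below is an added example written for this page; it is not code from the original poster, from Okta, or from Microsoft. It assumes hypothetical values for the Okta org, API token and group IDs, assumes that the Entra `mail` attribute matches the Okta `profile.email` attribute (since the UPNs differ, per the question), and uses Okta's System Log event `user.authentication.auth_via_mfa` as the evidence that the user completed MFA after the risk was raised.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.Users
<#
  Added example (not from the original thread). Reconciles Entra ID Protection
  user risk with an Okta step-up group and dismisses the risk in Entra only
  after Okta's System Log shows a successful MFA later than the risk timestamp.

  Assumptions (hypothetical values, replace for your tenant):
    - Entra 'mail' equals Okta 'profile.email' (UPNs differ, per the question).
    - $OktaMfaGroupId is an Okta group whose sign-on policy requires MFA.
    - $EntraMfaGroupId is an Entra group targeted by a Conditional Access
      policy that requires MFA (kept in sync as a second control).
    - $OktaToken is an SSWS API token with user/group/log read and
      group-membership write rights. Graph uses delegated scopes here.
#>
param(
    [string]$OktaDomain      = 'example.okta.com',                    # hypothetical
    [string]$OktaToken       = $env:OKTA_API_TOKEN,
    [string]$OktaMfaGroupId  = '00g00000000000000000',                 # hypothetical
    [string]$EntraMfaGroupId = '00000000-0000-0000-0000-000000000000'  # hypothetical
)

$oktaHeaders = @{ Authorization = "SSWS $OktaToken"; Accept = 'application/json' }

function Get-OktaUserByEmail([string]$Email) {
    # Okta Users API: SCIM-style 'search' on the profile attribute.
    $search = [uri]::EscapeDataString("profile.email eq `"$Email`"")
    $found  = Invoke-RestMethod -Uri "https://$OktaDomain/api/v1/users?search=$search&limit=1" -Headers $oktaHeaders
    return @($found)[0]   # $null when no match
}

function Test-OktaMfaSince([string]$OktaUserId, [datetime]$Since) {
    # Okta System Log: one successful MFA event for this actor after $Since is enough.
    $sinceUtc = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter   = [uri]::EscapeDataString(
        "eventType eq `"user.authentication.auth_via_mfa`" and actor.id eq `"$OktaUserId`" and outcome.result eq `"SUCCESS`"")
    $events = Invoke-RestMethod -Uri "https://$OktaDomain/api/v1/logs?since=$sinceUtc&filter=$filter&limit=1" -Headers $oktaHeaders
    return (@($events).Count -gt 0)
}

function Set-OktaGroupMembership([string]$OktaUserId, [bool]$Member) {
    # PUT adds (idempotent), DELETE removes; a DELETE for a non-member returns 404, which we ignore.
    $uri = "https://$OktaDomain/api/v1/groups/$OktaMfaGroupId/users/$OktaUserId"
    try { Invoke-RestMethod -Method ($(if ($Member) { 'Put' } else { 'Delete' })) -Uri $uri -Headers $oktaHeaders | Out-Null }
    catch { if (-not ($Member -eq $false -and $_.Exception.Message -match '404')) { throw } }
}

Connect-MgGraph -Scopes 'IdentityRiskyUser.ReadWrite.All', 'GroupMember.ReadWrite.All', 'User.Read.All' -NoWelcome

# Only 'atRisk' users. 'confirmedCompromised' is an analyst decision and must not be auto-dismissed.
$riskyUsers   = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All
$entraMembers = @{}
Get-MgGroupMember -GroupId $EntraMfaGroupId -All | ForEach-Object { $entraMembers[$_.Id] = $true }

foreach ($ru in $riskyUsers) {
    if (-not $ru.RiskLastUpdatedDateTime) { continue }   # no timestamp to compare an MFA event against
    $mail     = (Get-MgUser -UserId $ru.Id -Property Mail).Mail
    $oktaUser = if ($mail) { Get-OktaUserByEmail -Email $mail }
    if (-not $oktaUser) { Write-Warning "No Okta user matched for $($ru.UserPrincipalName)"; continue }

    if (Test-OktaMfaSince -OktaUserId $oktaUser.id -Since $ru.RiskLastUpdatedDateTime) {
        # Step-up occurred after the risk was raised: dismiss in Entra and leave both MFA groups.
        Invoke-MgDismissRiskyUser -UserIds @($ru.Id)
        Set-OktaGroupMembership -OktaUserId $oktaUser.id -Member $false
        if ($entraMembers[$ru.Id]) { Remove-MgGroupMemberByRef -GroupId $EntraMfaGroupId -DirectoryObjectId $ru.Id }
        Write-Host "Remediated $($ru.UserPrincipalName) (MFA seen in Okta after $($ru.RiskLastUpdatedDateTime))"
    } else {
        # No step-up yet: make sure the user is in both MFA groups and wait for the next run.
        Set-OktaGroupMembership -OktaUserId $oktaUser.id -Member $true
        if (-not $entraMembers[$ru.Id]) { New-MgGroupMember -GroupId $EntraMfaGroupId -DirectoryObjectId $ru.Id }
        Write-Host "Step-up pending for $($ru.UserPrincipalName) (risk $($ru.RiskLevel))"
    }
}
```

Run it on a schedule (the Graph `riskyUsers` collection is a poll, not a push). Two points worth keeping in view: the dismissal is gated on an MFA event that is newer than `riskLastUpdatedDateTime`, so a user who has simply sat in the MFA group without signing in stays flagged, which is the process the question says is missing; and the script deliberately never touches `confirmedCompromised` users, because dismissing those programmatically would undo an explicit analyst decision. The Graph call needs the `IdentityRiskyUser.ReadWrite.All` permission, and the Okta token needs read access to the System Log, so scope both credentials to exactly that rather than reusing a Global Administrator identity.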


  • Hello @ocil7 (ocil7), thank you for posting on our Community page!

     

    From an Okta perspective, I do not think there is an option to take the user's Risk status and automatically place them in a group. However, maybe you could use Group Push: once a user is added to the Microsoft application in Okta, also add them to the pushed group, which will place the users in a group in Azure that will clear the risk status.

    You could also open a case with Support to further explore options and see if there are any additional options to resolve this.

     

    Thank you for reaching out to our Community and have a great day!

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

  • ocil7 (ocil7)

    Just making sure I understand this... Group push can force an auth check and then clear the status when a user authenticates? Or does it just clear the status? I can clear them via PowerShell, but I'd like to automate this when Azure flags them as risky.

    • Hi @ocil7 (ocil7), no, Group Push just pushes the group membership for a user. I was under the impression that if a user is part of a group, then that will help.

      If a forced authentication is needed to clear the status, then from Okta there is not much we can do, as we cannot force authentication.

       

      Thank you for reaching out to our Community and have a great day!

      --

      Help others in the community by liking or hitting Select as Best if this response helped you.

This question is closed.