
CommunityI.88681 (Customer) asked a question.
Our staff is using Okta for SSO to sign into lots of applications including Microsoft 365. A few months ago, one of our staff [REDACTED by moderator] logged into Okta and all applications worked except for Microsoft 365. This staff person works from home almost exclusively.
We found out that the ImmutableID did not match between the on-prem AD and Microsoft 365 Entra directory. We further found that we could fix this by setting the ImmutableID in Microsoft 365 to match the on-prem AD.
This worked for a couple of months until she came into the office. On that day, the ImmutableID changed in Microsoft 365 again, reverting to the incorrect ImmutableID we saw last time. She wasn't able to open Microsoft 365 apps. We changed it again and she was OK again. We're not sure why coming into the office triggered this.
Today she changed her password in Active Directory and for some reason this triggered the Entra ImmutableID again to change. She was able to sign into Okta but got the same error from Microsoft 365 indicating that it couldn't find the user account. We made the change to the Entra user object and again it's fixed.
We're not sure what's triggering this. Is there anything in Okta that would do this periodically? Again, this is only happening for one person. We found the below article that mentions ImmutableID. We don't want to make the change listed here because it seems to affect everyone, not just one user. Is there something that would only affect one account?
Handling Immutable ID Issues in Okta for Microsoft 365 Assignments
If possible, a phone call would be appreciated rather than just a reply here. Thanks.
[REDACTED by moderator. ]

Hi @CommunityI.88681 (Customer), thank you for reaching out to the Okta Community!
If you have a paid production account with us, please leverage it to open a case (SuperAdmin/Case admin permission required) via the support.okta.com site or call the support line (800) 219-0964 (Customer Support Account ID number required) so our colleagues can investigate and assist.
If for whatever reason those options are not available for you, please contact your Okta Account Executive or Customer Success Manager, and they will be able to engage the Support team on your behalf.
The Support Team will be able to access additional tools and resources to help you get to the bottom of it.
Regards.
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Collect them all. Learn a new skill and earn a new Okta Learning badge.
@CommunityI.88681 (Customer) Quick follow-up on this. I've looked into similar issues being reported and one seemed to match your description. I'll provide the steps below, but I would still strongly recommend discussing the issue with the Support Team so they can review your configuration before deciding the next actions.
Approach that helped address the issue:
1. Disable the universal sync from Okta to O365.
2. Disable the Azure Entra ID sync (turning off dirSync) to force all accounts to return to cloud-only.
3. Edit the immutable IDs in Azure, since they will no longer be on-prem synced through Okta.
4. Then turn the Entra ID sync back on so all accounts link up correctly.
Regards.
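Before editing the value in step 3, it helps to know exactly which Base64 string Entra ID should hold. This is an added example, not code from the thread or from Okta: it assumes the desired anchor is the Entra Connect default, the Base64 encoding of the on-prem AD objectGUID's 16 raw bytes (the mixed-endian layout .NET's Guid.ToByteArray() produces, which Python exposes as UUID.bytes_le), and it compares that expected value with whatever Entra currently reports so a drifted account can be spotted before it is corrected.

```python
import base64
import uuid


def immutable_id_from_guid(guid_str: str) -> str:
    """Compute the ImmutableID Entra ID expects for an AD objectGUID.

    Entra Connect's default sourceAnchor is Base64(objectGUID bytes); the
    byte order is the .NET Guid.ToByteArray() layout, i.e. UUID.bytes_le.
    """
    return base64.b64encode(uuid.UUID(guid_str).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse the mapping so a stray Entra value can be traced to a GUID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def check_anchor(ad_object_guid: str, entra_immutable_id: str) -> dict:
    """Compare the anchor derived from AD with the value Entra holds now."""
    expected = immutable_id_from_guid(ad_object_guid)
    result = {
        "expected": expected,
        "actual": entra_immutable_id,
        "match": expected == entra_immutable_id,
        "actual_decodes_to_guid": None,
    }
    if not result["match"]:
        # A mismatching value that still decodes to a GUID usually points at
        # another object (or a regenerated anchor); a non-GUID value was set
        # by something that does not use objectGUID as its source anchor.
        try:
            result["actual_decodes_to_guid"] = guid_from_immutable_id(entra_immutable_id)
        except (ValueError, base64.binascii.Error):
            pass
    return result


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    ad_guid = "01020304-0506-0708-090a-0b0c0d0e0f10"
    drifted_entra_value = "AAAAAAAAAAAAAAAAAAAAAA=="
    print(check_anchor(ad_guid, drifted_entra_value))
```

Read objectGUID from Get-ADUser and OnPremisesImmutableId from Get-MgUser, feed both strings to check_anchor, and only write the "expected" value back to Entra when "match" is False.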
Thanks for the suggestion. The Okta and Entra values are the same and differ from the on-prem ID. It's not changeable on-prem (it's called ImmutableID, after all) but is changeable in Entra. How can we change it in Okta? Can we, for example, unassign the application in Okta, change it in Entra, then assign the application in Okta again? Would Okta then adopt the ImmutableID that is in Entra?