This guide walks through configuring an Okta-mastered integration of Microsoft 365 (M365) with Okta according to MSP best practices.
WARNINGS
If the customer environment includes both on-premises AD and Microsoft 365, on-premises AD must be integrated with Okta before M365. If you have not yet completed the AD integration, see the Okta-AD Integration guide before proceeding.
If M365 is the first integration for this Okta org — meaning no on-premises AD is present — and you plan to create a vanity URL or custom domain for the org, you must do this before integrating M365 with Okta. The sign-in URLs that M365 records for Okta during federation point at the org's URL, so changing the URL afterwards means redoing the federation. See Okta Help Center — Custom domains for guidance.
BEFORE YOU BEGIN
This guide assumes the target Okta org has been configured according to MSP best practices by completing the New Org Setup guide. If you have not completed the New Org Setup, do that first.
ZeroTek strongly recommends practicing these procedures in a sandbox environment before performing the integration for a customer Okta org. See Set up a Microsoft 365 sandbox environment below for instructions.
About this guide
This guide is organized into five phases. Each phase builds on the previous one. Complete them in the order listed.
1️⃣ Integration essentials
This phase covers the preparation tasks required before integrating M365 with Okta, including setting up a sandbox environment (optional), creating and securing an M365 service account, and identifying M365 service accounts that should or should not be imported into Okta.
BEST PRACTICE
Complete a full Okta-M365 integration using a sandbox environment before performing the integration for a customer Okta org. See Set up a Microsoft 365 sandbox environment for instructions on getting a free M365 sandbox.
2️⃣ Prepare M365 for Okta SSO
This phase covers preparing M365 for Okta SSO, preparing M365 users for a successful import to Okta, and configuring the Microsoft 365 integration app in Okta.
3️⃣ Import M365 users to Okta
This phase covers importing M365 users to Okta. After importing, focus your attention on two things in parallel: finishing the integration by continuing through the remaining phases, and preparing imported users for go-live by activating their Okta accounts.
4️⃣ Configure Okta for M365 user provisioning
This phase covers setting up Okta so you can create new users in Okta and push them to M365 for provisioning.
5️⃣ Configure Okta SSO for M365 and go live
This phase covers configuring Okta SSO for M365 and federating M365 with Okta using WS-Federation.
BEST PRACTICE
Going live with WS-Federation is not typically disruptive to users. ZeroTek recommends going live during business hours — if a rare issue occurs for a user, you are better positioned to discover and resolve it promptly.
🎉 Congratulations! You have successfully completed the Okta-M365 integration according to MSP best practices.
Troubleshooting and post-integration use cases
Troubleshooting
Post-integration use cases
Manage imported M365 users with Okta license-based groups — change or add an M365 license assignment for an imported user
Import previously ignored M365 users to Okta — import an account that was flagged to be ignored during the initial import
Roll back WS-Federation — undo federation, typically in test or sandbox environments, rarely required in production
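The following PowerShell script is an added example, not part of the ZeroTek guide, serving both phase 5 (verifying what M365 holds for the federated domain after go-live) and the rollback use case above. It uses the Microsoft Graph PowerShell SDK; the domain name, the assumed `Domain.ReadWrite.All` scope and the `-Rollback` switch are illustrative assumptions, and the rollback path should only be used where the guide says it belongs, in test or sandbox tenants.

```powershell
# Added example (not from the ZeroTek guide). Verifies the M365 side of an
# Okta WS-Federation setup and optionally rolls it back. Assumes the
# Microsoft.Graph.Identity.DirectoryManagement module is installed and the
# signed-in admin can consent to Domain.ReadWrite.All.
param(
    [string]$Domain = "customer.example",   # placeholder: the customer's federated domain
    [switch]$Rollback                        # test/sandbox only, per the guide's rollback guidance
)

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

# 1. The domain must exist and be verified before federation can be configured.
$d = Get-MgDomain -DomainId $Domain
if (-not $d.IsVerified) { throw "$Domain is not verified in M365; federation cannot be configured." }
"{0}: AuthenticationType={1} IsDefault={2}" -f $d.Id, $d.AuthenticationType, $d.IsDefault

# 2. If federated, show what M365 believes about the identity provider. The sign-in
#    URIs should point at the Okta org (or its custom domain, if one was configured).
$fed = Get-MgDomainFederationConfiguration -DomainId $Domain -ErrorAction SilentlyContinue
if ($fed) {
    $fed | Select-Object IssuerUri, PassiveSignInUri, ActiveSignInUri, SignOutUri,
                         PreferredAuthenticationProtocol, FederatedIdpMfaBehavior | Format-List

    # Decode the stored signing certificate so an expiring Okta signing cert is
    # noticed before it silently breaks every M365 sign-in.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($fed.SigningCertificate))
    "Signing cert: subject={0} notAfter={1:u}" -f $cert.Subject, $cert.NotAfter
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Federation signing certificate expires within 30 days"
    }
} else {
    "$Domain has no federation configuration (managed domain)."
}

# 3. Rollback: deleting the federation configuration returns the domain to managed
#    authentication. Re-read the domain afterwards to confirm.
if ($Rollback -and $fed) {
    Remove-MgDomainFederationConfiguration -DomainId $Domain -InternalDomainFederationId $fed.Id
    "{0} is now {1}" -f $Domain, (Get-MgDomain -DomainId $Domain).AuthenticationType
}
```

Run it without `-Rollback` as the post go-live check: a domain that still reports `Managed`, or a `PassiveSignInUri` that does not point at the Okta org, means the federation step did not take effect. After a rollback, users who only ever signed in through Okta have no cloud password they can use, so plan to set one for each test account before expecting them to sign in to M365 directly.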
Need help? ZeroTek Partners can email [email protected] and our team will be happy to assist.
