πŸ”·

Okta Integration Handbook

Windows Domain, Office 365, Apps, and Security

By Richard Gamarra

A working reference for connecting Okta to the rest of a hybrid environment: an on-premises Windows domain, Office 365, SaaS apps, and Azure. Covers how identity actually flows between these systems, how single sign-on and provisioning are wired up, how to enforce security policy, and what to check first when a sign-in or a sync job breaks.

38
Visible reference cards
πŸ”· Okta πŸ–₯️ Windows Domain πŸ“§ Office 365 πŸ”— SSO / SAML πŸ”„ SCIM Provisioning πŸ” Security Policy ⚑ API / PowerShell 🧭 IT Operations

🧭 Architecture & Integration Model

Okta sits in the middle as the identity provider, but it rarely replaces on-premises Active Directory outright. In most real deployments, AD stays the source of truth for user accounts, Okta becomes the single sign-on and policy layer in front of everything, and Entra ID/Office 365 stays in the picture too, usually still handling mail attributes even when Okta owns authentication.

Typical hybrid identity flow with Okta in the middle
On-prem ADSource of truth
β†’
OktaAD Agent + Universal Directory
β†’
Office 365 / Entra ID
β†’
SaaS appsSAML / OIDC / SCIM

Okta reads users and groups out of on-prem AD through the AD Agent, applies its own sign-on and MFA policy, then either federates authentication to downstream apps directly or delegates password checks back to the domain controller.

Okta versus native Entra ID, when both exist

QuestionCommon answer
Who owns the login screen the user actually seesOkta, once Office 365 and other apps are federated to it
Who still runs Conditional Access style policy for Office 365 itselfBoth can, but organizations usually pick one as authoritative to avoid conflicting session controls
Why run both at onceCommon after a merger or acquisition, or when Okta was adopted first and Entra ID/Intune arrived later for device management
What still needs Entra ID regardlessIntune device management and Exchange Online mailbox attributes still flow through Entra ID/Azure AD Connect even if Okta owns the sign-in experience

πŸ–₯️ Windows Domain Integration

Getting Okta to work with an on-premises Windows domain comes down to a small set of agents and connectors. Each one has a specific job, and most domain integration issues trace back to one of these being offline, misconfigured, or unable to reach a domain controller.

Core components

ComponentJobRuns where
Okta AD AgentImports users, groups, and org units from AD into Okta's Universal Directory; handles delegated authentication back to the domainLightweight Windows service on a domain-joined server
Okta RADIUS AgentAdds Okta MFA in front of RADIUS-based systems: VPN concentrators, network switchesWindows server with network line of sight to the RADIUS clients
Okta Windows Credential ProviderAdds Okta Verify MFA directly to the Windows login screen and RDP sessionsInstalled on the endpoint itself
Okta Desktop SSOLets a domain-joined, network-connected device skip the Okta login prompt entirely using KerberosConfigured via the AD Agent, works transparently on the LAN

Delegated authentication

With delegated authentication, Okta never stores the AD password itself. When a user signs in, Okta passes the credential check through the AD Agent to a real domain controller in real time. This means a password change on-prem takes effect at Okta instantly, with no separate sync step, and it means an AD Agent outage directly blocks sign-in for anyone still using delegated auth (Okta cannot fall back to a cached password).

Deployment checklist

1️⃣
Agent placement

Install at least two AD Agents

One agent is a single point of failure for delegated authentication. Install a second on a different domain controller or member server for redundancy.

πŸ”Œ
Connectivity

Outbound only, no inbound firewall rule needed

The AD Agent makes outbound connections to Okta's service; there's no need to open inbound ports from the internet to the domain, which keeps the domain controller's attack surface unchanged.

πŸ—‚οΈ
OU scope

Scope the agent to the right organizational units

Don't import every OU in the forest by default. Scope to the OUs that actually contain real user accounts, service accounts and disabled accounts don't belong in Okta's directory.

πŸ–₯️
Desktop SSO

Desktop SSO requires domain-joined and on the corporate network

It uses IWA (Integrated Windows Authentication) through the browser; a device off the LAN or not domain-joined falls back to a normal Okta login prompt.

πŸ“§ Office 365 Federation

Federating Office 365 to Okta means Okta becomes the identity provider for sign-in, while Azure AD Connect (or Entra Cloud Sync) usually keeps running in parallel to handle mailbox and directory attribute sync. These are two separate jobs and it helps to keep them mentally separate: one moves attributes, the other decides who's allowed to log in.

Auth versus attribute sync, two different paths
On-prem AD
β†’
Azure AD ConnectAttribute & mailbox sync
β†’
Entra ID / Exchange Online
OktaFederated domain, WS-Fed/SAML
β†’
Handles the actual sign-in prompt for that domain

Setup approach

StepWhat happens
1. Domain federationConvert the Office 365 domain from managed to federated, pointing sign-in at Okta's endpoint
2. Immutable ID mappingMatch each on-prem AD object's immutable ID to the corresponding Entra ID object so accounts line up correctly
3. Okta O365 app configurationSet sign-on mode (WS-Federation is most common), configure the Office 365 tenant details in the Okta app
4. Attribute sync stays separateAzure AD Connect or Cloud Sync continues running for mailbox and group attributes regardless of who owns authentication

Things that catch people off guard

⚠️
Legacy auth

Federated domains can bypass Okta if legacy auth is left open

Old protocols like POP, IMAP, and legacy SMTP can sometimes authenticate directly against Entra ID without going through the federated sign-in flow. Block legacy authentication at the Entra ID/Exchange level even when Okta is the primary IdP.

πŸ”
Token lifetime

Session and token lifetime live in two places

Okta's sign-on policy controls the Okta session; Entra ID/Office 365 has its own token lifetime settings. Misalignment between the two is a common cause of "I signed in but got logged out again five minutes later."

πŸ§ͺ
Testing

Always test with a pilot user before flipping domain federation

Converting the whole domain to federated is disruptive if something is misconfigured. Test with a single non-critical account and confirm sign-in end to end before rolling it out.

πŸ”— App Integration & SSO

Not every app connects to Okta the same way. Picking the right protocol for the app you're onboarding decides how much automation you get, and how much manual account management stays behind.

Protocols compared

ProtocolWhat it doesBest for
SAMLFederated sign-on, no password shared with the appEnterprise apps with native SAML support, most common modern integration
OIDC (OpenID Connect)Modern token-based sign-on, built on OAuth 2.0Newer apps and custom-built applications
SWA (Secure Web Authentication)Okta stores and auto-fills the app's own username/passwordLegacy apps with no federation support at all
SCIMAutomated user provisioning and deprovisioning, separate from sign-inAny app that supports it, pairs with SAML or OIDC for a full lifecycle solution

Onboarding a new app

πŸ“š
Catalog first

Check the Okta Integration Network before building custom

Thousands of apps already have a pre-built integration in the OIN catalog with sign-on and provisioning already wired up. Building a custom SAML app from scratch should be the exception, not the default.

πŸ”‘
Attribute mapping

Map the right attributes on first setup

Email, first name, last name, and any app-specific role attribute all need to be mapped correctly before go-live; a wrong mapping shows up later as users landing in the wrong role or group inside the app.

πŸ”„
SCIM lifecycle

SCIM handles the full account lifecycle

  • Create: new account provisioned automatically on assignment
  • Update: profile changes push through automatically (name change, department change)
  • Deactivate: account disabled the moment access is unassigned or the user is deactivated in Okta

πŸ” Security & Sign-On Policy

Okta's sign-on policies are its equivalent of Conditional Access: rules built from conditions like network zone, device state, and risk signal, applied before a user is allowed in.

Sign-on policy evaluation
User attempts sign-in
β†’
Policy conditions checkedNetwork zone, device trust, risk
β†’
Allow, deny, or require step-up MFA

Common policy building blocks

Condition or controlWhat it does
Network zonesDefine trusted IP ranges (office, VPN) versus everywhere else, and apply different rules to each
Device trustRequires the device to be managed (enrolled and known) before allowing access to sensitive apps
Okta FastPassPhishing-resistant passwordless authentication using a private key stored on the device, tied to Okta Verify
ThreatInsightBlocks sign-in attempts from IPs Okta has identified as malicious across its entire customer base
Behavior detectionFlags sign-ins that deviate from a user's normal pattern (new location, new device, impossible travel) and can trigger step-up MFA

Rollout guidance

πŸ§ͺ
Test group first

Never apply a new sign-on policy tenant-wide first

Scope any new or tightened policy to a small pilot group, confirm real users can still sign in the way you expect, then widen it.

πŸ†˜
Break-glass

Keep at least one emergency access account outside all custom policies

Store its credentials offline, monitor any sign-in on it closely, and never assign it MFA factors tied to a single person's device.

πŸ”‘
Passwordless direction

Move toward Okta FastPass for anything sensitive

It's phishing-resistant by design, unlike SMS or even standard push notifications, which remain vulnerable to prompt-bombing without number matching enabled.

πŸ”„ Provisioning & Lifecycle Management

Okta Lifecycle Management automates the joiner, mover, and leaver process so access actually gets granted and revoked the moment HR data or group membership changes, instead of days later through a manual ticket.

Lifecycle stages

StageWhat triggers itWhat happens
JoinerNew AD account created, or HR system feed adds a new employee recordOkta account activated, group assignments applied, downstream app provisioning fires automatically
MoverDepartment, title, or manager attribute changesGroup membership rules re-evaluate, access to department-specific apps adjusts automatically
LeaverAD account disabled, or HR marks the employee terminatedOkta account deactivated, SCIM-provisioned apps deprovision the user, active sessions revoked

Group push versus group rules

πŸ“€
Group push

Push an existing AD group to a downstream app

Keeps a group's membership synced one-way from Okta's Universal Directory to a connected app, useful when the source of truth for that group is already AD.

πŸ“
Group rules

Build dynamic groups directly in Okta

Rule-based membership using user profile attributes (department, title, location), similar in concept to a dynamic Entra ID group, evaluated continuously as attributes change.

⚑ API / PowerShell Quick Fixes

Fast Okta API calls for the moment an account or a sync job needs attention right now.

πŸ”“
Unlock

Unlock a locked-out user

curl -X POST "https://your-org.okta.com/api/v1/users/{userId}/lifecycle/unlock" `
  -H "Authorization: SSWS {apiToken}"
⏸️
Suspend

Suspend a user immediately

curl -X POST "https://your-org.okta.com/api/v1/users/{userId}/lifecycle/suspend" `
  -H "Authorization: SSWS {apiToken}"
πŸ”‘
MFA reset

Reset all MFA factors for a user

curl -X POST "https://your-org.okta.com/api/v1/users/{userId}/lifecycle/reset_factors" `
  -H "Authorization: SSWS {apiToken}"
πŸšͺ
Session revoke

End every active session for a user

curl -X DELETE "https://your-org.okta.com/api/v1/users/{userId}/sessions" `
  -H "Authorization: SSWS {apiToken}"

Use immediately after a suspected account compromise, alongside a password reset and factor reset.

πŸ“‹
System log

Pull recent sign-in events for a user

curl -G "https://your-org.okta.com/api/v1/logs" `
  --data-urlencode "filter=actor.id eq \"{userId}\"" `
  -H "Authorization: SSWS {apiToken}"
🧰
AD Agent health

Check the AD Agent service locally

Get-Service -Name "OktaADAgentService"
Restart-Service -Name "OktaADAgentService" -Force
πŸ”„
Force import

Trigger an on-demand AD import

Okta admin console: Directory > Directory Integrations > select the AD instance > Import > Import Now. There's no local PowerShell equivalent; the import is always triggered from the Okta side.

🧯 Troubleshooting

The issues that come up most often, with the fastest verified path to a fix.

SymptomLikely causeFix
All delegated authentication fails tenant-wideEvery AD Agent is offline or can't reach a domain controllerCheck the OktaADAgentService status on each agent server; confirm network path and that the domain controller it targets is healthy
One user can't sign in but others canAccount locked, disabled, or password expired on-premCheck the account status directly in Active Directory; delegated auth reflects the real domain state instantly
SAML assertion error on an appCertificate expired, or attribute mapping doesn't match what the app expectsCheck the SAML certificate expiration date in the app integration settings; re-verify attribute statements against the app's documentation
User exists in AD but not in OktaAccount sits outside the AD Agent's configured OU scopeCheck which OUs are included in the Directory Integration's import settings
Office 365 sign-in loops back to Okta repeatedlyImmutable ID mismatch between the on-prem object and its Entra ID counterpartRe-verify the immutable ID mapping for that specific user object
SCIM provisioning fails for a specific appApp-side API token expired, or a required attribute is missing from the user's profileCheck the Import and Provisioning logs for that app in the Okta admin console for the specific error returned by the app
Desktop SSO doesn't work for a specific deviceDevice isn't domain-joined, isn't on the trusted network zone, or Kerberos ticket issuesConfirm domain join state and that the device is on a network zone marked as trusted for Desktop SSO
User reports random extra MFA promptsBehavior detection flagged the sign-in as anomalous, or a network zone boundary was crossed (VPN toggling on/off)Check the System Log for that sign-in event to see which policy condition triggered the step-up

πŸ“š Resources

The best places to go deeper on anything covered in this handbook: official documentation, protocol references, tooling, and community support.

Official documentation

Docs

Okta Help Center

The primary source for admin-facing setup guides, agent installation, and configuration reference.

Open β†—
Docs

Okta Developer Documentation

API guides, SDKs, and concept explainers for building and customizing Okta integrations.

Open β†—
API

Okta API Reference

Full endpoint reference for the Users, Groups, System Log, and Lifecycle APIs used throughout the Quick Fixes tab.

Open β†—
Catalog

Okta Integration Network (OIN)

Searchable catalog of thousands of pre-built app integrations, the first place to check before building a custom SAML app.

Open β†—
Status

Okta Trust / Status Page

Live service health and incident history, check here first if sign-ins fail tenant-wide with no config change to explain it.

Open β†—
Community

Okta Community

Official user forum for admin questions, feature requests, and real-world configuration discussions.

Open β†—

Windows domain and directory integration

AD Agent

Active Directory Agent Overview

Install requirements, redundancy planning, and OU scoping for the AD Agent covered in the Windows Domain tab.

Open β†—
Desktop SSO

Configure Desktop Single Sign-On

Kerberos-based IWA setup so domain-joined, on-network devices skip the Okta login prompt.

Open β†—
RADIUS

RADIUS Agent Overview

Adding Okta MFA in front of VPN concentrators and network switches that speak RADIUS.

Open β†—
Office 365

Office 365 Deployment Guide

Step-by-step domain federation, immutable ID mapping, and sign-on mode configuration for Office 365.

Open β†—

Identity protocols

SAML

SAML Concepts Guide

How SAML assertions, certificates, and attribute statements actually work, useful background for the App Integration tab.

Open β†—
SCIM

SCIM Concepts Guide

The provisioning protocol behind automated joiner, mover, and leaver lifecycle events.

Open β†—
OIDC

OpenID Connect & OAuth 2.0 Overview

Token-based sign-on concepts for modern and custom-built application integrations.

Open β†—

Security features

FastPass

Okta FastPass Overview

Phishing-resistant passwordless authentication tied to Okta Verify, covered in the Security tab.

Open β†—
ThreatInsight

Okta ThreatInsight Overview

Cross-tenant malicious IP blocking and how it factors into sign-on policy evaluation.

Open β†—
Lifecycle

Lifecycle Management Overview

Automated provisioning and deprovisioning rules referenced in the Provisioning & Lifecycle tab.

Open β†—

Automation and tooling

Terraform

Okta Terraform Provider

Manage Okta apps, groups, and policies as infrastructure-as-code instead of clicking through the admin console.

Open β†—
Workflows

Okta Workflows Overview

No-code automation builder for lifecycle events and cross-app tasks that go beyond standard SCIM.

Open β†—
GitHub

Okta on GitHub

Official SDKs, sample apps, and the CLI tool for scripting against the Okta API.

Open β†—

Security research

Trust

Okta Security & Trust Site

Security advisories, compliance reports, and incident disclosures, useful for vetting Okta itself as a vendor.

Open β†—