azureazure-active-directorysamloktafederated-identity

Does federation in Azure AD(or any IDP actually), cause disruption/discontinuity?


Let us assume I am an admin who is managing an Azure AD for my organization with about 3k users. All these 3k users have a login in Azure AD, and use a variety of Office365 services like Exchange Online, Microsoft Teams, Word Online etc.

Now, let us say, for some feature in Okta, we choose to federate our Azure AD with Okta, then what happens in the following scenarios :

  1. Say there are as mentioned above the 3k users in Azure AD, only me in Okta, and I federate Azure AD, what happens? Is it like, the moment we federate Azure AD with Okta, everyone in our Azure domain can't login immediately? Or is there any possibility of doing this in a phased manner?
  2. Say after all the 3k users now have an account in Okta as well. Can we maintain continuity? I.E after the users login to Azure AD via Okta, will they still see all their earlier data in Exchange Online, Teams, etc.
  3. I assume there would be a mapping procedure to ensure continuity? How does that work?

Solution

  • There are a couple of things to take care of to ensure there is zero downtime:

    1. AzureAD requires two attributes UPN (User Principal Name) and ObjectGUID to be passed from Okta. If your AzureAD and Okta users are both sourced from on-premise AD you will be fine, else you will need update AzureAD users to match the values with Okta.
    2. Once federated with Okta, legacy authentication is disabled by default. If you need it, please make sure you update client access policies are updated accordingly in Okta
    3. Federation with an AzureAD domain is big-bang but if you have multiple domains, you can federated them in a phases.

    More details here: https://www.okta.com/resources/whitepaper/securing-office-365-with-okta/

    Thank you