Forum Discussion

Iron Contributor

Jun 15, 2020

Solved

Changing Azure AD Federation provider

Hi, We have a M365 tenant which is federated with Okta for Authentication. All user provisioning & authentication for M365 is handled by Okta. Okta in turn is federated to our On-Prem Active Direct...

Azure Active Directory (AAD)

Identity Management

Sander Berkouwer
Jun 23, 2020
I feel there are two challenges to solve:

Making sure your colleagues synchronize correctly end-to-end.

Switching federation with Okta to Azure AD Connect PTA.

The current setup keeps user objects in Active Directory in sync with user objects in Azure AD. To make sure the same objects on both ends are matched end-to-end, I'd recommend hard matching by setting the source anchor attributes on both ends. There's more information on end-to-end matching here. To avoid multiple synchronization engines writing to Azure AD and possible introducing last-write errors, I'd also recommend to use Staging Mode in Azure AD Connect when Okta still actively synchronizes.

From Azure AD's point of view, it doesn't matter which federation solution you use. Whether it's Okta, HelloID or PingFederate, you can use the staged roll-out feature with all of them.

JanBakkerOrphaned

Iron Contributor

Jun 23, 2020

Unnie That is something I have not dealt with so far, but I assumne you can set up your own Azure AD connect server as staging server to take over the running server from Okta. You have to take care of the source ancor, and be sure your accounts will soft match with the UPN suffix.

Sander Berkouwer ,might have some tips for you on this topic.

Sander Berkouwer

MVP

Jun 23, 2020

I feel there are two challenges to solve:

Making sure your colleagues synchronize correctly end-to-end.
Switching federation with Okta to Azure AD Connect PTA.

The current setup keeps user objects in Active Directory in sync with user objects in Azure AD. To make sure the same objects on both ends are matched end-to-end, I'd recommend hard matching by setting the source anchor attributes on both ends. There's more information on end-to-end matching here. To avoid multiple synchronization engines writing to Azure AD and possible introducing last-write errors, I'd also recommend to use Staging Mode in Azure AD Connect when Okta still actively synchronizes.

From Azure AD's point of view, it doesn't matter which federation solution you use. Whether it's Okta, HelloID or PingFederate, you can use the staged roll-out feature with all of them.

Unnie
Iron Contributor
Jun 25, 2020
Regarding the hard matching, when we set up Okta to Azure AD user provisioning, AD ObjectGuid attribute value is mapped to the ImmutableID in Azure AD. So, I am assuming this makes it easy for us to do the hard matching in Azure AD connect.
Unnie
Iron Contributor
Jun 23, 2020
Sander Berkouwer JanBakkerOrphaned Thanks a lot both of you , for the tips & help.
JanBakkerOrphaned
Iron Contributor
Jun 23, 2020
Sander Berkouwer Thanks Sander.

Unnie is this someting you can work with?