Hybrid AD Join with Okta - SCP? possible? how?


[Screenshot: the SCP configuration step in Azure AD Connect]

  • I came across this SCP configuration step when turning on Hybrid AD Join options in our Azure AD Connect tool. 
  • I'm not sure what to choose here: Okta or Azure Active Directory? 
  • Okta doesn't sync computers as far as I know. I also can't get confirmation from Okta on what to choose. 
  • Is this important? Should I just experiment to see what happens?
  • My end goal here is to use Intune to manage devices and eventually get them off our domain and away from GPO. 
3 Replies
Don’t know much about Okta, but in a regular native Azure AD environment it defaults to Azure AD authentication and you don’t have to choose. I think you need to use Azure AD authentication, otherwise it won’t work. You can test one PC by syncing a specific OU. Use Synchronization Service to do that.

Is this important? Yes, if not enabled you can’t sync your PCs to the cloud, which means you can’t do hybrid join.

Hope this helps!
Moe

Hi @Moe_Kinani ,

Thanks for advice. How do I specify only certain computers? 

Is that through specifying the container/OU in the Sync Service Manager (Connectors > Domain > Properties > Configure Directory Partitions > Containers)? 

You got it. I would create a new OU, move the PC and sync it.

Lastly, you need to enroll the device with Intune so you can push policies to the device.

https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatica...

Moe
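The pilot procedure the replies above describe (confirm the SCP that Azure AD Connect wrote, move one PC into a sync-scoped OU, push a delta sync, then check the device), as an added PowerShell example that is not part of the thread. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation and the ADSync module on the Azure AD Connect server; the OU `OU=HybridJoinPilot,DC=corp,DC=example`, the computer `PILOT-PC01` and the server `AADCONNECT01` are placeholder names, and the OU must already be ticked as an in-scope container under Connectors > Domain > Properties > Configure Directory Partitions > Containers.

```powershell
# Added example, not from the thread. Placeholder names: OU=HybridJoinPilot,...,
# PILOT-PC01 and AADCONNECT01 must be replaced with your own values.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # Azure AD Connect writes the Hybrid Azure AD join SCP into the Configuration
    # partition under "Device Registration Configuration"; its multi-valued
    # keywords attribute carries the tenant name (azureADName:) and id (azureADId:).
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Device Registration Configuration,CN=Services,$configNC"
    $scp = Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -Filter 'objectClass -eq "serviceConnectionPoint"' `
        -Properties keywords -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $scp) { return $null }

    $name = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    $id   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    [pscustomobject]@{
        DistinguishedName = $scp.DistinguishedName
        AzureADName       = $name
        AzureADId         = $id
    }
}

function Move-ComputerToPilotOu {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $TargetOu
    )
    # Moving the computer object into the in-scope OU is what makes Azure AD
    # Connect pick it up on the next sync cycle; nothing changes on the PC itself.
    $pc = Get-ADComputer -Identity $ComputerName
    if ($pc.DistinguishedName -like "*,$TargetOu") {
        Write-Verbose "$ComputerName is already in $TargetOu"
        return $pc
    }
    Move-ADObject -Identity $pc.DistinguishedName -TargetPath $TargetOu
    Get-ADComputer -Identity $ComputerName
}

# 1. Verify the SCP exists and points at the expected tenant.
$scp = Get-HybridJoinScp
if (-not $scp) {
    Write-Warning 'No SCP found: the Hybrid Azure AD join step in Azure AD Connect has not been completed.'
    return
}
"SCP $($scp.DistinguishedName) -> tenant $($scp.AzureADName) ($($scp.AzureADId))"

# 2. Put one test PC into the pilot OU (placeholder names).
$pilotOu = 'OU=HybridJoinPilot,DC=corp,DC=example'
$pc = Move-ComputerToPilotOu -ComputerName 'PILOT-PC01' -TargetOu $pilotOu
"Computer now at $($pc.DistinguishedName)"

# 3. On the Azure AD Connect server, run a delta sync instead of waiting for the scheduler.
Invoke-Command -ComputerName 'AADCONNECT01' -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 4. On the pilot PC itself, after a reboot or the next sign-in, confirm the join state:
#    dsregcmd /status
#    Expected: DomainJoined : YES and AzureAdJoined : YES once the device has registered.
```

The SCP lookup searches the container by object class rather than hard-coding the SCP's CN, so it works regardless of the GUID Azure AD Connect used; if the function returns nothing, the SCP step in the wizard has not run, which matches Moe's point that without it the PCs cannot register and hybrid join cannot happen. Only the computer object is touched, so the move is easy to reverse if the pilot does not behave as expected.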