Hybrid Azure AD Join + Okta Federation

%3CLINGO-SUB%20id%3D%22lingo-sub-1313825%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1313825%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F591872%22%20target%3D%22_blank%22%3E%40RIGAN25%3C%2FA%3EAre%20you%20getting%20Azure%20AD%20PRT%20or%20not%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1313833%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1313833%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F145219%22%20target%3D%22_blank%22%3E%40Rishabh%20Srivastava%3C%2FA%3E%26nbsp%3BWe%20are%20unable%20to%20see%20Azure%20AD%20PRT.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1313845%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1313845%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F591872%22%20target%3D%22_blank%22%3E%40RIGAN25%3C%2FA%3E%26nbsp%3B%20Is%20you%20machine%20is%20showing%20as%20hybrid%20in%20the%20cloud%20or%20not%20%3F%3CBR%20%2F%3EIf%20your%20machine%20is%20showing%20hybrid%20in%20the%20cloud%2C%20then%20check%20device%20registration%20and%20AAD%20logs%20on%20the%20machine.%3C%2FP%3E%3CP%3ELocation%20-%20Application%2FService%20logs%20--%26gt%3B%20Microsoft%20--%26gt%3B%20AAD%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1313922%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1313922%22%20slang%3D%22en-US%22%3EYes%20my%20device%20is%20showing%20Hybrid%20in%20the%20cloud.%20Thanks%20for%20pointing%20out%20to%20me%20the%20logs%20for%20AAD.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1458815%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1458815%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F591872%22%20target%3D%22_blank%22%3E%40RIGAN25%3C%2FA%3E%26nbsp%3BHi%20-%20did%20you%20ever%20find%20a%20solution%20to%20your%20Azure%20PRT%20issue%20while%20federated%20with%20OKTA%3F%20We%20have%20exactly%20the%20same%20problem%20while%20federated%20with%20RSA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1462522%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1462522%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F697597%22%20target%3D%22_blank%22%3E%40garry790%3C%2FA%3E%26nbsp%3B%3A%20Yes%2C%20Gary%2C%20we%20did%20rolled%20out%20this%20process%20using%20controlled%20validation%2C%20and%20instead%20of%20using%20federated%20domain%2C%20used%20Initial%20Domain%20which%20is%20Microsoft%20Provided%20domain%3A%20.onmicrosoft.com%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1269620%22%20slang%3D%22en-US%22%3EHybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1269620%22%20slang%3D%22en-US%22%3E%3CP%3EImplemented%20Hybrid%20Azure%20AD%20Joined%20with%20Okta%20Federation%20and%20MFA%20initiated%20from%20Okta.%3C%2FP%3E%3CP%3ETrying%20to%20implement%20Device%20Based%20Conditional%20Access%20Policy%20to%20access%20Office%20365%2C%20however%2C%20getting%20Correlation%20ID%20from%20Azure%20AD.%20Did%20anyone%20know%20if%20its%20a%20known%20thing%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESSO%20State%20AD%20PRT%20%3D%20NO%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1269620%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1610043%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1610043%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F591872%22%20target%3D%22_blank%22%3E%40RIGAN25%3C%2FA%3E%2C%20can%20you%20elaborate%20on%20this%3F%20I%20have%20the%20exact%20same%20problem%2C%20federated%20with%20Okta%20and%20wanting%20to%20use%20conditional%20access%20policies%20using%20hybrid%20joined%20devices.%3CBR%20%2F%3E%3CBR%20%2F%3EThey%20are%20failing%20the%20CA%20policy%20because%20AzureAdPrt%20%3D%20NO.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1610099%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1610099%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F770074%22%20target%3D%22_blank%22%3E%40Kav77%3C%2FA%3E%26nbsp%3BProviding%20you%20details%20about%20this%3A%3CBR%20%2F%3EPlease%20follow%20controlled%20HYAADJ%20rollout%20using%20Group%20Policy%20Object.%3CBR%20%2F%3EThe%20only%20change%20you%20need%20to%20perform%20related%20to%20GPO%20object%20is%20the%20Tenant.%3C%2FP%3E%3CP%3EUse%20Tenant%20domain%20%3A%20domain.onmicrosoft.com%20and%20not%20the%20custom%20domain%20name%20verified%20to%20the%20tenant.%3C%2FP%3E%3CP%3EAlso%2C%20the%20reason%20where%20you%20see%20AzureAD%20PRT%20%3D%20NO%2C%20is%20related%20to%20device%20where%20Windows%20device%20login%20work%20on%20Legacy%20Auth%2C%20so%20please%20create%20a%20Rule%20in%20Okta%20to%20allow%20legacy%20auth%20to%20the%20PRT%20token.%3C%2FP%3E%3CP%3EBe%20sure%20that%20device%20is%20able%20to%20communicate%20to%20DC%20and%20Internet%20while%20performing%20the%20device%20registration%20process.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1610104%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1610104%22%20slang%3D%22en-US%22%3Ehmm%20I%20only%20have%20the%20GPO%20'Windows%20Components%26gt%3B%20Device%20registration%26gt%3B%20register%20domain%20joined%20computers%20as%20devices'%20enabled%20and%20that%20seems%20to%20have%20Hybrid%20joined%20the%20devices%20successfully.%20It%20has%20no%20option%20for%20specifying%20the%20tenant%20domain%3F%3CBR%20%2F%3E%3CBR%20%2F%3EAnyway%20I%20just%20noticed%20the%20AzureAdPrt%20is%20user%20based.%20I%20was%20running%20CMD%20under%20admin%20and%20it%20was%20saying%20NO%2C%20but%20when%20run%20under%20user%20context%20it%20actually%20says%20'YES'.%20Think%20I%20will%20log%20this%20with%20support.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1641350%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1641350%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F591872%22%20target%3D%22_blank%22%3E%40RIGAN25%3C%2FA%3EI%20wasnt%20sure%20what%20you%20meant%20by%20this%20initially%3A%20%22Also%2C%20the%20reason%20where%20you%20see%20AzureAD%20PRT%20%3D%20NO%2C%20is%20related%20to%20device%20where%20Windows%20device%20login%20work%20on%20Legacy%20Auth%2C%20so%20please%20create%20a%20Rule%20in%20Okta%20to%20allow%20legacy%20auth%20to%20the%20PRT%20token.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDid%20some%20digging%20and%20found%20these%20two%20resources%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.okta.com%2Fresources%2Fwhitepaper%2Fsecuring-office-365-with-okta%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.okta.com%2Fresources%2Fwhitepaper%2Fsecuring-office-365-with-okta%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DgvQ8BuxRlkg%26amp%3Bab_channel%3DOkta%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DgvQ8BuxRlkg%26amp%3Bab_channel%3DOkta%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThough%20I%20didnt%20have%20the%20option%20to%20add%20a%20custom%20agent%20string%2C%20I%20did%20add%20another%20sign%20on%20policy%20in%20Okta%20to%20allow%20legacy%20auth%20and%20now%20my%20PRT%20token%20is%20generated%20and%20device%20conditional%20access%20policies%20work%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHopefully%20this%20helps%20someone%20else%20that%20may%20come%20across%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1785348%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20Join%20%2B%20Okta%20Federation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1785348%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F770074%22%20target%3D%22_blank%22%3E%40Kav77%3C%2FA%3E%26nbsp%3BCustom%20User%20Agent%20is%20Early%20Access%2C%20which%20Okta%20admins%20should%20be%20able%20to%20enable%20themselves%20from%20the%20Admin%20UI%20%22Settings%26gt%3BFeatures%22.%20If%20not%20available%2C%20Okta%20support%20can%20turn%20it%20on%20for%20you.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fhelp.okta.com%2Fen%2Fprod%2FContent%2FTopics%2FApps%2FOffice365%2Fcustom-client-filter.htm%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fhelp.okta.com%2Fen%2Fprod%2FContent%2FTopics%2FApps%2FOffice365%2Fcustom-client-filter.htm%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Implemented Hybrid Azure AD Joined with Okta Federation and MFA initiated from Okta.

Trying to implement Device Based Conditional Access Policy to access Office 365, however, getting Correlation ID from Azure AD. Did anyone know if its a known thing?

 

SSO State AD PRT = NO

11 Replies

@RIGAN25Are you getting Azure AD PRT or not ?

@Rishabh Srivastava We are unable to see Azure AD PRT.

@RIGAN25  Is you machine is showing as hybrid in the cloud or not ?
If your machine is showing hybrid in the cloud, then check device registration and AAD logs on the machine.

Location - Application/Service logs --> Microsoft --> AAD

Yes my device is showing Hybrid in the cloud. Thanks for pointing out to me the logs for AAD.

@RIGAN25 Hi - did you ever find a solution to your Azure PRT issue while federated with OKTA? We have exactly the same problem while federated with RSA.

@garry790 : Yes, Gary, we did rolled out this process using controlled validation, and instead of using federated domain, used Initial Domain which is Microsoft Provided domain: .onmicrosoft.com

 

Hi @RIGAN25, can you elaborate on this? I have the exact same problem, federated with Okta and wanting to use conditional access policies using hybrid joined devices.

They are failing the CA policy because AzureAdPrt = NO.

@Kav77 Providing you details about this:
Please follow controlled HYAADJ rollout using Group Policy Object.
The only change you need to perform related to GPO object is the Tenant.

Use Tenant domain : domain.onmicrosoft.com and not the custom domain name verified to the tenant.

Also, the reason where you see AzureAD PRT = NO, is related to device where Windows device login work on Legacy Auth, so please create a Rule in Okta to allow legacy auth to the PRT token.

Be sure that device is able to communicate to DC and Internet while performing the device registration process.

hmm I only have the GPO 'Windows Components> Device registration> register domain joined computers as devices' enabled and that seems to have Hybrid joined the devices successfully. It has no option for specifying the tenant domain?

Anyway I just noticed the AzureAdPrt is user based. I was running CMD under admin and it was saying NO, but when run under user context it actually says 'YES'. Think I will log this with support.

@RIGAN25I wasnt sure what you meant by this initially: "Also, the reason where you see AzureAD PRT = NO, is related to device where Windows device login work on Legacy Auth, so please create a Rule in Okta to allow legacy auth to the PRT token."

 

Did some digging and found these two resources:

https://www.okta.com/resources/whitepaper/securing-office-365-with-okta/

https://www.youtube.com/watch?v=gvQ8BuxRlkg&ab_channel=Okta

 

Though I didnt have the option to add a custom agent string, I did add another sign on policy in Okta to allow legacy auth and now my PRT token is generated and device conditional access policies work :)

 

Hopefully this helps someone else that may come across this.

@Kav77 Custom User Agent is Early Access, which Okta admins should be able to enable themselves from the Admin UI "Settings>Features". If not available, Okta support can turn it on for you.

 

https://help.okta.com/en/prod/Content/Topics/Apps/Office365/custom-client-filter.htm