Microsoft Tech Community

Azure AD - Integrate partner users who use Okta into AAD


Hi 

I am stuck trying to find a way that will resolve my current problem or provide a solution that would be seamless for administrative purposes.

We use Azure AD.

The partner uses Okta and doesn't have Azure AD.

The partner needs access to our registered app, but they want to use Okta to access the app, using a security group managed by the partner so that changes to users on their side automatically update the users on our side, and terminated users on the partner side no longer have access to the app in our Azure tenant.

I was thinking of using B2B, registering their Okta as an app and then inviting their users / group users to join our Azure AD. That way the partner's users use Okta to authenticate and access the registered app in our tenant.

The problem with the above is that it creates admin overhead for us in managing the users / guest users who get terminated on the partner side, if they don't inform us of the change.

Is anyone aware of a way to set up Azure AD so that it integrates with Okta and gets or pulls users from the partner's Okta to update the users on our side every 12 to 24 hours? It will not be all users in the partner's Okta, only users that are part of a specific group in Okta.

Any help would be greatly appreciated.

4 Replies
Thank you for your reply.

This is not a question of setting up federation with Okta. We use Azure and we don't want to sync all of the partner's Okta users to our AAD.

We need to give the partner access to an application. The partner wanted us to federate with them and then use their Okta to access our app. We don't want to use the partner's Okta to access our app, as we use Azure.
We are trying to find a solution where the partner can keep using their own Okta to access our app and we can access our app as normal without using Okta. Only the partner must use their Okta for their own users.
We would like to automate getting a group of users inside the Okta IdP that can update our Azure AD so the partner's users are added as guest users, like B2B.
If a user is terminated in the partner's Okta, then that termination must update our AAD to prevent the user from having or gaining access after termination. Also, if the partner adds a user to the specific group in Okta, that user is updated in our AAD without any human action on our end.

Hi @Skully1410, I am also looking to integrate one of my partners, who is using Okta but not Azure, with my Azure AD and provide access to my enterprise applications.
Since I'm new to Azure and Okta I have no idea how to achieve this, so please guide me / provide the steps to integrate if you got it integrated successfully.

@Skully, your proposed solution of using B2B is the best way to go. To reduce the admin overhead, you can automate using access packages for certain applications. For the terminated users, I would suggest using the access review feature, where if the user is inactive for, let's say, 30 days, you take away the rights. This will ensure whoever is using the access keeps it. Try using the direct connect feature if that is applicable in your situation: B2B direct connect overview - Azure AD - Microsoft Entra | Microsoft Docs
For the question on the Okta auth flow being used by the partner for your tenant's resources/app when you are using Azure AD for authentication, that's not possible, since they are signing in to your tenant and can only be authenticated to Azure.
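Putting the B2B guest approach from the last reply together with the sync the original poster describes (pull one Okta group every 12 to 24 hours, invite new members as guests, remove terminated ones with no human action on our side), here is an added example of such a job. It is not code from this thread, from Microsoft or from Okta. The Okta org URL, group id, partner domain and object ids are hypothetical placeholders; it assumes an Okta API token that can read the group and a Graph app-only token with User.ReadWrite.All (for deletes the service principal also needs a directory role that permits deleting users, such as User Administrator). The pure diff (`plan_sync`) is kept apart from the HTTP calls so it can be exercised offline on the constructed sample responses at the bottom.

```python
"""Added example (not from the thread): reconcile Azure AD B2B guests against ONE partner Okta group."""
import json
import os
import urllib.request

OKTA_ORG = os.environ.get("OKTA_ORG", "https://partner.okta.example")        # hypothetical
OKTA_GROUP_ID = os.environ.get("OKTA_GROUP_ID", "00gExamplePartnerGroup")    # hypothetical
PARTNER_DOMAIN = os.environ.get("PARTNER_DOMAIN", "partner.example").lower() # hypothetical
GRAPH = "https://graph.microsoft.com/v1.0"

def okta_active_members(okta_users):
    """Emails of group members that are ACTIVE and in the partner's domain. The status
    check is the termination signal (a DEPROVISIONED or SUSPENDED user counts as gone even
    if still listed); other domains are dropped so the partner cannot onboard third parties."""
    return {u["profile"]["email"].lower() for u in okta_users if u.get("status") == "ACTIVE"
            and (u.get("profile", {}).get("email") or "").lower().endswith("@" + PARTNER_DOMAIN)}

def partner_guests(graph_users):
    """mail -> object id for guests in the partner's domain only. This scope is the safety
    rail on deletions: the job may remove only guests it could itself have invited."""
    return {(g.get("mail") or "").lower(): g["id"] for g in graph_users if g.get("userType") == "Guest"
            and (g.get("mail") or "").lower().endswith("@" + PARTNER_DOMAIN)}

def plan_sync(okta_emails, guests):
    """Pure diff, testable offline: (emails to invite, object ids to delete)."""
    stale = set(guests) - okta_emails
    return sorted(okta_emails - set(guests)), sorted(guests[m] for m in stale)

def _request(method, url, auth, body=None):
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Authorization": auth, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()                                    # DELETE answers 204, empty body
        return (json.loads(raw) if raw else None), ", ".join(resp.headers.get_all("Link") or [])

def _next_link(link_header):
    """Okta paginates with 'Link: <url>; rel="next"' headers; return that url or None."""
    for part in link_header.split(","):
        if 'rel="next"' in part:
            return part[part.index("<") + 1:part.index(">")]
    return None

def fetch_okta_group_members():
    url, users = f"{OKTA_ORG}/api/v1/groups/{OKTA_GROUP_ID}/users?limit=200", []
    while url:                                               # SSWS = Okta API token (read-only)
        page, link = _request("GET", url, "SSWS " + os.environ["OKTA_API_TOKEN"])
        users.extend(page)
        url = _next_link(link)
    return users

def _graph(method, url, body=None):
    url = url if url.startswith("https://") else GRAPH + url
    return _request(method, url, "Bearer " + os.environ["GRAPH_TOKEN"], body)[0]

def fetch_graph_guests():
    url, users = "/users?$filter=userType%20eq%20'Guest'&$select=id,mail,userType", []
    while url:
        page = _graph("GET", url)
        users.extend(page["value"])
        url = page.get("@odata.nextLink")                    # Graph paginates in the body
    return users

def invite_guest(email):                                     # User.Invite.All or User.ReadWrite.All
    return _graph("POST", "/invitations", {"invitedUserEmailAddress": email,
                  "inviteRedirectUrl": "https://myapps.microsoft.com", "sendInvitationMessage": True})

def delete_guest(object_id):                                 # soft delete: restorable for 30 days
    _graph("DELETE", f"/users/{object_id}")

def run(dry_run=True):
    """One scheduled pass (cron or Azure Automation every 12-24 h); dry_run only plans."""
    invite, delete = plan_sync(okta_active_members(fetch_okta_group_members()),
                               partner_guests(fetch_graph_guests()))
    if not dry_run:
        for email in invite: invite_guest(email)
        for oid in delete: delete_guest(oid)
    return invite, delete

# Constructed sample API responses (not real data) so the diff can be exercised offline.
SAMPLE_OKTA_USERS = [
    {"status": "ACTIVE", "profile": {"email": "alice@partner.example"}},
    {"status": "DEPROVISIONED", "profile": {"email": "bob@partner.example"}},    # terminated
    {"status": "ACTIVE", "profile": {"email": "carol@partner.example"}},         # new hire
    {"status": "ACTIVE", "profile": {"email": "dave@contractor.example"}},       # outside partner domain
]
SAMPLE_GRAPH_USERS = [
    {"id": "id-alice", "mail": "alice@partner.example", "userType": "Guest"},
    {"id": "id-bob", "mail": "Bob@partner.example", "userType": "Guest"},         # must be removed
    {"id": "id-erin", "mail": "erin@othervendor.example", "userType": "Guest"},   # another partner: untouched
]

def demo():
    """Offline pass over the samples: invite carol, delete bob's guest object."""
    return plan_sync(okta_active_members(SAMPLE_OKTA_USERS), partner_guests(SAMPLE_GRAPH_USERS))

if __name__ == "__main__":
    print(demo())   # (['carol@partner.example'], ['id-bob'])
```

Two design choices carry the security weight. Deletions are scoped to guests whose mail is in the partner's domain, so a bad or truncated group listing from the partner can never remove another partner's guests or your own members, and the Okta `status` is checked rather than bare group membership, so a user the partner has deactivated is removed on the next run even if they are still listed in the group. Deleting the guest object stops new sign-ins at once, but access tokens already issued stay valid until they expire, so keep the app's token lifetime short or rely on Continuous Access Evaluation where the app supports it if an hour of residual access matters. Run with `dry_run=True` first and review the plan before scheduling it.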