Forum Discussion
Hybrid Azure AD Join + Okta Federation
RIGAN25 Hi - did you ever find a solution to your Azure PRT issue while federated with OKTA? We have exactly the same problem while federated with RSA.
- RIGAN25 | Jun 14, 2020 | Copper Contributor
garry790: Yes, Gary, we did roll this process out using controlled validation, and instead of using the federated domain, we used the initial domain, which is the Microsoft-provided domain: .onmicrosoft.com
- Kav77 | Aug 25, 2020 | Copper Contributor
Hi RIGAN25, can you elaborate on this? I have the exact same problem, federated with Okta and wanting to use conditional access policies using hybrid joined devices.
They are failing the CA policy because AzureAdPrt = NO.
- RIGAN25 | Aug 25, 2020 | Copper Contributor
Kav77, providing you details about this:
Please follow the controlled HYAADJ rollout using a Group Policy Object.
The only change you need to make to the GPO object is the tenant. Use the tenant domain domain.onmicrosoft.com and not the custom domain name verified on the tenant.
Also, the reason you see AzureAD PRT = NO is that the Windows device login works on legacy auth, so please create a rule in Okta to allow legacy auth for the PRT token.
Be sure that the device is able to communicate with the DC and the Internet while performing the device registration process.
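The steps RIGAN25 lists (tenant name pushed by GPO, PRT state on the device, DC and Internet reachability during registration) can be checked from the client itself. The following PowerShell script is an added example written for this thread, not code posted by any participant or by Microsoft or Okta. It assumes the registry location Microsoft's hybrid join guidance uses for the tenant-selection GPO (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD with TenantId and TenantName values), the public Azure AD device-registration hostnames, and a placeholder initial domain contoso.onmicrosoft.com; verify the path and tenant name against your own environment. Run it in the signed-in user's session (the PRT lines of dsregcmd reflect the current user) from an elevated prompt, since Test-ComputerSecureChannel needs administrator rights.

```powershell
# Added example: hybrid Azure AD join / PRT readiness check.
# Assumptions (labelled): registry path per Microsoft hybrid join GPO docs,
# 'contoso.onmicrosoft.com' is a placeholder initial domain, endpoint list is
# the public device-registration hostnames. Adjust to your tenant.
$ExpectedTenantName = 'contoso.onmicrosoft.com'   # hypothetical initial (.onmicrosoft.com) domain

function Get-TenantGpoSetting {
    # Values the tenant-selection GPO writes (assumed path, see lead-in)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{ TenantId = $p.TenantId; TenantName = $p.TenantName }
}

function Get-DsregStatus {
    # Parse "Key : Value" lines of dsregcmd /status into a hashtable
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-DeviceRegistrationPrereqs {
    # DC reachability (secure channel) and TCP 443 to Azure AD registration endpoints
    $results = @()
    $results += [pscustomobject]@{ Check = 'DC secure channel'; Ok = [bool](Test-ComputerSecureChannel) }
    $hosts = 'login.microsoftonline.com', 'enterpriseregistration.windows.net', 'device.login.microsoftonline.com'
    foreach ($h in $hosts) {
        $ok = (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
        $results += [pscustomobject]@{ Check = "TCP 443 to $h"; Ok = [bool]$ok }
    }
    return $results
}

# 1. Tenant name the GPO pushes: should be the initial domain, not the federated custom domain
$gpo = Get-TenantGpoSetting
if ($null -eq $gpo) {
    Write-Warning 'Tenant-selection GPO values not present; device will use the default tenant lookup.'
} elseif ($gpo.TenantName -ne $ExpectedTenantName) {
    Write-Warning "GPO TenantName is '$($gpo.TenantName)'; expected '$ExpectedTenantName' (initial domain)."
} else {
    Write-Host "GPO TenantName OK: $($gpo.TenantName) (TenantId $($gpo.TenantId))"
}

# 2. Device state as seen by dsregcmd
$s = Get-DsregStatus
foreach ($k in 'DomainJoined', 'AzureAdJoined', 'TenantName', 'TenantId', 'AzureAdPrt', 'AzureAdPrtUpdateTime') {
    Write-Host ("{0,-22}: {1}" -f $k, $s[$k])
}
if ($s['AzureAdJoined'] -eq 'YES' -and $s['AzureAdPrt'] -eq 'NO') {
    # Join succeeded but no PRT: the failure is in the user sign-in path to the IdP.
    # The thread's suggestion for Okta is to allow the legacy (WS-Trust) auth flow the PRT request uses.
    Write-Warning 'Device is hybrid joined but has no PRT; check the federated (Okta) sign-in policy for legacy auth.'
}

# 3. Connectivity needed during registration
Test-DeviceRegistrationPrereqs | Format-Table -AutoSize
```

If step 1 reports the custom federated domain instead of the .onmicrosoft.com name, correct the GPO before re-running registration; if step 2 shows AzureAdJoined = YES with AzureAdPrt = NO, the device side is done and the remaining work is the Okta sign-on rule the thread describes.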