Forum Discussion
Solved
Changing Azure AD Federation provider
Hi, We have a M365 tenant which is federated with Okta for Authentication. All user provisioning & authentication for M365 is handled by Okta. Okta in turn is federated to our On-Prem Active Direct...
I feel there are two challenges to solve:
- Making sure your colleagues synchronize correctly end-to-end.
- Switching federation with Okta to Azure AD Connect PTA.
The current setup keeps user objects in Active Directory in sync with user objects in Azure AD. To make sure the same objects on both ends are matched end-to-end, I'd recommend hard matching by setting the source anchor attributes on both ends. There's more information on end-to-end matching here. To avoid multiple synchronization engines writing to Azure AD and possible introducing last-write errors, I'd also recommend to use Staging Mode in Azure AD Connect when Okta still actively synchronizes.
From Azure AD's point of view, it doesn't matter which federation solution you use. Whether it's Okta, HelloID or PingFederate, you can use the staged roll-out feature with all of them.
Unnie Trying to get the situation here. So your Active Directory is not synced to AAD yet?
- AD it is not synced directly to Azure AD, but synced first to Okta & Okta later syncs user to Azure AD. Okta is acting as an intermediatary service between Azure AD & AD, I want to remove it and set up Azure AD connect for user sync and Pass thru cloud authentication.
Unnie That is something I have not dealt with so far, but I assumne you can set up your own Azure AD connect server as staging server to take over the running server from Okta. You have to take care of the source ancor, and be sure your accounts will soft match with the UPN suffix.
Sander Berkouwer ,might have some tips for you on this topic.
I feel there are two challenges to solve:
- Making sure your colleagues synchronize correctly end-to-end.
- Switching federation with Okta to Azure AD Connect PTA.
The current setup keeps user objects in Active Directory in sync with user objects in Azure AD. To make sure the same objects on both ends are matched end-to-end, I'd recommend hard matching by setting the source anchor attributes on both ends. There's more information on end-to-end matching here. To avoid multiple synchronization engines writing to Azure AD and possible introducing last-write errors, I'd also recommend to use Staging Mode in Azure AD Connect when Okta still actively synchronizes.
From Azure AD's point of view, it doesn't matter which federation solution you use. Whether it's Okta, HelloID or PingFederate, you can use the staged roll-out feature with all of them.
