Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Hybrid AD Join with Okta - SCP? possible? how?

Brass Contributor

Jgq85_0-1593192331739.png

  • I came across this SCP configuration step when turning on Hybrid AD Join options in our Azure AD Connect tool. 
  • I'm not sure what to choose here: Okta or Azure Active Directory? 
  • Okta doesn't sync computers as far as I know. I also can't get confirmation from Okta on what to chose. 
  • It this important? should I just experiment to see what happens?
  • My end goal here is to use InTune to manage devices and eventually get them off our domain and away from GPO. 
7 Replies
Don’t know much about Okta, but in regular native Azure AD environment, it default to Azure AD authentication and you don’t have to choose. I think you need to use Azure AD authentication, otherwise it wont work. You can test one pc by syncing specific OU- Use Synchronization Service to do that.

Is this important? Yes, if not enabled you can’t sync your PCs to the cloud, which means you can’t do hybrid join.

Hope this helps!
Moe

Hi @Moe_Kinani ,

Thanks for advice. How do I specify only certain computers? 

Is that through specifying the ccontainer/OU in the Sync Service manager ( Connectors > Domain > Properties > Configure Directory partitions > Containers)? 

You got it. I would create new OU->move the pc and sync it.

Lastly, you need to enroll the device with Intune so you can push policies to the device.

https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatica...

Moe

@Jgq85 Did you ever figure this out?  Which one to pick?  We are in the same boat with Azure AD Federated by Okta and trying to set up the same thing.

@cyber-tk I am looking at the same situation here.  Wondering what you ended up doing for SCP selection?  *.okta.com, Azure AD, etc.

 

I want to convert my existing hybrid AD from having my devices AD Registered to AD Hybrid Joined and I'm confused around whether to just use the existing OKTA SCP in the ADConnect configuration or if I am overlooking something.

@MikeWardUSI 

If Azure AD is federated into Okta you need to select Okta as the authentication service rather than AAD when doing the SCP in AAD Connect.

If there is no federation you need to select AAD.

Hope that helps

I ended up choosing Azure AD Directory in my config and it is working well. Honestly, I don't see a big advantage for the hybrid set up, so we are now just moving all our new devices to Azure AD Joined only and set up up GP in Azure. If you do, do Azure AD joined or Hybrid Joined you do have to set up Okta so it can authenticate when joining new devices using this set up.

https://www.okta.com/resources/whitepaper/using-okta-for-hybrid-microsoft-aad-join/

Scroll down to the part where you see this and set up the Windows-AzureAD-Authentication-Provider/1.0 as the provider in Office 365. I have this set to only trusted networks. After it is joined people can still authenticate off the trusted networks. It seems to be just the initial join.