Okta AD Integration with Azure AD Domain Services

1. Introduction

This is a experimental article, using a existing Azure Active Directory (AD) and Azure Active Directory (AD) Domain Services deployment and integrating it with a Okta solution.

2. Preparation tasks

• Azure AD
  • Related Article – Getting started with Azure Active Directory Free Edition
• Azure AD Domain Services
  • Related Article – Azure AD Domain Services Quick Install
• Azure VM domain Joined to Azure AD Domain Services
• Okta Free 30 day trail
• Create a Service Account in Azure AD (Okta AD agent will run under this account)

3. Assumptions

The following assumptions are made in following this article:

• Windows 2012 R2 Member server of the  Azure AD Domain Services
• The member server has internet access
• Okta free trail without any modifications made

 

4. Installation

4.1 Create Service Account in Azure AD

1. Log into Azure AD, Go to Users and Click “ADD USER“
2.  In “Type of user“, Choose “New user  in your organization“
3. In “User Name”, Use company Service Account Name convention e.g. okta
4. 
5. In “First Name“, “Last Name” and “Display Name“, Enter Okta
6. In “Role”, Choose “User”
7. Create a temporary password, and document the password for next step.
8. Go to http://portal.office.com, Login as the new user and set the password.
9. The default password expiry is set on the account and should be disabled by using Azure AD PowerShell.

4.2 Okta AD Agent Install

Please follow theses steps for integrating Azure AD Domain services with Okta:

1. Log onto the Domain joined Server that will run the Okta Agent
2. Go to your okta administrator url e.g. https://<Company>-admin.okta.com/admin/dashboard
3. On the top navigation bar, go to Security, Authentication
4. 
5. Click “Configure Active Directory“
6. 
7. Click, “Set Up Active Directory“
8. 
9. Click, “Download Agent“
10. 
11. Once the agent is finished downloading, run the installation.
12. In the Welcome screen, Click “Next“
13. 
14. Choose the path for the installation and click “Install“
15. In The Domain field, enter company domain and click “Next” e.g. schmarr.com
16. Choose “Use an alternate account that I specify“
17. Enter username and password and click “Next“
18. At Okta AD agent Proxy Configuration, Click “Next“
19. At Register Okta AD Agent, Choose Production and in “Enter Subdomain” add company name.
20. Click “Next“
21. Sign in with your Okta Admin Account
22. Click “Allow Access“
23. Agent Installed, Click “Next”
24. As an Example choose the following in “Basic Setting“
25. 
26. Click “Next“
27. Click “Next“
28. In “Select the attributes to build your Okta User profile“, Click “Next“
29. Done
30. 

Conclusion

The ability to add SaaS applications in Azure AD and Okta, Azure AD being the Identity store for both.

Advertisement

Filtering on Azure AD Connect

Introduction

This article will add a filter for Azure AD Connect for only syncing user accounts that have a valid email address. Additional options may be required by the organization and more detail can be found here.

Preparation Tasks

The following tasks should be completed before starting the process:

1. Azure AD Connect is installed and configured – see “Getting Started with Azure AD Free Edtion“
2. Administrator Access for Azure AD Connect Server

Adding the Filter

The following tasks should be preformed on the Azure AD Connect Server:

Disable scheduled task

To disable the scheduled task which will trigger a synchronization cycle every 3 hours, follow these steps:

1. Start Task Scheduler from the start menu.
2. Directly under Task Scheduler Library find the task named Azure AD Sync Scheduler, right-click and select Disable.
   
3. You can now make configuration changes and run the sync engine manually from the synchronization service manager console.

After you have completed all your filtering changes, don’t forget to come back and Enable the task again.

1. Open “Synchronization Rules Editor“
2. Click “Inbound“
3. 
4. Find “In From AD – User Join” rule, click “Edit“
5. 
6. Click “Yes“
7. In “Precedence“, enter “500“
8. Click “Next“
9. Only include user that a have email address
   1. Click “Add clause“
   2. Attribute Field choose “mail“
   3. Operator field choose “ISNOTNULL“
   4. 
10. Add Company email domain (Optional – checking if user have a email address solves most cases)
    1. This rule assumes you only have one email domain, will not work for multi-domain
    2. Click “Add clause“
    3. Attribute Field choose “mail“
    4. Operator field choose “ENDSWITH“
    5. Value enter “<email>.<domain-name>”
    6. 
11. Apply and Verify changes
12. Enable Scheduled task

Conclusion

Completion of this article, the organization will only sync user accounts that have a valid email address into Azure AD.