Microsoft Azure Active Directory (Azure AD) is the cloud-based directory and identity management service that Microsoft requires for single sign-on to cloud applications like Office 365. All Office 365 users — whether from Active Directory or other user stores — need to be provisioned into Azure AD first.
Microsoft provides a set of tools for provisioning users from Active Directory into Azure AD: Active Directory Federation Services (AD FS), Azure AD Connect (DirSync), and Microsoft Identity Manager (previously Forefront Identity Manager). These tools have gradually improved over time, but they require deploying, configuring, and managing significant server resources. Each service is also completely unaware of the others — and of the Azure AD cloud service — and requires its own configuration and integration.
Getting users into Azure Active Directory doesn’t have to be a burden for IT. Okta’s custom integration with Office 365 provisions user identities and attributes from Active Directory into Azure AD simply and securely. Customers not using on-premises Active Directory can provision users into Azure Active Directory through Okta’s cloud-based Universal Directory.
Advanced management for Azure AD-only environments
For Azure AD-only environments with no on-premises Active Directory, provisioning and deprovisioning users can be a challenge — especially when Human Capital Management (HCM) systems like Workday, UltiPro, or SuccessFactors serve as the primary source to create and maintain employee profiles. Okta solves these challenges with enhanced offboarding workflows that can block user sign-in to Azure AD and remove Microsoft licenses — even those provisioned into Azure AD from HCM systems.
Manage access based on context
Azure AD Premium has a feature called EMS Conditional Access that enables an administrator to configure access based on a number of conditions. Okta’s own Contextual Access Management provides a high degree of security, visibility, and control over application access, while enabling organizations to continue to use the free Azure AD license.
Okta Contextual Access Management reduces risk by managing how users and devices gain access to corporate resources. Through a combination of Adaptive Multi-Factor Authentication and Device Trust enrollment policies, Okta ensures only approved users and devices can access corporate-owned applications and data. With Okta, organizations can enforce granular access control to thousands of applications, and for the most commonly used devices.
Okta Adaptive Multi-Factor Authentication
Adaptive MFA lets an administrator choose whether to allow access, require step-up authentication, deny access, or restrict the scope of a user’s access to certain applications. These decisions are based not just on passwords, security questions, and tokens, but on who the user is, what network or country they are connecting from, and what device they are using.
Okta Device Trust
Okta has created a simple yet powerful solution called Device Trust that prevents unmanaged devices from accessing applications integrated with Okta and Azure Active Directory. Okta can check whether a Windows device is joined to a Windows domain and, where policy requires it, deny access to unmanaged devices. It can also require an unmanaged Mac or iOS device to enroll in Intune or a third-party mobile device management solution before access is granted.
Integration with Azure AD Premium Conditional Access
Customers choosing to use Azure AD Premium Conditional Access can get complementary security by using Okta as the identity provider. For example, organizations that support iOS, macOS, or Android devices can rely on Okta to send the device a multi-factor authentication challenge and to require the device to enroll in a mobile device management solution before access is granted.
Okta's cloud-based identity solution offers pre-configured single sign-on, provisioning, lifecycle management, and security for thousands of applications, infrastructure services, and devices in the Okta Integration Network. Okta handles identity reliably and securely for more SaaS and web applications than any other identity provider.