Okta + Microsoft 365 integration
Set up Okta as the identity provider for Microsoft 365 via SAML + SCIM — where Okta federates into Entra ID for M365 sign-in (the classic dual-IdP pattern).
- Okta admin
- Microsoft 365 / Entra ID Global Admin
- Domain verified in both Okta + Entra
- PowerShell ability for federation switch
1. Create a new SAML 2.0 application in Okta
In the Okta admin console, create a new SAML 2.0 application. Choose "Web Application" type. Note the placeholders for ACS URL + Entity ID — you'll get these from Microsoft 365 in step 3.
2. Get the SAML metadata URL from Okta
Okta exposes the IdP metadata at a stable URL. Copy this URL — you'll paste it into Microsoft 365's SSO configuration. Alternatively, download the metadata XML if Microsoft 365 doesn't support URL-based metadata.
3. Configure SSO in Microsoft 365
In Microsoft 365's admin → security → SSO settings, paste the Okta metadata URL (or upload the XML). Microsoft 365 will display the ACS URL + Entity ID it expects — copy these.
4. Return to Okta + complete the SAML app config
Paste Microsoft 365's ACS URL into the Okta app's Single Sign-On URL field. Paste the Entity ID into the Audience URI field. Set the NameID format to EmailAddress (or persistent if Microsoft 365 expects that).
5. Configure attribute mapping
Map the attributes the SP expects (see the Attribute Mapping section below). At minimum, email is required. Most apps also expect firstName + lastName.
6. Assign users + groups
In Okta, assign the SAML app to users or groups that should have access. Test with a pilot group before broad rollout.
7. Test end-to-end
Sign in to Microsoft 365 via the IdP-initiated link (from Okta dashboard) AND via SP-initiated (direct Microsoft 365 login URL). Both should work. Check the SAML Tracer browser extension or SAML decoder to inspect the assertion if anything fails.
What flows from where.
| Source (Okta) | Target (Microsoft 365) | Note |
|---|---|---|
| user.email | NameID | persistent format |
| user.email | UPN | — |
| user.userPrincipalName | IDPEmail | — |
- Clock skew: Okta and Microsoft 365 clocks must be within ~5 minutes. NTP-sync both. SAML's NotBefore + NotOnOrAfter are strict.
- NameID format mismatches are the most common failure. Microsoft 365 typically wants EmailAddress; Okta defaults vary. Mismatch → cryptic "invalid assertion" errors.
- Just-in-time (JIT) provisioning vs SCIM: many apps support both. SAML JIT creates the user on first SSO; SCIM creates them ahead of time. Pick one — both can cause attribute drift.
- Audience restriction: Microsoft 365's expected Audience URI must match exactly what the IdP sends. Trailing slashes + protocol (http vs https) matter.
- Signed Response vs signed Assertion: many SPs require the Assertion to be signed (not just the Response envelope). Check the SP's docs.
- Federating a domain in Entra is one-way switch via PowerShell (`Set-MsolDomainAuthentication -Authentication Federated`). Plan for a coexistence window — partial federation is messy.
- IDPEmail claim must be base64-encoded ImmutableID for Entra; common config error.
- Microsoft graphical apps + Outlook desktop have known Modern Auth requirements. Older Office versions won't honor SAML federation.
- IdP-initiated SSO works (sign in from the IdP dashboard)
- SP-initiated SSO works (visit Microsoft 365 directly + get redirected to IdP)
- User attributes flow through correctly (email, name, groups)
- Logout (single logout if supported) works as expected
- Step-up MFA fires when policy requires it
- Unauthorized users (not assigned to the app) get a clean denied message
- Capture a successful SAML response and inspect it (use the SAML decoder tool)
For the latest vendor-side configuration changes, refer to:
Okta + Microsoft 365 federation →