
HAADJ and Intune with OKTA

My question is the following: is it possible to use Okta (third party) as an authentication/identity provider with a Hybrid Azure AD joined tenant and enroll devices in Intune? We need to adjust our environment to be able to utilize Intune.


To elaborate, please find the details below:


- In this environment, we can run AD Sync and sync devices to Azure as Hybrid Azure AD joined.

The same steps are required here: Configure Hybrid Join in Azure Active Directory | Okta

- Sign-in settings in AD (Entra) Connect are set to "Do not configure", as recommended by Microsoft for third-party federation scenarios (confirm if this is the preferred scenario for AD Connect with Okta).

- Hybrid Entra ID join is currently being achieved with GPOs and not using SCP (targeted deployment).

- Auto-enrollment to MDM is enabled via GPO and correctly distributed to devices/users.

Behavior:

- Devices show up in Azure; however, according to the MS Intune prerequisites, the UPN in the cloud and on-premises should match and a mobility license should be assigned in the cloud. The current situation is that the on-premises domain is contoso.com and users are provisioned via Okta to the cloud with contosocorp.com, so upon login they get redirected to contosocorp.com, resulting in a credential mismatch. (In a test environment without Okta, an alternate UPN suffix was added in Domains and Trusts and the UPN was changed to match the cloud; this worked.)

- In order for Intune to enroll devices, the login credentials should match and a login event from the Windows device must appear in the Azure sign-in logs (this is confirmed as a prerequisite by Microsoft), which is not the case here.

- Okta is set to Universal Sync, which Okta does not recommend as it is not compatible with AD sync, according to the following: https://help.okta.com/en-us/content/topics/provisioning/azure/haad-join/prereqs-haad.htm#Prerequi2


- If we use both Okta and AD Connect, a user will be provisioned twice in the cloud: once with contoso.com (without Okta) and once with contosocorp.com (using Okta; this will include licensing).

The questions are as follows:

1. Are there any workarounds to use Intune to enroll devices without UPN matching in the current scenario?

2. If we are to match UPNs on-prem and in the cloud, how can this be achieved without deprovisioning Okta (or removing the provisioning type Universal Sync)?

3. How can we avoid duplicates (since both Okta and AD sync will provision users in 365)?

Guidance will be very much appreciated. Thank you.
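The UPN-suffix step the post describes for its test environment (register the cloud domain as an alternate UPN suffix, then rewrite user UPNs to match), as an added PowerShell example that is not part of the original post. It only audits and optionally changes on-premises AD; it does nothing about Okta provisioning or the duplicate-user question. The domain names are the post's placeholders, the OU path and the `-Apply` switch are assumptions, and it requires the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original post): audit, and with -Apply fix, on-premises
# UPN suffixes so they match the cloud domain before hybrid join / Intune auto-enrollment.
# Assumes the ActiveDirectory RSAT module and rights to modify the forest and users.
#Requires -Modules ActiveDirectory
param(
    [string]$CloudSuffix = 'contosocorp.com',              # suffix users have in Entra ID
    [string]$SearchBase  = 'OU=Staff,DC=contoso,DC=com',    # assumed OU of synced users
    [switch]$Apply                                         # without -Apply nothing changes
)

# 1. The cloud domain must be registered as an alternate UPN suffix on the forest
#    (the "Domains and Trusts" step from the post) before any user can use it.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $CloudSuffix) {
    Write-Host "Alternate UPN suffix '$CloudSuffix' is missing from forest $($forest.Name)"
    if ($Apply) { Set-ADForest -Identity $forest -UPNSuffixes @{Add = $CloudSuffix} }
}

# 2. Find enabled users whose current UPN suffix differs from the cloud suffix.
$mismatched = @(Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
                    -Properties UserPrincipalName |
                Where-Object { $_.UserPrincipalName -and
                               $_.UserPrincipalName.Split('@')[1] -ne $CloudSuffix })

Write-Host ("{0} enabled users have a UPN suffix other than {1}" -f $mismatched.Count, $CloudSuffix)

# 3. Report each change (old -> new); only rewrite the UPN when -Apply is given.
#    The user part is kept, only the suffix changes.
foreach ($u in $mismatched) {
    $newUpn = '{0}@{1}' -f $u.UserPrincipalName.Split('@')[0], $CloudSuffix
    [pscustomobject]@{ SamAccountName = $u.SamAccountName
                       OldUpn         = $u.UserPrincipalName
                       NewUpn         = $newUpn }
    if ($Apply) { Set-ADUser -Identity $u -UserPrincipalName $newUpn }
}

# 4. On a test device, after the user signs in with the new UPN, check the join and
#    MDM enrollment state (AzureAdJoined / DomainJoined and the MDM URLs):
#    dsregcmd /status
```

Run it first without `-Apply` to get the list of users that would change; a changed UPN is a sign-in-name change for the user, and the sign-in event the post mentions is only produced once the user actually signs in with the matching UPN.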
