Hybrid AAD Join with Okta as Identity Provider

Okta (https://www.okta.com ) offers access and authentication management capabilities just like Microsoft with Azure AD. A current scenario that continues to cause problems is the combination of both solutions: Hybrid AAD Join with Okta as Identity Provider.

In general, the combination of Azure AD and Okta works. Okta provides various HowTo articles, FAQ and whitepapers on this. For example Add Office 365 to Okta or, focusing hybrid AAD Join with Okta as Identity Provider, this:

• Hybrid AAD Join with Okta as your Federation Provider FAQ
• Using Okta for Hybrid Microsoft AAD Join
• Okta’s identity and access management solutions are compatible with Windows 10
• This PDF document describes the settings in the Okta system: Okta + Windows 10 Azure AD Join

However, there is another option to continue using Okta as an identity provider and to register devices in Azure AD independently. In the end, this was the solution that worked for us in a project with a customer, because the following options can only be used when a device is registered in Azure AD:

• Endpoint Manger / Microsoft Intune
• Windows Hello for Business
• Windows Autopilot
• Conditional Access Policies
• Etc.

Configure hybrid Azure Active Directory join bypassing Okta

When Okta is used as the identity provider, all authentication requests use the Okta service. This is also true when a device wants to authenticate or tries to join Azure AD.

This Microsoft tutorial describes step-by-step how to setup a hybrid Azure AD join: Configure hybrid Azure Active Directory join for managed domains

Here are the steps to „Configure hybrid Azure Active Directory join bypassing Okta“:

1. Changed the Service Connection Point configuration in Azure AD Connect to Azure AD:

2. Set machine proxy configuration on Win10 device: Win10 (1709 and later) tries to complete the hybrid Azure AD join via a scheduled task. This is done in the machine context. To get this done a machine proxy is needed. This can be done via netsh winhttp set proxy proxy:port. You can also do it using a GPO in local Active Directory: https://support.microsoft.com/en-us/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients

3. Configure the auto-enrollment Group Policy for a single PC. The necessary change here is:  Change the policy from device to user credentials: https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy#configure-the-auto-enrollment-group-policy-for-a-single-pc

At the end Okta is no longer involved if a device joins Azure AD but still the Identity Provider if a user is doing a log-in to Office 365.