Okta (https://www.okta.com) offers access and authentication management capabilities comparable to those of Microsoft's Azure AD. A scenario that keeps causing problems is the combination of the two: Hybrid Azure AD Join with Okta as the identity provider.
In general, the combination of Azure AD and Okta works. Okta provides various how-to articles, FAQs and whitepapers on it, for example Add Office 365 to Okta, or, specifically on hybrid AAD join with Okta as the identity provider, these:
- Hybrid AAD Join with Okta as your Federation Provider FAQ
- Using Okta for Hybrid Microsoft AAD Join
- Okta’s identity and access management solutions are compatible with Windows 10
- This PDF document describes the settings in the Okta system: Okta + Windows 10 Azure AD Join
- Endpoint Manager / Microsoft Intune
- Windows Hello for Business
- Windows Autopilot
- Conditional Access Policies
- Etc.
Configure hybrid Azure Active Directory join bypassing Okta
When Okta is used as the identity provider, all authentication requests go through the Okta service. This is also true when a device wants to authenticate or tries to join Azure AD.
This Microsoft tutorial describes step by step how to set up a hybrid Azure AD join: Configure hybrid Azure Active Directory join for managed domains
Here are the steps to "Configure hybrid Azure Active Directory join bypassing Okta":
1. Change the Service Connection Point (SCP) configuration in Azure AD Connect so that the authentication service is Azure AD rather than the Okta federation service. Device registration then follows the flow for managed domains described in the Microsoft tutorial above instead of asking Okta for a device token.
2. Set the machine proxy configuration on the Windows 10 device. Windows 10 (1709 and later) completes the hybrid Azure AD join from a scheduled task (Microsoft\Windows\Workplace Join\Automatic-Device-Join) that runs in the machine context, so it uses the WinHTTP proxy, not the signed-in user's proxy settings. Set it with "netsh winhttp set proxy proxy:port", or via a GPO in the local Active Directory: https://support.microsoft.com/en-us/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients
3. Configure the auto-enrollment Group Policy for a single PC (Computer Configuration > Administrative Templates > Windows Components > MDM > "Enable automatic MDM enrollment using default Azure AD credentials"). The necessary change here is the credential type: switch it from Device Credential to User Credential, so that enrollment authenticates with the user's Azure AD credentials instead of a device credential: https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy#configure-the-auto-enrollment-group-policy-for-a-single-pc
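The following PowerShell script is an added example and not code from the original post, from Okta or from Microsoft. It applies steps 2 and 3 on a single domain-joined Windows 10 client, reads the SCP from step 1 for inspection, triggers the join task, and checks the result by parsing dsregcmd /status. The proxy server, bypass list and the dsregcmd sample output are placeholders or constructed; the registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM are assumed to be the registry backing of the auto-enrollment policy (check them against what the GPO writes in your environment before relying on them), and the SCP object name is the well-known Device Registration Configuration GUID from the Microsoft documentation.

```powershell
# Added example, not code from the original post. Placeholders: proxy host/port,
# bypass list, and the constructed dsregcmd sample near the bottom.
# The Set-* and Start-* functions need an elevated shell on the client.
param(
    [string]$ProxyServer = 'proxy.corp.example:8080',   # placeholder, replace
    [string]$BypassList  = '<local>'
)

function Get-HybridJoinScp {
    # Step 1 check (read-only): the SCP written by Azure AD Connect under the
    # Configuration NC. Its keywords carry azureADName/azureADId, i.e. which
    # tenant the device registers with; the authentication-service choice itself
    # is made in the Azure AD Connect wizard, not stored in this object.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $scp = [ADSI]"LDAP://CN=62a0ff2e-97b9-4ad1-a36f-a2e9a3c41b6a,CN=Device Registration Configuration,CN=Services,$configNc"
    @($scp.keywords)
}

function Set-MachineWinHttpProxy {
    param([string]$Server, [string]$Bypass)
    # Step 2: the Automatic-Device-Join task runs as SYSTEM and reaches Azure AD
    # through WinHTTP, so the user's browser (WinINET) proxy is not enough.
    & netsh.exe winhttp set proxy "proxy-server=$Server" "bypass-list=$Bypass" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh winhttp set proxy failed with exit code $LASTEXITCODE" }
    & netsh.exe winhttp show proxy
}

function Set-MdmAutoEnrollmentUserCredential {
    # Step 3: assumed registry backing of "Enable automatic MDM enrollment using
    # default Azure AD credentials" (UseAADCredentialType 1 = User Credential,
    # 2 = Device Credential). Use the GPO itself in production; this is the
    # single-PC equivalent.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name AutoEnrollMDM        -Type DWord -Value 1
    Set-ItemProperty -Path $key -Name UseAADCredentialType -Type DWord -Value 1
    Get-ItemProperty -Path $key | Select-Object AutoEnrollMDM, UseAADCredentialType
}

function Start-HybridJoinTask {
    # Trigger the join now instead of waiting for the task's next scheduled run.
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
}

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd /status prints "Key : Value" rows inside boxed sections; keep the rows,
    # skip the +---+ and | Section | frame lines (no colon, or start with | or +).
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    $status
}

function Test-HybridJoin {
    param([hashtable]$Status)
    # Hybrid joined = DomainJoined and AzureAdJoined both YES. AzureAdPrt tells you
    # whether the signed-in user obtained a PRT, which is where a problem with the
    # Okta federation shows up after the device itself has joined.
    [pscustomobject]@{
        DomainJoined  = ($Status['DomainJoined']  -eq 'YES')
        AzureAdJoined = ($Status['AzureAdJoined'] -eq 'YES')
        HasPrt        = ($Status['AzureAdPrt']    -eq 'YES')
        TenantName    = $Status['TenantName']
    }
}

# Constructed sample (not captured from a real device) to exercise the parser offline:
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                TenantName : Contoso
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"
Test-HybridJoin (ConvertFrom-DsregStatus $sample)   # DomainJoined/AzureAdJoined True, HasPrt False

# Live run on the client (elevated), in the order of the steps above:
# Get-HybridJoinScp
# Set-MachineWinHttpProxy -Server $ProxyServer -Bypass $BypassList
# Set-MdmAutoEnrollmentUserCredential
# Start-HybridJoinTask
# Test-HybridJoin (ConvertFrom-DsregStatus (dsregcmd.exe /status))
```

Run the live sequence once, then check Test-HybridJoin again after the user has signed in: a device that reports AzureAdJoined YES but AzureAdPrt NO has completed the join without Okta, but the user's token acquisition through Okta is still failing and needs to be looked at separately.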