Provisioning options for Office 365
This topic explains different provisioning options available for an Office 365 app instance in Okta.
Note:
- For Universal Sync, the Okta admin needs permission to manage not only the Office 365 app but also Active Directory.
- Universal Sync doesn't support JIT-enabled Active Directory instances.
- Provisioning passwords isn't supported for federated users.
- Licenses and Roles Management Only doesn't support Immutable ID. If SSO is enabled, create a different Office 365 app instance to enable provisioning.
| Operations supported | Licenses and Roles Management Only | Profile Sync | User Sync | Universal Sync1 |
|---|---|---|---|---|
| Provision Users | ||||
| Push licenses and roles | Y | Y | Y | Y |
| Create user | N | Y | Y | Y |
| Deactivate user | Y | Y | Y | Y |
| Edit user directly from within Office 365 | Y2 | Y | N3 | N4 |
| Sync profile attributes 5 | ||||
| Sync basic user profile attributes | N | Y6 | Y | Y |
| Sync a limited number of extended attributes in addition to the basic attributes | N | N | Y | Y |
| Sync all extended attributes | N | N | N | Y |
| Sync Active Directory groups and resources 7 | ||||
| Sync security groups | N | N | N | Y |
| Sync contacts | N | N | N | Y |
| Sync distribution lists | N | N | N | Y |
| Sync resource mailboxes | N | N | N | Y |
CAUTION:
- User Sync and Universal Sync can't be used with Directory Synchronization, Microsoft Entra ID Sync, or Microsoft Entra ID Connect.
- Once you select User Sync or Universal Sync, you can't change your selection back to Profile Sync, unless your org has the Microsoft Graph API feature enabled.
- Exchange hybrid isn't currently supported.
1 Universal Sync doesn't support JIT-enabled Active Directory instances.
2 Not available with Microsoft Entra ID Connect or Directory Synchronization.
3 Users can no longer be edited directly from within Office 365. Changes must happen at the source of truth and be synced across.
4 Users can no longer be edited directly from within Office 365. Changes must occur at the source of truth and be synced across.
6 Username can't be changed through Profile Sync.
7 To sync groups from other directory services and apps to Office 365, configure Group Push. Configure provisioning and user assignments before pushing groups to Office 365. See Using Group Push.