Provisioning options for Office 365

This topic explains the different provisioning options available for an Office 365 app instance in Okta.

  • For Universal Sync, the Okta admin needs permission to manage not only the Office 365 app but also Active Directory.
  • Universal Sync doesn’t support JIT-enabled Active Directory instances.
  • Provisioning passwords isn't supported for federated users.

Operations supported by each provisioning option:

| Operations supported | Licenses and Roles Management Only | Profile Sync | User Sync | Universal Sync¹ |
|---|---|---|---|---|
| **Provision Users** | | | | |
| Push licenses and roles | Y | Y | Y | Y |
| Create user | N | Y | Y | Y |
| Deactivate user | Y | Y | Y | Y |
| Edit user directly from within Office 365 | Y² | Y | N³ | N⁴ |
| **Sync profile attributes⁵** | | | | |
| Sync basic user profile attributes | N | Y⁶ | Y | Y |
| Sync limited number of extended attributes in addition to the basic attributes | N | N | Y | Y |
| Sync all extended attributes | N | N | N | Y |
| **Sync Active Directory groups and resources⁷** | | | | |
| Sync security groups | N | N | N | Y |
| Sync contacts | N | N | N | Y |
| Sync distribution lists | N | N | N | Y |
| Sync resource mailboxes | N | N | N | Y |

  • User Sync and Universal Sync can’t be used with Directory Synchronization, Azure Active Directory (AAD) Sync, or Azure Active Directory Connect.
  • Once you select User Sync or Universal Sync, you can’t change your selection back to Profile Sync, unless your org has the Microsoft Graph API feature enabled.
  • Exchange Hybrid isn’t currently supported.