Successful Exchange Hybrid Migration – Okta Coexistence

By Chris King – Director of Migration Services


Thanks to unprecedented growth in the SaaS model, we receive frequent requests to deploy technologies that replace or supplement native Microsoft cloud services. Two of the most complex, yet popular of such technologies are Okta identity management services and Exchange Hybrid mail servers. Here I’d like to provide insight regarding the deployment of both offerings in a single environment, as there is currently little documentation available.

To understand the complexities of Exchange Hybrid and Okta coexistence, one must first understand a few basic concepts. I will cover only key points that would affect an Okta/Exchange Hybrid coexistence. Your focus should remain on how identity and authentication are handled between the various directories I describe.
The Microsoft cloud has had many names, but I find it best to think of the entire offering as Microsoft Azure. Similar to traditional Active Directory Domain Services (AD DS), Azure Active Directory (Azure AD) is a dynamic directory service which contains and handles identity management for all Azure services. When you sign up for any Azure service, you automatically get the free version of Azure AD. Microsoft 365 (previously Office 365) is a SaaS offering that falls under the Azure umbrella and thus leverages Azure AD to store objects and credentials. Identities can be created in Azure AD in a number of ways, including being synced from other directories.

An Exchange Hybrid deployment assumes that AD DS and Exchange Server are deployed on-premises while Exchange Online is hydrated in Office 365. As a documented prerequisite, Exchange Hybrid requires the syncing of AD DS mail-enabled objects (and their key attributes) to Azure AD. This configuration provides the backbone for the entire Hybrid Exchange feature set. Microsoft states that the sync must be performed via their free Azure AD Connect tool. Later I will explain why the strict use of Azure AD Connect is a support requirement rather than a technical requirement. Depending upon how AD Connect is configured, cloud object authentication requests can be handled by Azure AD or AD DS, but since Okta is in the picture the assumption will be that authentication will be redirected to Okta. On-premises objects can authenticate to Okta or AD DS.

Comparing Azure AD Connect sync to Okta User Provisioning in preparation for Exchange Hybrid

Okta offers a suite of cloud services based around the concept of federated identity. Okta is not associated with Microsoft but their increasingly popular solutions are designed to work with Microsoft and many other vendors. Such solutions include Single Sign-On (SSO), Multi-Factor Authentication (MFA), object provisioning, lifecycle management, and directory services. Universal Directory (UD) is Okta’s cloud-based directory service which stores users, groups, and credentials just like AD DS or Azure AD. Pairing Okta’s User Provisioning service with UD allows users and groups from UD to be synced to Azure AD or to the directories of other hosted apps, like Salesforce or Docusign. Some organizations sync AD DS users into UD and then sync those same users from UD into Azure AD. Users leveraging services associated with Okta generally authenticate to Okta as well.

Conflicts of Interest

With the above concepts in mind, there is one key question to keep in mind: are the appropriate attributes being written to the appropriate directories?

A specific list of AD DS attributes must be synced to Azure AD for basic Exchange Hybrid features to function. A short list of additional attributes must be written back to AD DS from Azure AD for a few advanced Exchange Hybrid features to function. How you handle the syncing is up to you (Azure AD Connect or Okta User Provisioning?). Here are some things to keep in mind:

• An Azure AD Connect and Okta comparison is not “apples to apples”; it’s more like “strawberry to bunch of delicious grapes”.

• Azure AD Connect is the ideal way to go since it’s designed to sync all the key attributes of Exchange Hybrid and is fully supported by Microsoft. Unfortunately, AD Connect does not offer license provisioning or any form of lifecycle management. It does one thing well: sync security principal objects.

• Okta User Provisioning offers both object and license provisioning and ties in well with lifecycle management and other Okta services. Unfortunately, Microsoft will not support this sync scenario and Okta has no out-of-box Exchange Hybrid setting. To get the correct attributes syncing, the UD sync rules must be customized appropriately. This is usually handled by costly Okta consulting services, as customizations are not covered by support contracts.

• Okta is known for using confusing terminology which does not conform to industry standard. Their documentation can also be hard to come by. In other words, if you’re looking to save a buck by attempting Okta customization yourself, it’s not for the faint of heart.

• Okta sync stability has been a concern with many of our customers, thus prompting a switch to AD Connect.

• AD Connect can be run concurrently with all Okta Okta services. That having been said, it is not ideal to have more than one service writing objects to the same directory unless objects are separated at an organizational or logical level.

Questions and Answers

– What if my organization already has Okta User Provisioning deployed?

Depending upon your budget and existing Okta services,, a switch to Azure AD Connect is most likely in your best interests.

What if my organization already has Exchange Hybrid deployed and now we want to deploy Okta?

You should have no issues deploying any Okta services as long as you continue to utilize Azure AD Connect rather than Okta User Provisioning.

– Will our Okta services like Single Sign-On and MFA work if I use AD Connect to provision users into Azure AD?

Yes, assuming Okta and Universal Directory are configured correctly.

– Will Enclyne assist with our deployment?

We would love to help! Our consultants are here to guide your organization through to a successful Exchange Hybrid/Okta coexistence. If Okta is already an essential part of your business, or perhaps you’re considering a new integration, we will help find the best solution for you. Exchange Hybrid is our bread and butter and we would love to add you to our list of satisfied Microsoft 365 customers.