What is External Authentication Method (EAM)?
An external authentication method (EAM) lets users choose an external provider to meet multifactor authentication (MFA) requirements when they sign in to Microsoft Entra ID. An EAM can satisfy MFA requirements from Conditional Access policies, Microsoft Entra ID Protection risk-based Conditional Access policies, Privileged Identity Management (PIM) activation, and when the application itself requires MFA. – https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage

Why does this matter?
Many organisations have Entra ID-managed users but use Okta as their primary identity provider (IdP). Rather than having to manage and use disparate authenticators (e.g. Windows Hello, Okta Verify), EAM allows Entra ID to use Okta as an MFA provider.
This streamlines MFA migration from Microsoft Entra ID to Okta: end users can use Okta for MFA even if their Office 365/Entra ID tenant is not federated to Okta.
This also addresses the question in this support article – https://support.okta.com/help/s/question/0D54z0000AFr85vCQB/okta-as-eam-external-access-method-to-meet-the-mfa-requirement-of-microsoft-entra-id?language=en_US
In this blog post, I’ll show you how to configure Okta as the EAM for Entra ID.
Configuration Steps
This requires you to enable an Early Access feature in Okta. Okta's help documentation can be found here – https://help.okta.com/oie/en-us/content/topics/apps/configure-okta-as-microsoft-entra-id-eam.htm
Pre-requisites:
You would need the following environment:
- Okta tenant that has MFA features/SKU enabled
- Entra ID tenant which has P1/P2 subscription enabled
- A user that exists in Okta & Entra ID
Early Access Feature required for this article

Steps to configure
Step 1: Onboard the Microsoft External Authentication Method application from the Okta Integration Network.


Step 2: Provide your Microsoft Entra Tenant ID and Application ID. Both come from an App registration created in your Entra ID admin portal. For this example, I'm using a standard Entra ID tenant, hence we'll use Global Azure; the configuration also supports other Entra tenant types. Once you're done supplying the required information, click Save.


Within Entra ID/Azure Admin portal:

When creating the App registration, choose the Web platform and set the Redirect URI to https://<okta domain>.okta.com/oauth2/v1/authorize (or https://<okta domain>.oktapreview.com/oauth2/v1/authorize for a preview org).

Step 3: Assign the user within the Microsoft External Authentication application. For this example, I’m manually assigning the user.

When assigning a user, Okta asks you to supply a Microsoft User ID.

To map the User ID, Okta's help documentation recommends using the Okta APIs or Okta Workflows to pull that value from your Entra ID tenant.

For this example, I'll manually fetch the value from the Entra ID user page for the test user, copy it, and paste it into Okta. Navigate to the user's details page in Entra ID; the Object ID shown there is the Microsoft User ID.
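The manual copy-and-paste above does not scale past a handful of test users, and the Okta guidance is to pull the Object ID by API. The following Python is an added example, not code from the original post, Okta or Microsoft: it resolves a user's Object ID through Microsoft Graph, refuses anything that is not a canonical GUID, looks up the matching Okta user, and assigns that user to the EAM app with the value set on the app-user profile. The HTTP calls are injected as callables so the flow can be traced offline; the profile attribute name `microsoftUserId`, the app ID `0oaEXAMPLEAPPID`, the assumption that the Okta login equals the Entra UPN, and all sample IDs are assumptions or constructed values.

```python
"""Map an Entra ID Object ID onto the Okta EAM app assignment.

Example code (not Okta's or Microsoft's). In real use wire http_get/http_post to
requests.get(url, headers=h).json() and requests.post(url, headers=h, json=b).json().
"""
import uuid
from typing import Any, Callable, Dict

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# ASSUMPTION: the app-user profile attribute behind the "Microsoft User ID"
# field in the Okta admin UI. Check the EAM app's profile editor in your org
# and adjust this if the attribute is named differently.
MS_USER_ID_ATTR = "microsoftUserId"

# Injected HTTP primitives: (url, headers) -> JSON, (url, headers, body) -> JSON
HttpGet = Callable[[str, Dict[str, str]], Dict[str, Any]]
HttpPost = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def is_object_id(value: Any) -> bool:
    """Entra Object IDs are canonical lowercase GUIDs; refuse anything else."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def entra_object_id(upn: str, graph_token: str, http_get: HttpGet) -> str:
    """GET /users/{upn}?$select=id -- `id` is the Object ID shown on the user page."""
    body = http_get(f"{GRAPH_BASE}/users/{upn}?$select=id",
                    {"Authorization": f"Bearer {graph_token}"})
    oid = body.get("id")
    if not is_object_id(oid):
        raise ValueError(f"no valid Object ID returned for {upn}: {oid!r}")
    return oid


def okta_user_id(login: str, okta_org: str, okta_token: str, http_get: HttpGet) -> str:
    """GET /api/v1/users/{login} accepts the login (email) and returns the Okta user."""
    body = http_get(f"https://{okta_org}/api/v1/users/{login}",
                    {"Authorization": f"SSWS {okta_token}"})
    return body["id"]


def assign_eam_user(okta_org: str, okta_token: str, app_id: str, user_id: str,
                    object_id: str, http_post: HttpPost) -> Dict[str, Any]:
    """POST /api/v1/apps/{appId}/users assigns the user and sets the app profile."""
    if not is_object_id(object_id):
        raise ValueError(f"refusing to assign non-GUID Microsoft User ID {object_id!r}")
    payload = {"id": user_id, "scope": "USER", "profile": {MS_USER_ID_ATTR: object_id}}
    return http_post(f"https://{okta_org}/api/v1/apps/{app_id}/users",
                     {"Authorization": f"SSWS {okta_token}",
                      "Content-Type": "application/json"}, payload)


def map_user(upn: str, okta_org: str, app_id: str, graph_token: str, okta_token: str,
             http_get: HttpGet, http_post: HttpPost) -> Dict[str, Any]:
    """End to end: Graph lookup -> Okta user lookup (ASSUMPTION: login == UPN) -> assignment."""
    oid = entra_object_id(upn, graph_token, http_get)
    uid = okta_user_id(upn, okta_org, okta_token, http_get)
    return assign_eam_user(okta_org, okta_token, app_id, uid, oid, http_post)


if __name__ == "__main__":
    # Constructed offline stand-ins for Graph and Okta so the flow can be traced.
    SAMPLE_OID = "9d0c1a1e-3f3d-4b5e-9e0e-1a2b3c4d5e6f"   # constructed GUID
    SAMPLE_UID = "00u1abcdefghijklm0x7"                   # constructed Okta user id

    def fake_get(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
        if url.startswith(GRAPH_BASE):
            return {"id": SAMPLE_OID}
        return {"id": SAMPLE_UID, "profile": {"login": "alice@example.com"}}

    def fake_post(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        return {"id": body["id"], "scope": body["scope"], "profile": body["profile"]}

    print(map_user("alice@example.com", "acme.okta.com", "0oaEXAMPLEAPPID",
                   "graph-token", "okta-token", fake_get, fake_post))
```

The GUID check matters because the assignment API will happily store whatever string you hand it, and a mis-pasted value only surfaces later as a failed EAM sign-in with little to explain why.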

Click Save and Go Back.

Step 4: Within Entra ID, configure Okta as an EAM.
Navigate to Security > Authentication methods > Policies

Click + Add External Method (Preview)
Configure the necessary endpoints:
Client ID is the Application ID of the Microsoft External Authentication Method app in Okta.
Discovery Endpoint is https://<org-name>.okta.com/.well-known/openid-configuration?client_id=<client id>.
App ID is the Application (client) ID of the App registration you created in Entra ID earlier.
You must also grant Entra ID admin consent as part of the onboarding process.
For this example, I’ll only apply the EAM to a set of users within Entra ID, and this is done through Entra ID groups.
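Before pasting the Discovery Endpoint into the Entra form it is worth fetching it once and checking what comes back, since a wrong org name or a preview/production mix-up fails silently until the first sign-in. The Python below is an added example, not the post's, Okta's or Microsoft's code: it builds the discovery URL in the form the post gives and runs generic OIDC hygiene checks over the returned document. Which discovery keys Entra actually consumes is an assumption (issuer, authorization endpoint, JWKS, RS256-signed id_tokens); the org name `acme` and both sample documents are constructed.

```python
"""Check an Okta org's OIDC discovery document before registering it as an
Entra ID External Authentication Method. Example code, not Okta's or Microsoft's."""
import json
from typing import Any, Dict, List
from urllib.parse import urlencode, urlparse


def discovery_url(org_name: str, client_id: str, domain: str = "okta.com") -> str:
    """Build the Discovery Endpoint value exactly as it is entered in the Entra EAM form."""
    return (f"https://{org_name}.{domain}/.well-known/openid-configuration?"
            + urlencode({"client_id": client_id}))


def check_discovery(doc: Dict[str, Any], org_name: str, domain: str = "okta.com") -> List[str]:
    """Return a list of problems; an empty list means the document looks sane.

    Generic OIDC hygiene: the issuer must be the org URL, the endpoints Entra
    will follow must be HTTPS on that same host, and the org must advertise
    RS256-signed id_tokens (ASSUMPTION about what the EAM flow relies on).
    """
    problems: List[str] = []
    org_host = f"{org_name}.{domain}"
    expected_issuer = f"https://{org_host}"
    issuer = doc.get("issuer")
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match {expected_issuer!r}")
    for key in ("authorization_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            problems.append(f"{key} missing")
            continue
        parts = urlparse(url)
        if parts.scheme != "https":
            problems.append(f"{key} is not HTTPS: {url}")
        if parts.netloc != org_host:
            problems.append(f"{key} points off-org: {parts.netloc}")
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported lacks id_token")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("id_token_signing_alg_values_supported lacks RS256")
    return problems


# Constructed sample with the shape of an org authorization server discovery doc.
GOOD_DOC = json.loads("""{
  "issuer": "https://acme.okta.com",
  "authorization_endpoint": "https://acme.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://acme.okta.com/oauth2/v1/token",
  "jwks_uri": "https://acme.okta.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

# Constructed bad sample: the issuer/endpoint mismatch a preview-vs-production typo produces.
BAD_DOC = {
    "issuer": "https://acme.oktapreview.com",
    "authorization_endpoint": "http://acme.okta.com/oauth2/v1/authorize",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(discovery_url("acme", "0oaEXAMPLE"))
    print("good:", check_discovery(GOOD_DOC, "acme"))
    for problem in check_discovery(BAD_DOC, "acme"):
        print("bad:", problem)
```

Against a live org, replace the constructed documents with `requests.get(discovery_url(org, client_id)).json()` and only proceed to the Entra form when `check_discovery` returns an empty list.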



Step 5: To fully test this feature/policy, we will create a Conditional Access policy in Entra ID that requires MFA, so that the EAM is enforced.


Step 6: Time to test it out.
Access any application that is federated with Entra ID and choose the test user configured to use the EAM.

Log in with your password.

Rather than using Microsoft Authenticator for MFA, click I can't use my Microsoft Authenticator app right now.

Select Approve with Okta EAM.


This redirects you to your Okta org; for this example, I'll use Okta Verify Push.


Once I'm done verifying my MFA via Okta, I'm redirected back to Entra ID.

You’re now logged in.

You’re finished!
