Add Okta as external IdP for Entra External ID and create a just-in-time profile in Entra

vinoth B
2026-07-01T01:51:10.86+00:00

Context: We are trying to set up Okta as an external IdP for Entra External ID and create a just-in-time profile in Entra after authentication. Would like to know if that is feasible; the auth flow is below. Appreciate your guidance.

Auth Flow:

Step 1: User Initiates Login at Your App

A customer accesses the app and clicks "Sign In" or opens the sign-in URL directly.

The app sends an authentication request to your Microsoft Entra External ID tenant with a domain hint.

Step 2: Redirection from Entra to Okta

Entra ID recognizes Okta as a trusted federated IdP.

Entra intercepts the request and securely redirects the user's browser to the Okta authorization endpoint.

Step 3: Okta Authenticates the Customer

The user lands on your Okta login page.

The user enters their username and password. Okta evaluates its policies and triggers Multi-Factor Authentication (MFA).

Once authenticated, Okta generates a temporary, short-lived Authorization Code.

Okta redirects the user's browser back to the Microsoft Entra redirect URI. The browser carries that temporary authorization code in the URL back to Entra.

Step 4: Entra Validates the Token Exchange

Entra ID receives the authorization code from the browser and performs the validation and keeps the login secure.

Step 5: Profile Creation and Session Issuance

Just-In-Time (JIT) Provisioning: Entra verifies Okta's digital signature on the ID token. It looks at the unique sub identifier claim.

If it's a first-time user: Entra extracts the mapped profile attributes (email, name) and instantly creates a new user record in the Entra directory.

If the user already exists: Entra locates the existing local profile matching that Okta identifier.

Microsoft Entra marks the user session as successfully authenticated.

Finally, Entra issues its own local OIDC token and redirects the customer back to the application. The application reads the Entra claims, and the user is successfully logged in.

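The flow in the question, as an added worked example (editor's code, not from the post, Microsoft or Okta). The first function builds the Microsoft Graph request body that registers Okta as an OIDC identity provider in an External ID tenant; the property names follow the Graph oidcIdentityProvider resource as I read it and should be confirmed against the current Graph reference. The rest simulates steps 4 and 5 offline: the checks Entra applies to the ID token after the code exchange (signature verification against Okta's JWKS is left out because the standard library has no RS256), the inbound claim mapping, and the just-in-time lookup-or-create keyed on (issuer, sub) rather than on email. The Okta domain, client ID, secret, the in-memory directory and the two ID-token payloads are all constructed for the example.

```python
"""Okta as an OIDC identity provider for an Entra External ID tenant, plus a
simulation of steps 4 and 5: token checks, claim mapping and the just-in-time
profile lookup/creation keyed on the Okta 'sub' claim."""
import time

# Constructed sample values (assumptions); replace with your tenant's own.
OKTA_DOMAIN = "dev-123456.okta.com"          # Okta org authorization server
OKTA_CLIENT_ID = "0oa_example_client_id"
OKTA_CLIENT_SECRET = "example-secret-store-it-in-key-vault"

def build_okta_oidc_idp(okta_domain, client_id, client_secret):
    """Body for POST https://graph.microsoft.com/v1.0/identity/identityProviders.
    Property names follow the Graph oidcIdentityProvider resource as I read it
    (assumption); confirm against the current Graph reference before use."""
    return {
        "@odata.type": "#microsoft.graph.oidcIdentityProvider",
        "displayName": "Okta",
        "clientId": client_id,
        "clientAuthentication": {
            "@odata.type": "#microsoft.graph.oidcClientSecretAuthentication",
            "clientSecret": client_secret,
        },
        "issuer": f"https://{okta_domain}",
        "wellKnownEndpoint": f"https://{okta_domain}/.well-known/openid-configuration",
        "responseType": "code",
        "scope": "openid profile email",
        # Entra attribute -> Okta ID-token claim; 'sub' is the stable user key.
        "inboundClaimMapping": {"sub": "sub", "name": "name",
                                "email": "email", "email_verified": "email_verified"},
    }

class TokenRejected(Exception):
    pass

def validate_id_token(claims, expected_issuer, expected_client_id, expected_nonce, now=None):
    """Step 4 checks on the decoded ID token. Signature verification against Okta's
    JWKS is omitted (stdlib has no RS256); Entra performs it in the real flow."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise TokenRejected(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if expected_client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("token was not issued for our client_id")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("token expired")
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise TokenRejected("missing sub")
    return claims

class Directory:
    """In-memory stand-in for the tenant user store. Federated users are keyed the
    way Graph exposes them: identities[{signInType, issuer, issuerAssignedId}]."""

    def __init__(self):
        self.users = {}          # object id -> user record
        self._by_identity = {}   # (issuer, issuerAssignedId) -> object id

    def find_or_create(self, issuer, attrs):
        """Step 5: locate by (issuer, sub) or create. Never match on email: it is
        mutable and, unless verified, attacker-chosen at the IdP."""
        key = (issuer, attrs["sub"])
        if key in self._by_identity:
            user = self.users[self._by_identity[key]]
            user["displayName"] = attrs.get("name") or user["displayName"]
            return user, False
        oid = f"user-{len(self.users) + 1:04d}"
        user = {
            "id": oid,
            "displayName": attrs.get("name"),
            # Example policy: keep the email only when Okta asserts it is verified.
            "mail": attrs.get("email") if attrs.get("email_verified") else None,
            "identities": [{"signInType": "federated", "issuer": issuer,
                            "issuerAssignedId": attrs["sub"]}],
        }
        self.users[oid] = user
        self._by_identity[key] = oid
        return user, True

def complete_sign_in(directory, idp, claims, expected_nonce, now=None):
    """Steps 4 and 5 together; returns (user, created)."""
    validate_id_token(claims, idp["issuer"], idp["clientId"], expected_nonce, now)
    # Apply inboundClaimMapping: Entra attribute <- value of the named Okta claim.
    attrs = {attr: claims.get(okta) for attr, okta in idp["inboundClaimMapping"].items()}
    return directory.find_or_create(idp["issuer"], attrs)

# Constructed ID-token payloads as Okta would return them after the code exchange.
FIRST_LOGIN = {"iss": f"https://{OKTA_DOMAIN}", "aud": OKTA_CLIENT_ID, "sub": "00u1abcDEF",
               "exp": 4102444800, "nonce": "n-1", "name": "Ada Lovelace",
               "email": "ada@example.com", "email_verified": True}
SECOND_LOGIN = {**FIRST_LOGIN, "nonce": "n-2", "email": "ada.l@example.com"}  # same sub, new email

if __name__ == "__main__":
    idp = build_okta_oidc_idp(OKTA_DOMAIN, OKTA_CLIENT_ID, OKTA_CLIENT_SECRET)
    d = Directory()
    print(complete_sign_in(d, idp, FIRST_LOGIN, "n-1")[1],   # True: profile created
          complete_sign_in(d, idp, SECOND_LOGIN, "n-2")[1])  # False: same sub found
```

The second login changes the email but keeps the same sub, so it resolves to the existing profile instead of creating a duplicate; matching on email instead would let an IdP-side address change (or an unverified, attacker-chosen address) collide with another customer's record. The wrong-audience, expired-token and nonce-mismatch cases all raise before any directory write.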