This week I have been supporting client that already has a Office365 Tenant with account synchronized using Okta Universal Sync. The client would like migrate the mailboxes and stablish an Exchange Hybrid. While the client requested that they wanted to avoid using AADConnect and would like to keep using Okta Universal Sync. There are some consideration we need to take into account.
- Microsoft does not support an Exchange Hybrid deployment that does not have AADConnect (DirSync legacy) to syncronize the AD objects.
- Okta does not recommend using the Okta Universal Sync if there is a hybrid Exchange.
- Okta can still be used as the authentication/federation platform.
From Okta Documentation (Okta Office 365 Deployment Guide)
“It is important to note that if another technology is performing the synchronization of accounts to Office 365, and Okta is handling the federation for authentication, you need to ensure the Okta account usernames match the Office 365 usernames. This can easily be configured in Okta using Universal Directory attribute expression, this is described later in this document. During migration to Office 365, some organizations find the need to instantiate an Exchange Hybrid configuration. in doing so, it is likely that you have one of Microsoft’s technologies performing part of the directory synchronization, DirSync, AADConnect or Forefront Identity Manager (FIM). Whilst in these Hybrid deployments, Okta cannot replace the need for these tools and instead can be
used directly alongside for single sign-on and role and license management.”