Unable to add O365 API access to Okta

AugmentUser 0 Reputation points
2025-10-20T21:46:57.0166667+00:00

Hello,
We have a Google federated account set up in our current Entra tenant and we are trying to get Okta SSO set up for testing.

It looks like currently our existing admin account is set up under a sub-tenant, and any new federated Google account that we create is going under that same sub-tenant despite the user page showing it as being in the correct place.

This results in an "Error AADSTS50020 - User account from identity provider does not exist in tenant" issue when trying to give Okta O365 API access.

We are trying to avoid having to set up another Developer account just for this and would prefer to test this way with just a select few users; however, we are unable to get around this issue currently.

Any advice is appreciated.


1 answer

  1. Jerald Felix 9,835 Reputation points
    2025-11-23T16:12:07.0966667+00:00

    Hello AugmentUser,

    Thanks for raising this question in the Q&A forum.

    I understand that you are encountering error AADSTS50020 when attempting to grant Okta API access to Office 365 because your administrative account is federated via Google.

    You do not need to set up a new Developer account or a separate tenant for this. This error occurs because the API consent process for Okta often requires a native Azure AD identity (.onmicrosoft.com) to correctly issue the tokens, rather than a federated identity (Google), which is technically treated as an external user in this context.

    Here is the workaround to resolve this immediately within your current environment:

    __Create a Cloud-Only Admin:__

    1. Log in to the Microsoft Entra admin center using your current Google-federated account.
    2. Go to __Users__ > __Create new user__.
    3. __Crucial Step:__ For the domain, ensure you select your default `yourtenant.onmicrosoft.com` domain (do not use your custom Google-federated domain).
    4. Name the user something like `temp-admin` or `breakglass-admin`.
    5. Assign the __Global Administrator__ role to this new user.

    __Authorize in Okta:__

    1. Open an __Incognito/Private__ browser window (to ensure no cached Google session interferes).
    2. Log in to your Okta Admin console.
    3. Go to the Office 365 App > __Provisioning__ > __Integration__.
    4. Click __Authenticate with Microsoft Office 365__.
    5. When prompted to sign in to Microsoft, use the __new cloud-only account__ you just created (`******@yourtenant.onmicrosoft.com`).

    This bypasses the federation handshake and allows the API token to be generated successfully against your existing tenant.

    If this helps, approve the answer.

    Best Regards,

    Jerald Felix

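The "Create a Cloud-Only Admin" steps above can be done from Microsoft Graph PowerShell so the domain choice is checked rather than picked by hand. This is an added example, not code from the thread; it assumes the Microsoft.Graph module is installed, the signed-in account may create users and assign roles, and `temp-admin` and the password value are placeholders.

```powershell
# Added example: provision the cloud-only admin from the answer with Microsoft Graph
# PowerShell, forcing the UPN onto the tenant's initial *.onmicrosoft.com domain
# (which is always Managed) instead of the Google-federated custom domain.
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Domain.Read.All"

# The initial domain is the yourtenant.onmicrosoft.com domain; confirm it is not federated.
$initial = Get-MgDomain | Where-Object { $_.IsInitial }
if ($initial.AuthenticationType -ne "Managed") {
    throw "Initial domain $($initial.Id) is not a managed domain; aborting."
}

# Show the federated domains so nobody picks one of them for this account by mistake.
Get-MgDomain | Where-Object { $_.AuthenticationType -eq "Federated" } |
    ForEach-Object { Write-Host "Federated domain (do not use for the temp admin): $($_.Id)" }

$upn = "temp-admin@$($initial.Id)"     # e.g. temp-admin@yourtenant.onmicrosoft.com
$passwordProfile = @{
    Password                      = "<placeholder-strong-password>"   # placeholder value
    ForceChangePasswordNextSignIn = $true
}
$user = New-MgUser -AccountEnabled:$true -DisplayName "temp-admin" `
    -MailNickname "temp-admin" -UserPrincipalName $upn -PasswordProfile $passwordProfile

# Global Administrator role definition id: the well-known, tenant-independent template id.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $globalAdminRoleId -DirectoryScopeId "/"

Write-Host "Created $upn with Global Administrator; use it in a private window for the Okta consent step."
```

Sign in with the new UPN from a private window when Okta prompts for Microsoft credentials, as the answer describes; the account never touches the federated domain, so AADSTS50020 does not apply to it.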
