Validate password always against Azure AD through API

I know there is a password migration feature available in Okta to migrate the password using an API call.
This will make use of an external API which is called only for the first time and migrate the password from external provider to Okta password store.

What I need is I need to validate the password always through this API call and I don’t want to make the password as migrated in Okta.

Is there any way to achieve this?



It sounds like you are referring to password inline hook? If so once your hook service validates a user has entered a password correctly then that user migrates to a Okta user and will never be checked against the hook service again.

It sounds like instead of using a password inline hook you should just setup Azure AD as an external IdP in your Okta Org and these users can be Azure AD sourced.

Hi @erik,

Yes we are referring to password inline hook and it works the way you explained. We have already set up the Azure AD as external IDP. But client wants to do the way in which I have explained and they don’t want to redirect the user to azure login page and don’t want to migrate the password to Okta(There are some apps works directly with Azure AD login). Is there any way we can achieve this use case with Okta?

I know this is less secure and is not the standard solution, could you please provide some documentation outlining the IDP flow is the best solution?

With the token inline unfortunately there is no feature to override this behavior that I know of.
In order to successfully log a user into Okta the hook needs to return a success, at that time the user migrates to a Okta sourced user with a hashed password.

Currently there is no integration between Okta and external IdPs without doing a redirect.
Below is a link to the Azure Social IdP integration,

1 Like

Hi @erik Thanks for the confirmation.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.