How to map both UserPrincipalName and Email address from Okta to Druva
Note: Applicable if you are syncing Okta users with Microsoft 365 and are backing up Exchange Online and OneDrive with inSync Cloud.
Microsoft has the following requirements for backing up Exchange Online and OneDrive:
To back up OneDrive, the email ID that inSync sends must match the Microsoft 365 UPN.
To back up Exchange Online, the email ID must match the UPN, the SMTP address, or one of the aliases in Microsoft 365. However, to restore an Exchange Online mailbox from inSync to Microsoft 365, the email ID must match the SMTP address in Microsoft 365.
On the inSync Management Console, the email ID sent to Microsoft 365 during backup operations depends on the Access user account using setting. This setting is accessible from inSync Management Console -> Microsoft 365 -> Overview. Click the More icon at the top right corner and then click Settings.
If you select the inSync email ID value, inSync uses the email address available under inSync Management Console -> Users -> the user's account to access the Microsoft 365 data.
If you select the AD Attribute value, inSync looks up the attribute value stored in its database and sends that value to Microsoft 365.
The AD Attribute can only be updated in the inSync database by mapping the correct attribute and importing the user from an identity provider into inSync; in this case, that is the OKTA to Druva user import. inSync administrators cannot update it manually.
Hence, if the inSync email ID does not match the UPN in Microsoft 365, the OneDrive backup fails with the EUSERNOTFOUND error.
If the inSync email ID matches the UPN in Microsoft 365 but does not match the SMTP address in Microsoft 365, the Exchange Online restore activities fail.
inSync should therefore have the Microsoft 365 SMTP address in the inSync email ID field.
In addition, inSync should have the Microsoft 365 UPN address in the AD Attribute field in the back-end, which is to be mapped from Okta.
The Microsoft 365 setting in inSync for the Access User Account using field should be set to AD Attribute.
This can be achieved by mapping the login name to the AD attribute in inSync and the SMTP address to the inSync email ID from Okta to Druva, and then importing the users from OKTA.
If you have already imported users from Okta to Druva and their UPN was mapped to the inSync email address at the time of import, do not implement the steps below directly.
After the steps below are applied, the SMTP address that OKTA sends will not match the existing inSync email address, so OKTA will not update the existing users in inSync but will send them as new users. inSync will then treat each of them as a new user, which creates a duplicate account for every user in inSync.
In this case, first change the inSync email address of each user to match the corresponding SMTP address in OKTA. If the list of users is too large to update manually, contact Support for further assistance.
Only then implement the steps below, which let Okta update the UPN in the inSync database.
1. On the Okta Admin Console, click the Directory tab.
2. Click Profile Editor.
3. Click Profile in the Druva Provisioning App.
4. Click Add Attribute.
5. Add the userPrincipalName attribute as follows:
- Data type: String
- Display Name: UPN
- Variable Name: userPrincipalName
- External Name: userPrincipalName
- External namespace: urn:ietf:params:scim:schemas:core:2.0:User
You can leave the remaining values at their defaults or blank.
6. Save the attribute.
Note: Once you save it, it appears in the list of attributes. Click the pencil icon to verify the changes. You will notice that the variable name has changed automatically to druva_v2.userPrincipalName, which is expected behavior.
7. Click Mapping.
8. Click Okta User to Druva 2.0.
9. Click Override with mapping.
10. Select the following mappings.
Note: Leave the Display Name Mapping to default.
With these settings, Okta's user.login (UPN) is mapped to Druva's custom userPrincipalName attribute created previously, and Okta's user.email (SMTP address) is mapped to Druva's userName, which becomes the inSync email address.
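As an added example (not Druva's or Okta's code), the script below models the mapping just described and the requirements and duplicate-account warning earlier in this article as a pre-flight check: for each user it builds the SCIM User record that the mapping produces (user.email as userName, user.login as the custom userPrincipalName attribute) and reports whether OneDrive backup, Exchange Online restore, or the Okta re-import would run into the failures described above. The SCIM key names, the sample users and the corp.example domain are assumptions constructed for this example; nothing is read from Okta, Druva or Microsoft 365.

```python
from __future__ import annotations

# Added example, not Druva's or Okta's own code. It models the Okta -> Druva
# attribute mapping described in this article and pre-checks a user list for
# the failure modes the article predicts. All user records below are
# constructed sample data; nothing is read from Okta, Druva or Microsoft 365.

SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # External namespace from step 5


def build_scim_user(okta_user: dict) -> dict:
    """Shape of the SCIM User Okta sends under the mapping in this article:
    user.email -> userName (becomes the inSync email ID) and
    user.login  -> the custom userPrincipalName attribute (stored as the AD Attribute).
    The dict key names are an assumption about the wire format, based on the
    External Name and namespace configured in step 5."""
    return {
        "schemas": [SCIM_CORE_USER],
        "userName": okta_user["email"],
        "userPrincipalName": okta_user["login"],
        "active": True,
    }


def check_user(okta_user: dict, m365_user: dict, existing_insync_email: str | None = None) -> list[str]:
    """Return the problems the article predicts for one user (empty list = safe).

    okta_user: {"login": ..., "email": ...}
    m365_user: {"upn": ..., "smtp": ...}
    existing_insync_email: the user's current inSync email ID if already imported, else None
    """
    scim = build_scim_user(okta_user)
    problems: list[str] = []
    upn = m365_user["upn"].lower()
    smtp = m365_user["smtp"].lower()

    # OneDrive: with the setting at AD Attribute, the value sent is the UPN mapped
    # from Okta, and it must match the Microsoft 365 UPN.
    if scim["userPrincipalName"].lower() != upn:
        problems.append("OneDrive backup will fail (EUSERNOTFOUND): Okta login does not match Microsoft 365 UPN")

    # Exchange Online restore: the inSync email ID (userName) must equal the SMTP address.
    if scim["userName"].lower() != smtp:
        problems.append("Exchange Online restore will fail: Okta email does not match Microsoft 365 SMTP address")

    # Already-imported user whose inSync email differs from what Okta will now send:
    # Okta will not match the existing account and will create a duplicate.
    if existing_insync_email is not None and existing_insync_email.lower() != scim["userName"].lower():
        problems.append(
            f"duplicate account risk: inSync email ID {existing_insync_email} must be changed to "
            f"{scim['userName']} before the mapping is applied"
        )
    return problems


def run_preflight(records: list[dict]) -> dict[str, list[str]]:
    """Run check_user over a list of records; return {okta login: [problems]} for users with issues."""
    report: dict[str, list[str]] = {}
    for rec in records:
        problems = check_user(rec["okta"], rec["m365"], rec.get("insync_email"))
        if problems:
            report[rec["okta"]["login"]] = problems
    return report


# Constructed sample data (hypothetical domain corp.example).
SAMPLE_RECORDS = [
    {   # Clean: UPN equals SMTP, never imported before.
        "okta": {"login": "alice@corp.example", "email": "alice@corp.example"},
        "m365": {"upn": "alice@corp.example", "smtp": "alice@corp.example"},
    },
    {   # UPN differs from SMTP and the user was imported earlier with the UPN as inSync email.
        "okta": {"login": "bob@corp.example", "email": "bob.smith@corp.example"},
        "m365": {"upn": "bob@corp.example", "smtp": "bob.smith@corp.example"},
        "insync_email": "bob@corp.example",
    },
    {   # Okta login is not the Microsoft 365 UPN.
        "okta": {"login": "carol@corp.example", "email": "carol@corp.example"},
        "m365": {"upn": "carol@corp.onmicrosoft.example", "smtp": "carol@corp.example"},
    },
]

if __name__ == "__main__":
    for login, problems in run_preflight(SAMPLE_RECORDS).items():
        print(login)
        for p in problems:
            print("  -", p)
```

Run it against an export of your own Okta profiles and Microsoft 365 UPN/SMTP pairs before switching the inSync setting; the duplicate account check is the one to clear first, since the article's steps cannot be reverted once Okta has created the second account.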
Change inSync settings to access user account in Microsoft 365
To ensure both OneDrive and Exchange Online continue to get backed up successfully, implement the following changes:
1. On the inSync Management Console menu bar, click the icon to access the global navigation panel.
2. Click SaaS Apps.
3. Click Microsoft 365.
4. Click Overview.
5. Click the More icon next to the Reconfigure button.
6. Click Settings.
7. Click on Access user accounts using dropdown and change it to AD Attribute.
8. Click Save.