Mastering Microsoft Entra ID with Okta Anything-as-a-Source (XaaS)

Introduction

Okta's Anything-as-a-Source (hereafter referred to as XaaS) is a framework that allows any data source to be used as Okta's "trusted identity source." While identity sources were previously limited to Active Directory, CSV files, and some HR systems, XaaS makes it possible to integrate with any data source.

In this post, we set Microsoft Entra ID (formerly Azure AD) as the account source for Okta and verify how to implement user synchronization with Okta Workflows.

What is XaaS (Anything as a Source)?

XaaS is a strategic foundation for making use of all of your company's personnel data. The Identity Sources API, combined with Okta Workflows, enables integration from any data source into Okta.

Key Benefits

  • Works with proprietary systems that have no Okta connector
  • Fully automated identity management for employees joining, transferring within, and leaving the company
  • Significant reduction in development cost and time

Issues with conventional API implementation

Conventional API implementations scale poorly because each CRUD operation is implemented separately, which makes the logic complex and inefficient.

  • Complexity and inefficiency: separate CRUD operations lead to inefficient logic
  • Rate limiting: API limits are hit when syncing a large number of users (tens of thousands to hundreds of thousands)
  • Differential synchronization: incremental update logic is difficult to implement
  • Error handling: timeouts and network errors are hard to handle, and synchronization status is hard to track

Solving problems with XaaS

Significant reduction in API execution count

With conventional individual API calls, processing 10,000 users requires at least 10,000 API calls. With XaaS, the same processing completes in approximately 50 API calls (a 99.5% reduction).

Efficient batch processing

  • Approximately 200 users can be processed per request (200KB data limit)
  • A maximum of 10,000 users can be handled in one session
  • Avoid API rate limits with session-based batching

Identity Sources API Specification

A XaaS implementation uses the Identity Sources API and consists of the following three steps:

  • Step 1: Create a session
    POST /api/v1/identity-sources/{identitySourceId}/sessions
    Creates an import session. The session is valid for 24 hours, and the next session can be created every 5 minutes.
  • Step 2: Bulk-load users
    POST /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-upsert
    Loads user data in batches. Each request can be up to 200KB (approximately 200 users), with a maximum of 50 requests per session (10,000 users). CREATE or UPDATE is determined automatically, using the externalId as the key.
  • Step 3: Trigger the session
    POST /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/start-import
    Starts the import process. Okta then creates, updates, and disables users in the background.

Main parameters

  • externalId (required): Unique identifier in the source system. Key for CREATE/UPDATE decision.
  • profile: Okta user profile attribute (string type only)
  • state: User state (ACTIVE/DEACTIVATED)
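The limits above (200KB per request, 50 requests per session) decide how a user list has to be split before any call is made. The following is an added example, not code from this blog or from Okta: it plans the bulk-upsert bodies by serialized size and lists the calls for one session. The function names, the `entityType`/`profiles` request envelope, the Entra ID field names, and the choice of the Entra object `id` as externalId are assumptions to confirm against the API reference for your tenant.

```python
import json

MAX_BYTES = 200 * 1024   # per-request size limit stated on the page
MAX_REQUESTS = 50        # bulk-upsert requests per session, per the page

def envelope(entries):
    # Assumed request body shape; confirm against Okta's API reference.
    return {"entityType": "USERS", "profiles": entries}

def encoded(obj):
    return json.dumps(obj).encode("utf-8")

def to_entry(user):
    """Map one Entra ID user record to an entry keyed by externalId."""
    upn = user["userPrincipalName"]
    profile = {"userName": upn, "email": user.get("mail") or upn,
               "firstName": user.get("givenName") or "",
               "lastName": user.get("surname") or ""}
    # Assumption: the Entra object id is the stable key. Profile values
    # must be strings, so everything is coerced.
    return {"externalId": str(user["id"]),
            "profile": {k: str(v) for k, v in profile.items()}}

def plan_batches(users, max_bytes=MAX_BYTES):
    """Group entries into request bodies that each stay within max_bytes."""
    base = len(encoded(envelope([])))
    batches, current, size = [], [], base
    for entry in map(to_entry, users):
        cost = len(encoded(entry)) + 2          # +2 for the ", " separator
        if base + cost > max_bytes:
            raise ValueError(f"entry {entry['externalId']} exceeds the limit")
        if size + cost > max_bytes:
            batches.append(current)
            current, size = [], base
        current.append(entry)
        size += cost
    return batches + ([current] if current else [])

def plan_sessions(batches, max_requests=MAX_REQUESTS):
    """Split batches into sessions of at most max_requests requests each."""
    return [batches[i:i + max_requests]
            for i in range(0, len(batches), max_requests)]

def session_calls(source_id, session_id, session_batches):
    """(method, path, body) for steps 2 and 3 of one already-created session."""
    base = f"/api/v1/identity-sources/{source_id}/sessions/{session_id}"
    calls = [("POST", base + "/bulk-upsert", envelope(b)) for b in session_batches]
    return calls + [("POST", base + "/start-import", None)]

def sample_users(n):
    """Constructed sample records shaped like Entra ID user objects."""
    return [{"id": f"00000000-0000-0000-0000-{i:012d}", "givenName": "Test",
             "userPrincipalName": f"user{i}@example.com", "surname": f"User{i}"}
            for i in range(n)]
```

When the plan yields more than one session, each further session has to wait for the session-creation interval given in Step 1. The size check applies to the exact bytes `json.dumps` produces, so those are the bytes to send.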

Example of a configuration where Entra ID is the account source

We retrieve the users in the synchronization target group from Entra ID, create a session from Okta Workflows, and import the users into Okta in batches of 200.

Custom Identity Source Setup Procedure

  • Search for "Custom Identity Source" in the app integration catalog
  • Click "Add Integration"
  • Turn on "Enable API Integration" in the Provisioning tab
  • Select "To Okta" and specify the import behavior
  • Add required attributes in the Profile Editor
  • Register the app and set API permissions on the Entra ID side (details omitted here)

Workflows

Implement the following steps in Okta Workflows:

*Please feel free to contact us for details of the specific flow.

Summary

In this blog post, we introduced integration with Microsoft Entra ID using Okta XaaS (Anything-as-a-Source).

XaaS solves the challenges of traditional API implementations and enables efficient user synchronization. A 99.5% reduction in API calls, automatic CREATE/UPDATE determination based on externalId, and session-based batch processing make large-scale user management easy.

If you are interested in integrating with Entra ID or other data sources, please contact us.
