I tried using Okta Anything-as-a-Source (XaaS) and AWS Lambda to make Microsoft Entra ID the master database!
Introduction
This article is presented as a Macnica blog post, with technical cooperation, contributions, and commentary from NTT Docomo Business. For questions or to discuss implementation options, please contact Macnica first (we will provide support for implementation, design, and construction in cooperation with NTT Docomo Business).
Okta's Anything-as-a-Source (XaaS) is a framework that allows you to use any data source as a "trusted identity source" for Okta. Previously, identity sources were limited to Active Directory, CSV files, and some HR systems, but XaaS makes it possible to connect with any data source.
This time, we tested how to implement user synchronization using AWS Lambda by setting Microsoft Entra ID (formerly Azure AD) as the account source for Okta.
What is XaaS (Anything as a Source)?
XaaS is a strategic foundation for leveraging all of your company's talent data. The Identity Sources API, combined with Okta Workflows, enables integration from any data source into Okta.
Key Benefits
- Usable even with proprietary systems that have no Okta connector
- Fully automated ID management for joining, transferring, and leaving the company
- Significant reduction in development costs and time
Issues with conventional API implementation
Conventional implementations built directly on the user and group CRUD APIs scale poorly: every object is handled through separate create/read/update/delete calls, which makes the synchronization logic complex and inefficient.
- Complexity and inefficiency: Inefficient logic implementation due to separate CRUD operations
- Rate limiting: API rate limits become a problem when syncing a large number of users (tens of thousands to hundreds of thousands)
- Difficulty in differential synchronization: Difficulty in implementing incremental update logic
- Complex error handling: Difficult to handle timeouts, network errors, and track synchronization status
What is AWS Lambda?
AWS Lambda is an AWS service that allows you to execute program code without having to prepare or manage your own server environment. It runs on the highly available and fault-tolerant AWS platform. Because it operates in multiple Availability Zones within each region, it can provide reliable operational performance.
One of the key features of AWS Lambda is that program code is automatically executed in response to certain events. The code executed by AWS Lambda is called a "Lambda function." Supported development languages include Node.js, Java, C#, and Python.
Example AWS Lambda configuration using Entra ID as the account source
This time, we'll introduce a synchronization mechanism that utilizes AWS Lambda with Entra ID as the account source.
- EventBridge triggers a Lambda function (sync-data extraction) that retrieves user, group, and group-membership information.
- The extraction Lambda reads the groups, users, and memberships to be synchronized from the ID source (Entra ID), sends them as messages to SQS so that the downstream Lambda (Okta synchronization) can process them, and saves a snapshot to S3.
- The SQS messages trigger the second Lambda function (Okta synchronization), which uses Okta's Identity Source API to synchronize group, user, and membership information to Okta in sequence.
The endpoints used are as follows:
- Adding/updating groups: bulk-groups-upsert
- Adding/updating users: bulk-upsert
- Updating group memberships: bulk-group-memberships-upsert
For group deletions, user deletions, and status changes, the Okta API is used for synchronization.
Using Anything-as-a-Source (EA) for Groups and Group Memberships
The Anything-as-a-Source feature for groups and group memberships, which is used in the AWS Lambda-based synchronization mechanism introduced above, was released as an Early Access (EA) feature in September 2025. With this release, it is now possible to create and update groups driven by an external identity source through the Identity Source API and to control the synchronization of group memberships into Okta's Universal Directory. The following are findings from our verification.
[Regarding the processing order]
As with user synchronization via Anything-as-a-Source, an implementation of this feature must follow this execution order:
- Session creation (sessions)
- Submit changes (bulk-groups-upsert or bulk-group-memberships-upsert)
- Session confirmation (start-import)
*Note that bulk-group-memberships-upsert (upserting group memberships) requires the target group to already exist within the relevant Identity Source. Therefore, bulk-group-memberships-upsert must be executed only after bulk-groups-upsert has finished creating the group.
[About Import Sessions]
Similar to user synchronization using Anything-as-a-Source, the following limitations apply.
- Only one session can be run per Identity Source; parallel execution is not possible.
- Each request can be up to 200KB, and a maximum of 50 requests can be processed per session.
*The payload size limit (the total size of the JSON to be imported) is checked for the entire session at start-import. Therefore, the bulk-groups-upsert and bulk-group-memberships-upsert requests must be designed with the payload size in mind.
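As an added illustration, not code from the Macnica/NTT Docomo Business implementation, the following Python sketch of the Okta-synchronization Lambda's core applies the ordering rule and the session limits described above: all group upserts are planned before any membership upsert, every request body is kept within 200 KB, every session within 50 requests, and sessions are executed strictly one at a time. The `/api/v1/identity-sources/{id}/sessions` path prefix, the payload keys `profiles` and `memberships`, the `id` field of the session-create response, and the injected `send` HTTP client are assumptions.

```python
import json

MAX_REQUEST_BYTES = 200 * 1024     # per-request limit quoted in the post
MAX_REQUESTS_PER_SESSION = 50      # per-session limit quoted in the post


def chunk_by_size(items, key, max_bytes=MAX_REQUEST_BYTES):
    """Split items into batches whose JSON body {key: [...]} stays within max_bytes."""
    batches, current = [], []
    for item in items:
        if len(json.dumps({key: [item]}).encode()) > max_bytes:
            raise ValueError(f"a single {key} entry exceeds {max_bytes} bytes")
        if current and len(json.dumps({key: current + [item]}).encode()) > max_bytes:
            batches.append(current)
            current = []
        current.append(item)
    if current:
        batches.append(current)
    return batches


def plan_sessions(groups, memberships, max_requests=MAX_REQUESTS_PER_SESSION):
    """Return ordered sessions, each an ordered list of (endpoint, body) requests.
    Group sessions come before any membership session: a membership upsert needs its
    group to already exist in the Identity Source. Payload keys are assumed."""
    sessions = []
    for endpoint, key, items in (("bulk-groups-upsert", "profiles", groups),
                                 ("bulk-group-memberships-upsert", "memberships", memberships)):
        reqs = [(endpoint, {key: batch}) for batch in chunk_by_size(items, key)]
        sessions += [reqs[i:i + max_requests] for i in range(0, len(reqs), max_requests)]
    return sessions


def run_sessions(sessions, identity_source_id, send):
    """Run sessions strictly one at a time (parallel sessions are not allowed).
    `send(method, path, body)` is an injected HTTP client returning parsed JSON;
    the session-create response is assumed to carry the session id under "id"."""
    base = f"/api/v1/identity-sources/{identity_source_id}/sessions"
    started = []
    for reqs in sessions:
        session_id = send("POST", base, None)["id"]                  # 1. create session
        for endpoint, body in reqs:
            send("POST", f"{base}/{session_id}/{endpoint}", body)    # 2. submit changes
        send("POST", f"{base}/{session_id}/start-import", None)      # 3. confirm session
        started.append(session_id)
    return started
```

In a real Lambda, `send` would wrap an authenticated HTTPS client against the Okta org; the planning functions above can be unit-tested without one.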
[Regarding processing time]
Based on the AWS Lambda configuration described above, synchronization to Okta for an ID source holding 1000 IDs is estimated to complete in approximately 18 minutes.
*Processing time may vary depending on the execution environment.
Summary
In this blog post, we introduced user and group integration with Microsoft Entra ID using XaaS with Anything-as-a-Source for groups and group memberships, which is an EA feature, and AWS Lambda.
This feature offers the following value to organizations that want to consolidate authentication and app integration on Okta while continuing to use an existing identity management platform other than Okta, such as Microsoft Entra ID:
- Users, groups, and memberships from the existing ID management infrastructure are synchronized to Okta automatically.
- Okta can be implemented without disrupting existing Microsoft Entra ID-based operations.
In addition to the AWS Lambda implementation introduced here, no-code synchronization with Okta Workflows is another way to build user and group integration with XaaS. We recommend evaluating the different implementation methods and choosing the one that fits your requirements, skill set, and operational structure.
If you are interested in integrating with Entra ID or other data sources, please contact us.
This article is a joint production by Macnica Networks Corp. and NTT DOCOMO Business Corporation. Unauthorized reproduction is prohibited.