Set Manager in Office 365 using Okta Workflows


Currently the Okta Office 365 Integration is not able to set the Manager attribute directly in Office 365. There is a workaround, but that requires a local Active Directory that handles part of the synchronization and acts in between Okta and O365. In this article, we therefore describe how a direct sync can easily be set up using Okta Workflows instead.

Andreas is a cloud architect in Cloudworks and an Okta Technical Champion. He is helping customers on their digital Identity journey by designing and implementing complex IAM solutions. These have a high amount of automation to achieve high impact with minimal user friction.

This is a technical description in a series about Okta Workflows.

The Office 365 function

To set the Manager in Office 365, Microsoft provides a Graph API call that allows you to assign a manager to a user by referencing their respective IDs: https://docs.microsoft.com/en-us/graph/api/user-post-manager?view=graph-rest-1.0&tabs=http

[Image: Extract from Microsoft Docs, Assign Manager example]

With this information we already have everything we need to add this feature to Okta Workflows. The call requires a request to an API URL that contains the user's Office 365 {id}, with a JSON object in the body holding a URL that includes the manager's Office 365 {id}.

Depending on the use case, we might need to look up the user's and the manager's IDs. In our case the example worked when we simply used the manager's email address in the body. Finding the ID is just another call in Okta Workflows, however, so I have added it to the example for the user.

*This API call might not work if you are using 'User sync' or 'Universal sync', as the account is locked by the integration.

The workflow

We are using this as a child flow, so we can call it from any event we want. After gathering some information about the user in Okta, we stop the flow if the user has no “managerEmail” set, so the flow does not run unnecessarily.

[Image: Workflow Set Office 365 Manager part 1: Check if the manager is set and retrieve the user's ID from Office 365]

The last step of the preparations is to read the user in Office 365 to get the internal ID, which we then use in the next step when we build the API call.

[Image: Workflow Set Office 365 Manager part 2: Write the body and the URL for the API call and call the Graph API]

We can now build the main API call using the Office 365 Connector and the “Custom API Action”. (Read the article explaining why Custom API Actions are great.) The only thing it requires from us is the relative URL* and the body. We compose both from the attributes retrieved in the first section of the workflow: the user's Office 365 ID from the Office 365 “Read user” card for the URL, and the manager's email address for the body.

After the Custom API Action, we close the workflow with a “Return Error IF” (not shown in the screenshots) that returns an error if the call to set the manager was unsuccessful. This reports the error back to the calling flow, so it is visible there and makes troubleshooting easier. If we wish, we can add additional handling or notification when such errors occur.

*The relative URL is the part after “https://graph.microsoft.com/v1.0”.
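As an added example (not part of the original article or of Okta's connector), the following Python mirrors what the child flow does: it composes the relative URL and the JSON body for the Graph “assign manager” call from the user's Office 365 ID and the manager's email, skips when no managerEmail is set, and raises an error when Graph does not answer 204, just like the “Return Error IF” card. The `send` callable stands in for the Custom API Action and is an assumption so the code runs offline; the identifier check is added so that an unexpected value cannot alter the request path.

```python
import re
from typing import Callable, Optional

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Graph accepts either an object id (GUID) or a userPrincipalName in /users/{...}.
# Anything else is rejected before it is interpolated into the URL or body.
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
_UPN = re.compile(r"^[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_ref(value: str) -> bool:
    """True if the value looks like a GUID or a UPN/email address."""
    return bool(_GUID.match(value) or _UPN.match(value))


def build_set_manager_request(user_id: str, manager_ref: str) -> dict:
    """Return the pieces the Custom API Action needs: method, relative URL and body."""
    for value in (user_id, manager_ref):
        if not is_valid_ref(value):
            raise ValueError(f"refusing to build request for unexpected identifier: {value!r}")
    return {
        "method": "PUT",
        "relative_url": f"/users/{user_id}/manager/$ref",
        "body": {"@odata.id": f"{GRAPH_BASE}/users/{manager_ref}"},
    }


def set_manager(user_id: str, manager_email: Optional[str],
                send: Callable[[dict], int]) -> str:
    """Mirror the child flow: skip without managerEmail, otherwise send and report failure.

    `send` (assumed, hypothetical) performs the request and returns the HTTP status code.
    """
    if not manager_email:
        return "skipped: no managerEmail"
    request = build_set_manager_request(user_id, manager_email)
    status = send(request)
    if status != 204:  # Graph answers 204 No Content when the manager was assigned
        raise RuntimeError(f"set manager failed with HTTP {status} "
                           f"for PUT {request['relative_url']}")
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not real tenant data.
    demo = build_set_manager_request("11111111-2222-3333-4444-555555555555", "boss@example.com")
    print(demo["method"], demo["relative_url"], demo["body"])
```

A 403 here is also what you would expect to see when the account is locked by 'User sync' or 'Universal sync', and it surfaces in the calling flow through the raised error.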

Summary

It is easy to set the Manager attribute in Office 365 with Okta Workflows:

- Familiarize yourself with the Graph API call
- Get the Manager information in Okta
- Make the call to update Office 365

By setting up a simple workflow, we have added some functionality to the existing Office 365 integration, thus saving time and ensuring better data quality as the attribute is no longer set manually.