Single Sign-On Transition from Okta to Azure

In mid-August, we shared the interim security approach of enabling multi-factor authentication for our Okta single sign-on solution for web applications, while at the same time previewing that web application access would transition by December from Okta to Azure.

This Azure-based approach supports a more streamlined web access experience for our caregivers, better cybersecurity, and our embrace of a more integrated Microsoft Modern Workplace platform strategy.

With Azure single sign-on coming online, the Okta SSO platform (psjh.okta.com and stjoe.okta.com) is scheduled to be decommissioned on December 1, 2019. With this transition, single sign-on web-accessed tools, such as Office 365, HealthStream, IQN, HR Portal, SuccessFactors, etc., will be accessed via the new Microsoft Azure applications portal at myapps.microsoft.com.

As we transition to the new platform, your login information will not change. Please continue to log in with the UPN/email address you use to access Okta SSO applications today. If you set your multi-factor authentication factors in Okta, you will need to set them in Azure SSO, as they will be required for off-network access starting Oct. 15, 2019.

Timeline

October and November – Azure SSO transitions will occur throughout the months of October and November 2019. Applications will transition in weekly waves, with the details for each wave communicated separately.

Oct. 7, 2019 – Azure MFA (multi-factor authentication) will be available for voluntary enrollment starting on this date. (See the Azure MFA set-up section below.)

Oct. 15, 2019 – Application transitions are scheduled to begin on this date, when Azure MFA becomes mandatory.

Nov. 30, 2019 – Application transitions are scheduled to be completed.

Caregiver experience

Caregivers who log into applications that authenticate through Okta fall into two categories. In both cases, log into Azure using the same login username/password as Okta.

  • Direct access – Caregivers who access applications directly will receive the Azure login window.
  • Okta portal – Caregivers who access applications by using the Okta portal can continue logging into Okta (psjh.okta.com or stjoe.okta.com). Transitioned applications will continue to appear on the portal. Caregivers who launch these applications will receive the Azure login window.

The Azure SSO Portal is also available to access transitioned applications. Caregivers can go to myapps.microsoft.com and receive the same Azure login window.

To minimize impact, we recommend completing the following steps to set up Azure MFA between October 7 and October 15, when Azure MFA becomes mandatory for off-network access.

Azure MFA set-up

Beginning October 7, caregivers can go to https://aka.ms/mfasetup to set up Azure MFA.

On October 15, when accessing from off-network, caregivers will be required to set up their MFA before logging into Azure-transitioned applications or myapps.microsoft.com. You’ll be able to follow the easy instructions to complete set-up.

There are several MFA options to choose from:

  • Mobile App (preferred) pushes a notification to caregivers who have the Microsoft Authenticator application installed.
  • Authentication Phone can be set up to either send an SMS message to the mobile number entered or call it with voice instructions.
  • Office Phone calls the office phone number listed in Outlook with voice instructions.

Resources

See the full Azure SSO transition memo from TEO.

Join one of the weekly Friday OneTeam Live! sessions to ask your questions about Azure SSO and other Microsoft Modern Workplace solutions.