How Authentication and Token Issuance Works with Orchestry, Microsoft Entra, and Federated Identity Providers

This article explains how federation fits into the authentication flow, how security controls are enforced, and how Orchestry maintains a consistent trust chain when accessing Microsoft services.

Orchestry relies on Microsoft Entra ID as the trusted security token service for authentication and authorization. While customers may use third‑party identity providers (IdPs such as Okta) for primary authentication, all tokens that grant access to Orchestry are issued by Microsoft Entra.

Orchestry Authentication and Token Issuance (Federated Environments)

  • Orchestry only trusts access tokens issued by Microsoft Entra ID for the Orchestry app registration in the customer tenant; the token's signature, issuer, tenant and audience are validated against Entra, never against the third-party IdP.
  • Third-party identity providers (such as Okta) do not issue tokens to Orchestry. A SAML assertion or OIDC token minted by the IdP is never presented to, or accepted by, Orchestry directly.

Federation Behavior

  • Federation changes where user authentication occurs, not who issues tokens.
  • In federated scenarios, Microsoft Entra redirects users to the IdP (e.g., Okta) for authentication.
  • Microsoft Entra remains the security token service and issues all tokens used to access Orchestry.

Security Enforcement

  • Conditional Access, MFA, and PIM are always evaluated by Microsoft Entra at token issuance time.
  • Microsoft Entra can honor MFA performed by the federated IdP when the IdP returns the expected claim (the http://schemas.microsoft.com/claims/multipleauthn authentication method reference) and the domain's federation settings (federatedIdpMfaBehavior) are configured to accept it; otherwise Entra prompts for its own MFA before issuing tokens.
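The trust boundary described above (only Entra-issued tokens for the Orchestry app registration are accepted, an IdP token is never accepted directly, and MFA is reflected in what Entra issues) can be checked on the relying-party side. The following is an added example written for this article, not Orchestry's own validation code. The app ID and tenant ID are hypothetical placeholders, the sample tokens are constructed inline with a placeholder signature so the script runs offline, and the require_mfa knob is an assumed policy switch: the authoritative MFA control is Entra's Conditional Access at issuance, and the amr check here only confirms what the issued token asserts. Signature verification against the tenant's JWKS is assumed to have been done by a JWT library before these claim checks run.

```python
import base64
import json
import time

# Hypothetical identifiers for illustration only (not Orchestry's real app ID
# or any real tenant).
ORCHESTRY_APP_ID = "11111111-2222-3333-4444-555555555555"
CUSTOMER_TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def trusted_issuers(tenant_id):
    # Entra issues v1.0 tokens under sts.windows.net and v2.0 tokens under
    # login.microsoftonline.com/{tid}/v2.0; both name the customer tenant.
    return {
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    # Splits a compact JWS and returns its payload. Signature verification
    # against the tenant's JWKS is assumed to have happened before this is
    # called; claim checks are the second gate, not a substitute for it.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_token(claims, *, app_id=ORCHESTRY_APP_ID,
                   tenant_id=CUSTOMER_TENANT_ID, require_mfa=False, now=None):
    """Return (accepted, reason) for a token presented to the Orchestry API."""
    now = time.time() if now is None else now
    if claims.get("iss") not in trusted_issuers(tenant_id):
        return False, f"issuer {claims.get('iss')!r} is not Entra for this tenant"
    if claims.get("tid") != tenant_id:
        return False, "tid does not match the customer tenant"
    aud = claims.get("aud")
    # v2.0 tokens carry the client ID as aud, v1.0 tokens the App ID URI.
    if aud not in (app_id, f"api://{app_id}"):
        return False, f"audience {aud!r} is not the Orchestry app registration"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if require_mfa and "mfa" not in claims.get("amr", []):
        return False, "amr does not assert MFA"
    return True, "accepted"


def make_sample_token(claims) -> str:
    # Constructed sample: header and payload with a placeholder signature
    # segment so the examples run offline. A real validator rejects a bad
    # signature before any of the claim checks above are reached.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


NOW = 1_700_000_000  # fixed clock for the constructed samples
GOOD_ENTRA = make_sample_token({           # Entra v2.0 token, MFA satisfied
    "iss": f"https://login.microsoftonline.com/{CUSTOMER_TENANT_ID}/v2.0",
    "tid": CUSTOMER_TENANT_ID, "aud": ORCHESTRY_APP_ID,
    "exp": NOW + 3600, "amr": ["pwd", "mfa"],
})
OKTA_DIRECT = make_sample_token({          # IdP token aimed at Orchestry
    "iss": "https://example.okta.com/oauth2/default",
    "aud": ORCHESTRY_APP_ID, "exp": NOW + 3600,
})
WRONG_AUDIENCE = make_sample_token({       # Entra token for some other app
    "iss": f"https://sts.windows.net/{CUSTOMER_TENANT_ID}/",
    "tid": CUSTOMER_TENANT_ID, "aud": "api://some-other-app",
    "exp": NOW + 3600, "amr": ["pwd"],
})
NO_MFA = make_sample_token({               # Entra v1.0 token, password only
    "iss": f"https://sts.windows.net/{CUSTOMER_TENANT_ID}/",
    "tid": CUSTOMER_TENANT_ID, "aud": f"api://{ORCHESTRY_APP_ID}",
    "exp": NOW + 3600, "amr": ["pwd"],
})

if __name__ == "__main__":
    for name, tok in [("entra", GOOD_ENTRA), ("okta", OKTA_DIRECT),
                      ("wrong-aud", WRONG_AUDIENCE), ("no-mfa", NO_MFA)]:
        print(name, evaluate_token(decode_claims(tok), require_mfa=True, now=NOW))
```

The Okta-issued sample fails on the issuer check even though its audience names the Orchestry app, which is the practical meaning of "federation changes where authentication happens, not who issues tokens". The password-only Entra token is accepted unless the caller insists on an MFA assertion, mirroring the fact that MFA is a policy decision Entra makes at issuance rather than something the relying party can retrofit.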

Availability and Emergency Access

  • If the federated IdP is unavailable, federated users cannot authenticate.
  • Cloud-only Microsoft Entra emergency access accounts (typically on the tenant's .onmicrosoft.com domain, which is never federated) authenticate directly against Entra and can still reach Orchestry with Microsoft-issued tokens.

Microsoft Graph Access

  • When Orchestry accesses Microsoft Graph on behalf of an admin, Microsoft Entra issues the Graph token as well; the federated IdP plays no part in that step, so the same trust chain is preserved end to end.