Federate multiple Office 365 domains in a single app instance

You can automatically federate multiple Microsoft Office 365 domains within a single Office 365 app instance in Okta. This eliminates the need to configure a separate Office 365 app instance for each Office 365 domain.

This is useful in the following scenarios:

  • You have multiple Office 365 domains in a single Office 365 tenant and don’t want to create a separate app instance for each domain.
  • You have multiple Office 365 domains in a single Office 365 tenant and want to apply the same set of policies to all of them.

Before you begin

  • This feature isn't available for the manual WS-Federation method.
  • You need the following:

    • A valid Microsoft Office 365 tenant
    • Verified Microsoft Office 365 domains
    • An Office 365 app added to your Okta org using automatic WS-Federation

Start this procedure

This procedure includes the following tasks:

Configure domains

Validate federated domains

Configure domains

  1. In the Office 365 app instance, open Sign On > Settings in Edit mode.

  2. In Sign On Methods, select WS-Federation.
  3. Select Automatic for WS-Federation configuration.
  4. Click View Setup Instructions. The procedure for configuring Office 365 WS-Federation opens in a new window.
  5. Refer to the Prepare your domain for federated authentication section of the procedure to ensure you have correctly prepared your domains for federation.
  6. Back on the Sign On tab, enter Office 365 Admin Username and Office 365 Admin Password for your Microsoft Office 365 tenant.
  7. In Office 365 Domains, click Fetch and Select to add verified domains. Verified domains for the Office 365 tenant are displayed.
  8. Select domains that you want to federate.
  9. Back on the Sign On tab, click Save.

Validate federated domains

  1. Sign in to Okta as an end user who belongs to an Office 365 domain you federated.
  2. Access Office 365 through the End-User Dashboard.
  3. Ensure you can sign in successfully.
  4. Repeat these steps for test users from all federated Office 365 domains.

Alternatively, you can run the following PowerShell cmdlet (from the MSOnline module, after connecting to the tenant with Connect-MsolService) for each federated domain to verify that the domain has been successfully federated. For a federated domain it returns the federation settings (for example, IssuerUri and PassiveLogOnUri); for a domain that isn't federated it returns an error.

Get-MsolDomainFederationSettings -DomainName <domain name>

Cautions

  • Federating a domain with multiple subdomains in a single app causes sign-in errors

    Federating a domain with multiple subdomains in a single app causes the subdomain members to receive an error when they sign in. To avoid this, federate such domains manually using PowerShell. See Configure Single Sign on with WS-Federation - manual method.

  • Switching to manual WS-Federation or SWA will unfederate domains

    If you switch from automatic WS-Federation to manual WS-Federation or from WS-Federation to SWA, all the domains involved will be unfederated.

  • Don't delete Office 365 app instances

    If you have multiple Office 365 app instances with automatically federated domains and you're migrating to a single automatically federated Office 365 app instance, disable the old instances. Do not delete them.

  • When unfederating, wait until all domains are unfederated

    If you change the federation method from automatic to manual for already-federated domains, Okta recommends that you wait until all automatically federated domains are unfederated. If you try to manually federate a domain before Okta completes its unfederation process, Okta may try to remove the manually federated domain since it was previously an automatically federated domain.

    Use the following cmdlet to ensure that the automatically federated domain is unfederated:

    Get-MsolDomainFederationSettings -DomainName <domain name>

    You should expect some downtime while the domain is being unfederated.

  • Configure domains during off-hours to avoid assigning duplicate apps

    When you configure an Office 365 domain that's already configured in a separate Office 365 app instance, end users may be assigned a duplicate set of Office 365 apps. Perform this action during off-hours so that you have enough time to remove the domain from the original app instance.
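The following script is an added example, not part of the Okta page or Okta's own tooling. It covers both checks described above: verifying that each federated domain reports federation settings (the Validate federated domains task) and, with the -WaitUntilManaged switch, polling until every domain has been unfederated before you start manual federation (the "wait until all domains are unfederated" caution). It uses the MSOnline module cmdlets Connect-MsolService, Get-MsolDomain and Get-MsolDomainFederationSettings; the domain names, the Get-DomainFederationState helper and the polling interval are placeholders for illustration.

```powershell
# Added example (not from the Okta page): report the federation state of each
# Office 365 domain in $Domains, optionally waiting until all are Managed.
# Requires the MSOnline module (Install-Module MSOnline) and an admin account
# that can read domain settings in the tenant. Domain names are placeholders.
param(
    [string[]]$Domains = @('example.com', 'corp.example.com'),  # placeholders
    [switch]$WaitUntilManaged,   # poll until every domain reports Managed
    [int]$PollSeconds = 60,      # assumed polling interval
    [int]$TimeoutMinutes = 60    # give up after this long
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # prompts for the Office 365 admin credentials

# Hypothetical helper: one row per domain with its authentication mode and,
# for federated domains, the issuer and passive sign-in endpoint.
function Get-DomainFederationState {
    param([Parameter(Mandatory)][string]$DomainName)

    # Get-MsolDomain reports 'Managed' or 'Federated' in Authentication.
    $domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
    $state = [ordered]@{
        Domain          = $DomainName
        Authentication  = $domain.Authentication
        Status          = $domain.Status          # expect 'Verified'
        IssuerUri       = $null
        PassiveLogOnUri = $null
    }
    if ($domain.Authentication -eq 'Federated') {
        # The cmdlet the page recommends; errors for a non-federated domain.
        $fed = Get-MsolDomainFederationSettings -DomainName $DomainName -ErrorAction Stop
        $state.IssuerUri       = $fed.IssuerUri
        $state.PassiveLogOnUri = $fed.PassiveLogOnUri
    }
    [pscustomobject]$state
}

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $results = foreach ($d in $Domains) {
        try { Get-DomainFederationState -DomainName $d }
        catch {
            # Keep going so one bad domain does not hide the others.
            [pscustomobject]@{
                Domain = $d; Authentication = "ERROR: $($_.Exception.Message)"
                Status = $null; IssuerUri = $null; PassiveLogOnUri = $null
            }
        }
    }
    $results | Format-Table -AutoSize

    if (-not $WaitUntilManaged) { break }

    # Unfederation is complete only when no domain still reports Federated.
    $pending = @($results | Where-Object { $_.Authentication -ne 'Managed' })
    if ($pending.Count -eq 0) {
        Write-Host 'All domains are Managed; safe to start manual federation.'
        break
    }
    if ((Get-Date) -gt $deadline) {
        Write-Warning "Timed out; still not Managed: $($pending.Domain -join ', ')"
        break
    }
    Write-Host "Waiting for $($pending.Count) domain(s) to unfederate..."
    Start-Sleep -Seconds $PollSeconds
} while ($true)
```

Run it once after federation to confirm every domain shows Authentication = Federated with an IssuerUri and PassiveLogOnUri populated, and run it with -WaitUntilManaged after switching away from automatic WS-Federation so that you only begin manual federation once Okta has finished unfederating. Microsoft has deprecated the MSOnline module in favor of Microsoft Graph PowerShell; on a tenant where it is no longer available, the equivalent state check is the AuthenticationType property returned by Get-MgDomain.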

Related topics