Configure WS-Federation for Office 365
There are two sign-on methods available in Okta for Microsoft Office 365: Secure Web Authentication (SWA) and WS-Federation (WS-Fed). WS-Federation is the more secure and preferred method.
- SWA relies on a username and password stored in Okta as the security credentials. These can be chosen by the end user or assigned by the administrator.
- WS-Federation is a specification that defines how identity information is transferred between parties as signed security tokens (carried in SOAP messages or, for browser sign-in, posted through the user's browser). Office 365 trusts the token that Okta issues, so no separate Office 365 password exists and Okta doesn't need to sync user passwords to Microsoft.
With automatic federation, Okta removes the domain federation in the following cases:
- If you switch from WS-Federation to SWA
- If you delete the app instance
With manual federation, deleting the app instance doesn't de-federate the domain: Microsoft continues to send sign-ins for that domain to the removed Okta app, and you must de-federate the domain yourself with PowerShell. For this reason, Okta doesn't recommend deleting the app.
Automatically set up WS-Federation
First-time setup
If you're configuring WS-Federation for the first time, follow these steps to authenticate and select domains.
- In the Admin Console, go to .
- Locate and select the Microsoft Office 365 app.
- In the General Settings tab, complete the required fields and click Next to go to the Sign-On Options tab.
- In the Sign on methods section, select .
- Optional. Click View Setup Instructions. The procedure to configure Office 365 WS-Federation opens in a new window.
- Optional. Refer to the Prepare your domain for federated authentication section of the procedure to ensure that you have correctly prepared your domains for federation.
- Back on the Sign-On Options tab, click Start federation setup. You're redirected to the Microsoft account sign-in page.
- Sign in to Microsoft as a global administrator for your Microsoft tenant.
- Read and accept the requested permissions.
- Click Federate domains.
- In the dialog that appears, select the domains that you want to federate from the dropdown list.
- Click .
- Click Done.
Edit an existing configuration
If you've previously configured WS-Federation, follow these steps to make changes.
- Go to . Ensure that is selected in the Sign on methods section.
- To view federated parent and child domains in read-only mode, click View selected domains.
- To add or remove domains, click Manage verified domains.
- To re-authenticate with a different Microsoft Office 365 account, click Re-authenticate with Microsoft Account.
- Click Save.
Manually set up WS-Federation
- Go to .
- In Sign on methods, select . Click Continue with Manual to confirm your selection.
If you switch from automatic to manual configuration, Okta removes all currently federated domains for this Office 365 instance. You must use PowerShell to manually re-federate your domains to restore SSO access. Manual configuration supports only one federated domain per Office 365 instance.
- Click View Setup Instructions for the PowerShell command that's customized for your domain.
- Copy this command to use in PowerShell.
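The page leaves the customized command to the Okta setup page, and the earlier note about manual federation says only that de-federation must be done in PowerShell. The script below is an added example, not Okta's generated command or Microsoft's documentation, showing the checks a practitioner would wrap around both steps with the Microsoft Graph PowerShell SDK: confirm the domain is verified and not already federated, federate it, verify the resulting configuration, and de-federate it again. The domain name, Okta URLs, issuer URI, certificate file name and MFA behavior are placeholders to be replaced with the values from View Setup Instructions.

```powershell
# Added example (not from the Okta page): inspect, federate and de-federate a
# Microsoft 365 domain with the Microsoft Graph PowerShell SDK.
# One-time install:  Install-Module Microsoft.Graph -Scope CurrentUser
# Every value below (domain, Okta URLs, issuer URI, certificate file) is a
# placeholder; use the real ones from View Setup Instructions in Okta.

Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Domain.ReadWrite.All is the narrowest Graph scope that can change a domain's
# authentication type, so request only that rather than broader consent.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domain = "example.com"   # hypothetical verified domain

function Show-DomainAuth {
    param([string]$DomainId)
    $d = Get-MgDomain -DomainId $DomainId
    [pscustomobject]@{
        Domain             = $d.Id
        AuthenticationType = $d.AuthenticationType   # "Managed" or "Federated"
        IsVerified         = $d.IsVerified
        Configurations     = @(Get-MgDomainFederationConfiguration -DomainId $DomainId).Count
    }
}

# 1. Preflight. Only a verified domain can be federated, and a domain that is
#    already federated must be de-federated before pointing it at a new IdP.
$before = Show-DomainAuth -DomainId $domain
if (-not $before.IsVerified) { throw "$domain is not verified in Microsoft 365" }
if ($before.AuthenticationType -eq "Federated") {
    throw "$domain is already federated; run Remove-DomainFederation first"
}

# 2. Federate the domain to the Okta WS-Fed endpoints. The URLs, issuer URI and
#    certificate file are illustrative placeholders, not real Okta values.
$fedParams = @{
    DomainId                        = $domain
    DisplayName                     = "Okta"
    IssuerUri                       = "http://www.okta.com/exkPLACEHOLDER"
    PassiveSignInUri                = "https://example.okta.com/app/office365/exkPLACEHOLDER/sso/wsfed/passive"
    ActiveSignInUri                 = "https://example.okta.com/app/office365/exkPLACEHOLDER/sso/wsfed/active"
    MetadataExchangeUri             = "https://example.okta.com/app/office365/exkPLACEHOLDER/sso/wsfed/mex"
    SignOutUri                      = "https://example.okta.com/login/signout"
    # Base64 DER of the Okta token-signing certificate, saved from the setup page.
    SigningCertificate              = (Get-Content -Path ".\okta-signing-cert.b64" -Raw).Trim()
    PreferredAuthenticationProtocol = "wsFed"
    # Require MFA to be performed by Okta instead of trusting a claim that it
    # already happened elsewhere; adjust to your policy.
    FederatedIdpMfaBehavior         = "enforceMfaByFederatedIdp"
}
$null = New-MgDomainFederationConfiguration @fedParams

# 3. Verify: the domain now reports Federated with exactly one configuration
#    whose IssuerUri and PassiveSignInUri match the values Okta gave you.
Show-DomainAuth -DomainId $domain
Get-MgDomainFederationConfiguration -DomainId $domain |
    Select-Object Id, IssuerUri, PassiveSignInUri, PreferredAuthenticationProtocol

# 4. De-federate. Required before deleting a manually federated Office 365 app
#    instance, or when moving the domain back to SWA or managed authentication.
function Remove-DomainFederation {
    param([string]$DomainId)
    Get-MgDomainFederationConfiguration -DomainId $DomainId | ForEach-Object {
        Remove-MgDomainFederationConfiguration -DomainId $DomainId -InternalDomainFederationId $_.Id
    }
    # Switch sign-in back to cloud (managed) credentials. Because WS-Fed never
    # synced passwords, users need a managed password (sync or reset) afterwards.
    Update-MgDomain -DomainId $DomainId -AuthenticationType "Managed"
    Show-DomainAuth -DomainId $DomainId
}
# Remove-DomainFederation -DomainId $domain   # uncomment to revert to managed
```

Run it in a session signed in as an account that can consent to Domain.ReadWrite.All (the global administrator the page calls for is sufficient). The verification step matters: a domain whose PassiveSignInUri points at an app instance that no longer exists is exactly the state the manual-federation caveat above warns about, and it is the de-federation function, not deleting the Okta app, that clears it.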
