Move Microsoft Office 365 from SWA to WS-Federation

There are two sign-on methods for Microsoft Office 365 available in Okta:

  1. Secure Web AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect. (SWAAn acronym for Secure Web Authentication. SWA is a SSO system developed by Okta to provide single sign-on for apps that don't support proprietary federated sign-on methods or SAML. Users can enter their credentials for these apps on their homepage. These credentials are stored such that users can access their apps without entering their credentials each time. When users first sign-in to a SWA app from their homepage, they see a pop-up message asking if they were able to sign-in successfully.): SWA relies on a username and a password for security credentials that can be selected by the end user or assigned by the administrator
  2. WS-Federation: WS-Federation is a specification that defines mechanisms to transfer identity information using encrypted SOAP messages. It adds an additional level of security. WS-Federation does not require a separate password for Office 365. Consequently, Okta does not need to sync user passwords when WS-Federation is used.


  1. From the Administrator Dashboard, select Applications.

  2. Locate and select the Microsoft Office 365 appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in..

  3. Select the Sign On tab, then click Edit.

  4. For SIGN ON METHODS, check the WS-Federation radio button.

  5. If you choose to manually set up WS-Federation, click on the View Setup Instructions button, shown above. The button opens a new tab with instructions on how to prepare your domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). for federated authentication utilizing PowerShell.

  6. If you prefer that Okta configures WS-Fed, select Let Okta configure WS-Federation automatically for me.

  7. Enter your Microsoft 365 API AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Username and Password, as shown above.

    The Default Relay State is optional. (The default relay state is the page your users will land on after they successfully log in.)

  8. Add your credentials details and your API credentials.

  9. Click Done.