Federate multiple Office 365 domains in a single app instance

You can automatically federate multiple Microsoft Office 365 domains within a single Office 365 app instance in Okta. This eliminates the need to configure a separate Office 365 app instance for each Office 365 domain.

This is useful in the following scenarios:

  • You have multiple Office 365 domains in a single Office 365 tenant and don’t want to create separate app instance for each domain.
  • You have multiple Office 365 domains in a single Office 365 tenant and want to apply the same set of policies to all of them.

This feature is not available for manual WS-Federation method.

Prerequisites

  • A valid Microsoft Office 365 tenant
  • Verified Microsoft Office 365 domains
  • Office 365 application added to Okta org using automatic WS-Federation

Procedure

 

Configure domains

  1. In Office 365 application instance, open Sign On > Settings in Edit mode.

  2. In Sign On Methods, select WS-Federation.
  3. Select Automatic for WS-Federation Configuration.
  4. Click on View Setup Instructions. Procedure to configure Office 365 WS-Federation will open in a new window.
  5. Refer to the Prepare your domain for federated authentication section of the procedure to ensure you have correctly prepared your domains for federation.
  6. Back on the Sign On tab, enter Office 365 Admin Username and Office 365 Admin Password for your Microsoft Office 365 tenant.
  7. In Office 365 Domains, click Fetch and Select to add verified domains. Verified domains for the Office 365 tenant will be displayed.
  8. Select domains that you want to federate.
  9. Back on the Sign On tab, click Save.

Validate federated domains

  1. Sign in to Okta as an end user that belongs to an Office 365 domain you just federated.
  2. Access Office 365 through the end-user dashboard.
  3. Ensure you can log in successfully.
  4. Repeat these steps for test users from all federated Office 365 domains.

Alternatively, you can use the following PowerShell cmdlet for each federated domain to verify that the domain has been successfully federated:

Get-MSOlDomainFederatioNSettings -domainname <domain name>

Cautions

  • Switching to manual WS-federation or SWA will unfederate domains

    If you switch from automatic WS-Federation to manual WS-Federation or from WS-Federation to SWA, all domains involved will be unfederated.

  • Do not delete Office 365 app instances

    If you have multiple instances of Office 365 domains that are automatically federated and you are migrating to a single instance of automatically-federated Office 365, disable such instances. Do NOT delete them.

  • When unfederating, wait until all domains are unfederated

    If you change the federation method from automatic to manual for already-federated domains, we recommend that you wait until all automatically federated domains are unfederated. If you try to manually federate a domain before Okta completes its unfederation process, Okta may try to remove the manually federated domain since it was previously an automatically-federated domain.

    Use the following cmdlet to ensure that the automatically-federated domain is unfederated:

    Get-MSOlDomainFederatioNSettings -domainname <domain name>

    You should expect some downtime while the domain is being unfederated.

  • Configure domains during off-hours to avoid assigning duplicate apps

    When configuring an Office 365 domain which is already configured in a separate Office 365 app instance, end users may be assigned a duplicate set of Office 365 apps. It is recommended to perform this action during off-hours so that you will have enough time to unconfigure the original app instance.

Related Topics