Federate multiple Office 365 domains in a single app instance
You can automatically federate multiple Microsoft Office 365 domains within a single Office 365 app instance in Okta. This eliminates the need to configure a separate Office 365 app instance for each Office 365 domain.
This is useful if you have the following configurations:
- Multiple Office 365 domains in a single Office 365 tenant and you don't want to create a separate app instance for each domain.
- Multiple Office 365 domains in a single Office 365 tenant and want to apply the same set of policies to all of them.
Before you begin
- This feature isn't available for the manual WS-Federation method.
-
The following information is required to complete this procedure:
- A valid Microsoft Office 365 tenant
- Verified Microsoft Office 365 domains
- Office 365 application added to Okta org using automatic WS-Federation
If you're configuring multiple Office 365 domains with child domains, contact your Okta representative.
Start this procedure
This procedure includes the following tasks:
Configure domains
-
In an Office 365 application instance, open in Edit mode.
- In Sign On Methods, select WS-Federation.
- Select Automatic for WS-Federation configuration.
- Click View Setup Instructions. The procedure to configure Office 365 WS-Federation opens in a new window.
- Refer to the Prepare your domain for federated authentication section of the procedure to ensure you have correctly prepared your domains for federation.
- Back on the Sign On tab, enter Office 365 Admin Username and Office 365 Admin Password for your Microsoft Office 365 tenant.
- In Office 365 Domains, click Fetch and Select to add verified domains. Verified domains for the Office 365 tenant are displayed.
- Select domains that you want to federate.
- Back on the Sign On tab, click Save.
Manually set up WS-Federation
-
In the Office 365 application instance, open in Edit mode.
- In Sign On Methods, select WS-Federation.
- Select I want to configure WS-Federation myself using PowerShell.
- Click View Setup Instructions. The procedure to configure Office 365 WS-Federation opens.
- Follow the steps to configure your domain in the Microsoft Azure Active Directory Module for Windows PowerShell. Repeat for each domain you want to configure.
- Back on the Sign On tab, click Save.
Validate federated domains
- Sign in to Okta as an end user that belongs to an Office 365 domain you federated.
- Access Office 365 through the End-User Dashboard.
- Ensure you can sign in successfully.
- Repeat these steps for test users from all federated Office 365 domains.
Alternatively, you can use the following PowerShell cmdlet for each federated domain to verify that the domain has been successfully federated:
Get-MSOlDomainFederatioNSettings -domainname <domain name>Cautions
-
Federating a domain with multiple subdomains in a single app causes sign-in errors
Federating a domain with multiple subdomains in a single app cause the subdomain members to receive an error when they sign in. To avoid this, federate domains manually using PowerShell. See Configure SSO on with WS-Federation - manual method.
-
Switching to manual WS-federation or SWA will unfederate domains
If you switch from automatic WS-Federation to manual WS-Federation or from WS-Federation to SWA, all the domains involved will be unfederated.
-
Don't delete Office 365 app instances
If you have multiple instances of Office 365 domains that are automatically federated and you're migrating to a single instance of automatically federated Office 365, disable such instances. Don't delete them.
-
When unfederating, wait until all domains are unfederated
If you change the federation method from automatic to manual for already-federated domains, Okta recommends that you wait until all automatically federated domains are unfederated. If you try to manually federate a domain before Okta completes its unfederation process, Okta may try to remove the manually federated domain since it was previously an automatically federated domain.
Use the following cmdlet to ensure that the automatically federated domain is unfederated:
Get-MSOlDomainFederatioNSettings -domainname <domain name>.You should expect some downtime while the domain is being unfederated.
-
Configure domains during off-hours to avoid assigning duplicate apps
When you configure an Office 365 domain that's already configured in a separate Office 365 app instance, end users may be assigned a duplicate set of Office 365 apps. Perform this action during off-hours so that you have enough time to unconfigure the original app instance.