Configure WS-Federation for Office 365

There are two sign-on methods for Microsoft Office 365 available in Okta: Secure Web Authentication (SWA) and WS-Federation (WS-Fed), which is the more secure and preferred method.

  • SWA relies on a username and password for Office 365, chosen by the end user or assigned by the administrator. Okta stores that password and fills it in at sign-in, so a separate Office 365 credential exists and must be kept in sync.
  • WS-Federation is a specification that defines how identity information is transferred from an identity provider to a relying party as signed security tokens carried in SOAP-based messages. Office 365 trusts tokens that Okta signs for the federated domain, so users don't need a separate Office 365 password and Okta doesn't need to sync user passwords when WS-Federation is used. The trust is anchored in the token-signing certificate that Okta publishes for the domain: whoever controls that issuer controls sign-in for every user in the domain, so protect Okta admin access accordingly.

Okta removes the domain federation in the following cases:

  • If you switch from WS-Federation to SWA
  • If you delete the app instance (automatic federation only)

    Okta doesn't recommend deleting the app. With automatic federation, the domain is de-federated automatically when the app is removed. With manual federation, the domain stays federated after the app is removed, so Office 365 keeps sending sign-ins for that domain to an Okta app that no longer exists; you must de-federate the domain yourself using PowerShell.

To set up WS-Federation, complete the following steps:

Automatically set up WS-Federation

First-time setup

If you're configuring WS-Federation for the first time, follow these steps to authenticate and select domains.

  1. If you're setting up Microsoft Office 365 for the first time, in the General Settings tab, click Next to go to the Sign-On Options tab.

  2. In the Sign on methods section, select WS-Federation > Automatic.
  3. Optional. Click View Setup Instructions. The procedure to configure Office 365 WS-Federation opens in a new window.
  4. Optional. Refer to the Prepare your domain for federated authentication section of the procedure to ensure that you have correctly prepared your domains for federation.
  5. Back on the Sign-On Options tab, click Start federation setup. You're redirected to the Microsoft account sign-in page.
    1. Sign in to Microsoft as a global administrator for your Microsoft tenant.
    2. Read and accept the requested permissions.
  6. Click Federate domains.
  7. On the dialog that appears, select the domains that you want to federate from the dropdown list.
  8. Click Next, then Save.
  9. Click Done.
Edit an existing configuration

If you've previously configured WS-Federation, follow these steps to make changes.

  1. Go to the Office 365 app > Sign on > Edit. Ensure that WS-Federation > Automatic is selected under Sign on methods.

  2. To view federated parent and child domains in read-only mode, click View selected domains.
  3. To add or remove domains, click Manage verified domains.
  4. To re-authenticate with a different Microsoft Office 365 account, click Re-authenticate with Microsoft Account.
  5. Click Save.

Manually set up WS-Federation

  1. If you're setting up Microsoft Office 365 for the first time, in the General Settings tab, click Next to go to the Sign-On Options tab.

    If Microsoft Office 365 is already set up, in the Admin Console, select Applications > Applications. Locate and select the Microsoft Office 365 app, go to the Sign On tab, and click Edit.

  2. In Sign on methods, select WS-Federation > Manual using PowerShell.
  3. Click View Setup Instructions for the PowerShell command that's customized for your domain.
  4. Copy this command for use in PowerShell.
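The generated command itself isn't reproduced on this page, and it isn't reproduced here either. What follows is an added example, not Okta's code and not the generated setup instructions: a PowerShell script that covers the two things a practitioner wants around that command. First, after the Okta-generated command has been run, it verifies what Office 365 now trusts for the domain (issuer, endpoints, and the token-signing certificate, which should match the values in Okta's setup instructions). Second, it performs the manual de-federation that the note above says is required when a manually federated app instance is removed. It assumes the legacy MSOnline module (the module the Set-Msol* cmdlets come from), an interactive sign-in as a Global Administrator, and a placeholder domain name of example.com.

```powershell
# Added example (not from the Okta page or the generated setup instructions).
# Assumptions: the MSOnline module is installed, you sign in as a Global
# Administrator, and "example.com" is a placeholder for your verified domain.
# Run the Okta-generated Set-MsolDomainAuthentication command first; this
# script only verifies the result and, when asked, reverses it.

param(
    [string]$DomainName = "example.com",   # placeholder; pass your own verified domain
    [switch]$Defederate                    # pass -Defederate to return the domain to managed auth
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # interactive sign-in as a Global Administrator

# 1. Confirm the domain is verified in the tenant and report its current auth type.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') {
    throw "Domain $DomainName is not verified in the tenant; federation can't be applied or checked."
}
Write-Host "Authentication type for ${DomainName}: $($domain.Authentication)"

if ($domain.Authentication -eq 'Federated') {
    # 2. Inspect the trust parameters Office 365 uses to accept tokens for this domain.
    #    Compare them with the values shown in Okta's setup instructions. A mismatch in
    #    IssuerUri or the signing certificate means sign-in will fail, or, worse, that a
    #    different issuer is trusted for your domain.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $fed | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri,
                         MetadataExchangeUri, PreferredAuthenticationProtocol

    # SigningCertificate is returned as base64-encoded DER; decode it to read the
    # thumbprint and expiry so the certificate can be matched against Okta's.
    $certBytes = [Convert]::FromBase64String($fed.SigningCertificate)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
    Write-Host "Token-signing cert thumbprint: $($cert.Thumbprint)  expires: $($cert.NotAfter)"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Signing certificate expires within 30 days; rotate it in Okta and re-run the setup command."
    }
}

if ($Defederate) {
    # 3. Manual de-federation, needed when a manually federated app instance is removed,
    #    because Okta doesn't de-federate the domain for you in that case. Users in the
    #    domain will then authenticate with their cloud (Azure AD / Entra ID) passwords,
    #    so make sure those accounts have usable passwords before running this.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
    (Get-MsolDomain -DomainName $DomainName).Authentication   # expect: Managed
}
```

Run it as `.\Check-OktaFederation.ps1 -DomainName yourdomain.com` (the file name is the example's own) and add `-Defederate` only when you intend to return the domain to managed authentication. Microsoft is retiring the MSOnline module in favor of Microsoft Graph PowerShell; the closest Graph counterparts are Get-MgDomain, Get-MgDomainFederationConfiguration, and Update-MgDomain, but the parameter names differ from the Set-Msol* cmdlets that Okta's manual setup instructions are written for.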