Sam Powell

Will unfederating Office 365 from Okta result in users' passwords being reset?

Just looking for some clarification here. We currently have Office 365 using WS-Federation through Okta and have been for some time. We are in the process of acquiring licensing for Azure AD Premium and at this point would like to turn off the federation so users can get in directly via portal.office.com. I have Azure AD Connect set up and successfully syncing. Through the Okta GUI, if I change the Office 365 authentication method from WS-FED to SWA, what is the expected behavior for the end users? Will passwords stored in Office 365/Azure AD be reset? If that is the case, we should just be able to wait or manually trigger Azure AD Connect to resync the user passwords from our local AD, correct? Trying to avoid the disaster scenario of our entire organization's users' passwords being reset, or at least have a good plan to get them back in sync. Thanks!
All Answers

Bogdan Musat (Okta, Inc.)
Thank you for reaching out to Okta Support, my name is Bogdan.
When you de-federate the domain, all of your users will lose their passwords.
Below I have posted the information that I was able to find about this subject.
However, we do highly recommend a professional services engagement for this procedure.

You can defederate the domain with the PowerShell module for Online Services (available at http://go.microsoft.com/fwlink/?linkid=236293).
First, you connect to remote PowerShell with the following command, where you will provide your administrative credentials for Office 365:
Connect-MsolService
Then to change your domain back to a non-Federated state you simply type the command:
Convert-MsolDomainToStandard -DomainName example.com -PasswordFile c:\Passwords.txt
The command will convert all users to non-federated ones, create a new password for each of them, and put it in the file you specified with the “-PasswordFile” flag. It will also set the flag “ForceChangePassword” on the users to $true, so the users will have to change their own password after the first time they log on with the new one you provided from the file.
Sam Powell
Thanks for the response, Bogdan. We went ahead with unfederating our Office 365 domain through the Okta GUI by changing to SWA. Within 15 minutes we were able to log into portal.office.com without being redirected through Okta. I suspect that since we already had Azure AD Connect running with password syncing enabled, we did not have any password reset issues.
This was selected as the best answer
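
Added example (not part of either post above, and not Okta or Microsoft code): a read-only before/after check for the change discussed in this thread, using the same MSOnline module as the answer. The function names are hypothetical, an existing Connect-MsolService session is assumed, and example.com and c:\Passwords.txt are the placeholders from the answer.

```powershell
# Added example. Assumes the MSOnline module is loaded and Connect-MsolService
# has already been run. Function names below are hypothetical.

function Get-FederationSnapshot {
    param([Parameter(Mandatory)][string]$DomainName)
    $domain  = Get-MsolDomain -DomainName $DomainName
    $company = Get-MsolCompanyInformation
    [pscustomobject]@{
        TakenAtUtc          = (Get-Date).ToUniversalTime()
        Domain              = $domain.Name
        Authentication      = $domain.Authentication        # Federated or Managed
        DirSyncEnabled      = $company.DirectorySynchronizationEnabled
        PasswordSyncEnabled = $company.PasswordSynchronizationEnabled
        LastPasswordSyncUtc = $company.LastPasswordSyncTime
    }
}

function Get-PasswordChangedSince {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][datetime]$SinceUtc   # assumption: timestamps are UTC
    )
    # Accounts whose cloud password was rewritten after the given time,
    # whether by a generated reset or by a newly synced hash.
    Get-MsolUser -All -DomainName $DomainName |
        Where-Object { $_.LastPasswordChangeTimestamp -and
                       $_.LastPasswordChangeTimestamp -gt $SinceUtc } |
        Select-Object UserPrincipalName, LastPasswordChangeTimestamp
}

# 1. Record the state before touching federation.
$before = Get-FederationSnapshot -DomainName 'example.com'
if (-not $before.PasswordSyncEnabled) {
    Write-Warning 'Password sync is not enabled; users may have no usable cloud password afterwards.'
}

# 2. Make the change (Okta GUI switch to SWA, or Convert-MsolDomainToStandard), then:
$after   = Get-FederationSnapshot -DomainName 'example.com'
$changed = @(Get-PasswordChangedSince -DomainName 'example.com' -SinceUtc $before.TakenAtUtc)
'{0}: {1} -> {2}, {3} account(s) with a password change to review' -f `
    $after.Domain, $before.Authentication, $after.Authentication, $changed.Count

# 3. If a -PasswordFile was written, it holds temporary passwords in plain text:
#    drop inherited ACLs and leave access only to the current operator.
$passwordFile = 'c:\Passwords.txt'
if (Test-Path $passwordFile) {
    icacls $passwordFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:F" | Out-Null
}
```

Run steps 1 and 2 in the same session so that `$before` is still available for the comparison.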