Todd Johnson
Impact of enabling Okta Federation with o365

We are planning an o365 migration. I have reviewed the steps for enabling federation between o365 and Okta. Before I run through this process I want to make sure I understand if there are any impacts to our production systems. I don't see any potential issues, but want to be sure in case I'm missing something. Thanks!

Our current setup...

- On-prem Exchange
- Leverage Okta for various apps
- Identities will sync to Azure via AADConnect. Currently filtered on AD group for pilot testing.
Marc Jordan (Okta, Inc.)
Hi Todd,

Thanks for posting in the community. Enabling SSO with Office 365 does a couple of things:
  • Modifies the settings of your verified Office 365 domain to point to your Okta Tenant (or overwrites the Federation Settings if they are already configured)
  • Changes the behaviour of the Office 365 login page to redirect you to the configured IDP when the email suffix matches that of a Federated domain
There are also a couple of things to be aware of:
  • Ensure that a non-federated (ideally the onmicrosoft.com) domain is set as the default domain ahead of time (federated domains cannot be default and will give an error)
  • Ensure that the account you are using for AADConnect and your admin account are using a non-federated domain (also, ideally onmicrosoft.com)
In regards to on-premises impact, we would not expect anything to change at all. Commonly, customers ask about mail flow and DNS impact, however neither of these will be modified as a result of setting the domain as federated. 

The Set-MSOLDomainAuthentication cmdlet in PowerShell (https://msdn.microsoft.com/en-us/library/dn194112.aspx) can also be used to revert the domain to Managed rather than Authenticated if you did want to test toggling Federation settings.

Regards
Marc
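The two checks in the reply above (a non-federated default domain, and admin/AADConnect accounts outside the domain being federated) as a pre-flight script. This is an added example, not code from the thread or from Okta; it assumes the MSOnline module is installed, `Connect-MsolService` has already been run, and the domain and account names are placeholders.

```powershell
# Pre-flight checks before federating an Office 365 domain with Okta.
# Added example (not from the original thread or Okta). Assumes MSOnline module
# is loaded and Connect-MsolService has already succeeded. All names are placeholders.
param(
    [string]$DomainToFederate = 'example.com',                         # placeholder domain
    [string[]]$MustStayManaged = @('admin@contoso.onmicrosoft.com',     # placeholder admin UPN
                                   'aadsync@contoso.onmicrosoft.com')  # placeholder AADConnect UPN
)

$problems = @()
$domains  = Get-MsolDomain   # Name, Authentication (Managed/Federated), IsDefault

# Check 1: the default domain must remain a non-federated (Managed) domain,
# since a federated domain cannot be the tenant default.
$default = $domains | Where-Object { $_.IsDefault }
if ($default.Name -eq $DomainToFederate) {
    $problems += "Default domain '$($default.Name)' is the domain being federated; make an onmicrosoft.com domain the default first."
}
elseif ($default.Authentication -ne 'Managed') {
    $problems += "Default domain '$($default.Name)' is already Federated; federated domains cannot be default."
}

# Check 2: the admin account and the AADConnect service account must not sign in
# through the domain being federated, or their logins get redirected to the IdP.
foreach ($upn in $MustStayManaged) {
    $suffix = $upn.Split('@')[1]
    $d = $domains | Where-Object { $_.Name -eq $suffix }
    if ($null -eq $d) {
        $problems += "Domain '$suffix' used by $upn is not a verified domain in this tenant."
    }
    elseif ($suffix -eq $DomainToFederate -or $d.Authentication -eq 'Federated') {
        $problems += "$upn uses a federated (or about-to-be-federated) domain; move it to an onmicrosoft.com UPN."
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Host "Resolve the items above before enabling federation for $DomainToFederate."
}
else {
    Write-Host "Pre-flight checks passed for $DomainToFederate."
    # Rollback reference, as noted in the reply: return a federated domain to Managed with
    # Set-MsolDomainAuthentication -DomainName $DomainToFederate -Authentication Managed
}
```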
Dan Rosner
We have only Office 365 and Azure AD. We do not have any on-prem Windows Server environment. If we turn on federation, the desktop logins will fail. Is there a way to set up Okta so that password changes are pushed to Office 365, but there is NOT true SSO to Office 365? Alternately, we need to be able to have Okta use Office 365/Azure AD as the directory.