Remove WS-Federation from Office 365 Domain Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Warren SmithWarren Smith 

Remove WS-Federation from Office 365 Domain


We are evaluating Office 365 integration with Okta. I need to be able to easily switch between testing authentication using Okta and directly with Office 365.

How would I remove the WS-Federation settings that are detailed in the WS-Federation authentication setup guide? The guide details both Set-MsolDomainAuthentication and Set-MsolDomainFederationSettings commands that I need to know how to reverse either as part of testing or as part of a roll-back.

Kevin TurnerKevin Turner (Okta, Inc.)
Hi Warren
To switch off the Okta configured federation you would need to via powershell:
Using your Office 365 administrative account, and then once connected issue the following command.
Set-MsolDomainAuthentication -DomainName <your.domain> -Authentication managed
James SmithJames Smith
I can't add anymore, Kevin has answered the question perfectly. One of the best features in okta is how easy it is to implement and the fact they give you the command lines to setup federation off the bat.
Or CingilliOr Cingilli
I would only add this link as a resource: to understand the different variables used and how they are defined.
Okta AgentOkta Agent
I am glad this popped up. We are considering doing the same thing. 
Jason RielJason Riel

Kevin's command didn't work for me.  Had to switch it around a bit.
Set-MsolDomainAuthentication -Authentication managed -DomainName <your.domain>

Shane TwentymanShane Twentyman
None of this worked for me, not were Okta support any help either. Im really disapointed with this. They should explain that once you add this, EVERYONE in your org has to use it or they cant log in 
Jeff GolasJeff Golas
As an update to this that I tested yesterday, if you had OKTA automatically set up the Ws-federation originally (where you give it admin credentials) - it will automatically remove the federation from the O365 domain when you switch the app back to SWA. I verified it using the powershell command get-msoldomainfederationsetting.
Jeff GolasJeff Golas
Also keep in mind, it seems to take some time for the settings to propagate out on 365.
AD AgentAD Agent
In the provisioning setting in my test environment I sync the Okta password and I am now doing some testing for a DR plan.

I had assumed that converting the domain authentication to managed would then let users login with their last Okta password but this doesn't seem to be the case in my testing.

Does anyone know if a user's password is synced to Office 365 when using WS-Federation?
James PoeJames Poe
So if I am reading this right, the following command:
Set-MsolDomainAuthentication -DomainName <your.domain> -Authentication managed
will turn off Okta SSO and force users to sign in with their domain creds?
Dataprise AdminDataprise Admin
Hi, has anyone been able to replicate this? I tried running the command listed above and it doesn't seem to do anything. O365 is still being federated via Okta. We are having some issues with the SAML SSO so we want to disable the feature.