All Office 365 Users That Are Part Of The Federated Domain Will Be Required To Authenticate With Okta
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

Once a domain is federated in the Office integration, ALL users that are part of the federated domain (for example, user@FederatedDomain.com) will be redirected to Okta for authentication.

It is not possible to federate a domain and exclude some users from the Okta authentication step. All users in the federated domain must have a Microsoft account and an Okta account and must be assigned to the Office app. Otherwise, they will not be able to access Microsoft-related resources.
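Because no user can be excluded, it helps to list who would lose access before the domain is federated. The following check is an added example, not Okta tooling: it compares a list of Microsoft user principal names with Okta users and their Office 365 app assignment. The record layout, the sample data, and matching the Okta login to the Microsoft UPN are assumptions.

```python
# Added example: pre-federation impact check. All data below is constructed.
from collections import namedtuple

# Hypothetical export format: Okta login plus whether the user is assigned
# to the Office 365 app integration.
OktaUser = namedtuple("OktaUser", "login assigned_to_office_app")

def domain_of(upn):
    """Return the lower-cased domain part of a UPN, or '' if malformed."""
    local, sep, domain = upn.strip().rpartition("@")
    return domain.lower() if sep and local else ""

def federation_impact(ms_upns, okta_users, federated_domain):
    """Classify Microsoft users in the federated domain by Okta readiness."""
    domain = federated_domain.strip().lower()
    # Assumption: the Okta login equals the Microsoft UPN (case-insensitive).
    okta_by_login = {u.login.strip().lower(): u for u in okta_users}
    report = {"ready": [], "no_okta_account": [], "not_assigned": []}
    for upn in ms_upns:
        if domain_of(upn) != domain:
            continue  # only users in the federated domain are redirected to Okta
        key = upn.strip().lower()
        okta = okta_by_login.get(key)
        if okta is None:
            report["no_okta_account"].append(key)   # cannot authenticate at all
        elif not okta.assigned_to_office_app:
            report["not_assigned"].append(key)      # account exists, no app access
        else:
            report["ready"].append(key)
    return report

# Constructed sample input; note the service account with no Okta identity.
MS_UPNS = ["Alice@Example.com", "bob@example.com", "carol@example.com",
           "dave@other.example", "svc-scanner@example.com"]
OKTA_USERS = [OktaUser("alice@example.com", True),
              OktaUser("bob@example.com", False),
              OktaUser("dave@other.example", True)]

if __name__ == "__main__":
    result = federation_impact(MS_UPNS, OKTA_USERS, "example.com")
    for category, users in result.items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Anyone listed under no_okta_account or not_assigned would be unable to reach Microsoft resources once the domain is federated.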

Applies To
  • Office 365 integrations
  • Single Sign-On (SSO)
Solution

If the domain was federated just for testing, but real Microsoft users are affected by this, these users cannot be excluded from the federation. Therefore, the federation should be tested with a domain that does not contain real users.

Follow these steps to remove the Okta-Microsoft domain federation:

  1. To de-federate the domain, log in to the Okta Admin Dashboard and navigate to Applications > Applications.

  2. Find the Office 365 app integration and click on the Sign On tab.

  3. CAUTION! This action will remove the federation for ALL domains added to the Office integration:
    Click Edit and change the Sign on method from WS-Federation to Secure Web Authentication.

  4. Once the federation removal process has started, it can take 10 or more minutes to complete, depending on the size of the domain.

    NOTE: Upon making this selection, a prompt will appear asking to choose how the Username and Password are created. This setting determines what username and password will be used to log users into Office 365. Since WS-Federation does not actually use a password, the users' Office 365 accounts may not actually have a valid password to use, and/or the user may not know what it is. This can be avoided by enabling Sync Okta Password in the O365 application's Provisioning settings. This will push the Okta password to Office 365.

 
