This article explores the possibility of making exceptions for specific user accounts while federating Microsoft Office 365 (O365) with Okta. It provides an explanation of the limitations and suggests a solution for handling shared accounts during the integration process.
- Office 365 (O365) Federation
- Shared O365 User Accounts
- Authentication via username/password
Certain shared O365 user accounts must continue to authenticate via username/password after the domain is federated with Okta.
Unfortunately, there is no way to allow specific users in a federated domain to authenticate via username/password once the domain has been federated with Okta. When a domain is federated, Okta becomes the sole source of authentication for every user whose UPN is in that domain, and users without an Okta account cannot sign in to the Azure AD domain.
The recommended workaround for handling shared accounts is to place them outside of the federated domain, for example in the tenant's default *.onmicrosoft.com domain, which cannot be federated. This allows the shared accounts to authenticate via username/password while the rest of the domain remains federated with Okta.
Another option is to enable Staged Rollout on the Microsoft Office 365 tenant, which moves selected users (by group) from federated to cloud authentication and so excludes them from federation. The Microsoft Support Team can assist with enabling this option.
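Before federating, it helps to know which shared accounts will lose username/password sign-in. The following PowerShell audit is an added example, not part of the original article or of Okta's or Microsoft's tooling. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed and that the signed-in account can read domains and users; the UPN list in $sharedAccounts is a constructed placeholder you replace with your own.

```powershell
# Added audit script (not from the original article). Assumes the Microsoft Graph
# PowerShell SDK is installed and the caller can read domains and users.
Connect-MgGraph -Scopes "Domain.Read.All", "User.Read.All"

# Constructed placeholder: UPNs of the shared accounts that must keep password auth.
$sharedAccounts = @(
    "reception@contoso.com",
    "frontdesk@contoso.onmicrosoft.com"
)

# Map each verified domain to its authentication type ("Managed" or "Federated").
$domainAuth = @{}
Get-MgDomain -All | ForEach-Object {
    $domainAuth[$_.Id.ToLower()] = $_.AuthenticationType
}

$report = foreach ($upn in $sharedAccounts) {
    # The UPN suffix decides which domain's authentication type applies.
    $suffix   = ($upn -split "@")[-1].ToLower()
    $authType = $domainAuth[$suffix]

    # Confirm the account actually exists in the tenant.
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" `
                       -Property UserPrincipalName, AccountEnabled `
                       -ErrorAction SilentlyContinue

    if ($authType -eq "Managed") {
        $recommendation = "OK: stays on username/password"
    }
    elseif ($authType -eq "Federated") {
        $recommendation = "Move the UPN to the *.onmicrosoft.com domain or cover the user with Staged Rollout"
    }
    else {
        $recommendation = "Domain is not verified in this tenant"
    }

    [pscustomobject]@{
        UserPrincipalName = $upn
        Exists            = [bool]$user
        DomainAuthType    = if ($authType) { $authType } else { "UnknownDomain" }
        PasswordAuthWorks = ($authType -eq "Managed")
        Recommendation    = $recommendation
    }
}

$report | Format-Table -AutoSize
```

Run the script once before federating the custom domain and again afterwards: accounts whose domain reports Federated will no longer accept a password at the Microsoft sign-in page unless they are moved to the *.onmicrosoft.com domain. A user placed in a Staged Rollout group authenticates through cloud authentication even though its domain still reports Federated, so read a Federated result together with the tenant's Staged Rollout group membership.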
