Microsoft Office 365 Domains Deleted from Azure/O365 Before Being Removed in Okta - Fetch and Select Not Working as Expected
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

If a Microsoft Office 365 (O365) administrator removes any federated domains from O365 before they have been de-federated in Okta, then the "Fetch and Select" functionality in Okta will cease to function correctly.

This manifests itself in the following behavior:

  • When attempting to federate a new domain, an error is returned, indicating that one of the now-deleted domains cannot be found.
  • When attempting to update the Office 365 federation to leverage Microsoft Graph instead of MSOL, the administrator will not be able to save the changes as Okta is not able to reach out to all the domains it has in the list.

Error messages may include:

  • Could not connect to the Office 365 servers. Please try again later.
  • Could not setup the domain federation with Office 365; please specify a valid Office 365 domain.
Applies To
  • Microsoft Office 365 federated domains
  • Single Sign-On (SSO)
  • Having deleted a domain from Azure AD before de-federating it through the Okta UI
Cause

This happens when federated domains are removed from O365 before they have been de-federated in Okta. Okta cannot prevent the deletion of domains from O365 before they are properly de-federated from Okta, so this should be taken into account when decommissioning domains.

When Okta attempts to update the list of federated domains or make changes to the federation, such as leveraging Graph instead of MSOL, it first needs to be able to communicate with all the Microsoft domains it has in the list of "Fetch and Select". If one or more of those domains are deleted from the Microsoft side, errors will be generated.

Solution

If the domain lists in Okta are not synchronized with Microsoft, a feature flag can be enabled that bypasses the federation checks on the Microsoft side during the "Fetch and Select" process, allowing the domain list to be redefined. To do this, open a support ticket and request feature enablement, quoting this article.

When it has been confirmed that the feature is enabled, perform the following actions:

  1. From the Okta Admin Console, go to Applications and select the O365 app instance.
  2. Go to the Sign On tab and click Edit.
  3. Click Fetch and Select. A popup will show valid domains.
  4. Click Select from that popup. NOTE: This step must be performed. "Fetch and Select" will not remove any existing domains from the list.
  5. Click Save at the bottom of the Sign On tab. This should remove non-existing domains from the list.
  6. Once the setting is saved, inform Support so the feature flag can be restored to its original state.
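The following pre-decommission check is an added example, not part of the Okta article or of Okta's or Microsoft's own tooling. It runs in a Microsoft Graph PowerShell session and compares the domains Microsoft still reports as federated with the list Okta holds under "Fetch and Select"; the $oktaDomains array is a constructed sample that you would copy from the Sign On tab, since no Okta API field is assumed here.

```powershell
# Added example: run after Connect-MgGraph -Scopes "Domain.Read.All" (reading)
# and "Domain.ReadWrite.All" if Remove-DomainSafely is used.
# Constructed sample of the domain list currently shown in Okta's "Fetch and Select".
$oktaDomains = @('contoso.com', 'fabrikam.com', 'legacy.example')

# Domains Entra ID / O365 still reports as federated for this tenant.
$federated = Get-MgDomain -All |
    Where-Object { $_.AuthenticationType -eq 'Federated' } |
    Select-Object -ExpandProperty Id

# Domains Okta lists that Microsoft no longer knows as federated.
# Any entry here is what makes "Fetch and Select" fail with
# "Could not connect to the Office 365 servers" until the list is redefined.
$staleInOkta = @($oktaDomains | Where-Object { $federated -notcontains $_ })

# Domains federated on the Microsoft side that Okta does not list at all.
$unknownToOkta = @($federated | Where-Object { $oktaDomains -notcontains $_ })

[pscustomobject]@{
    StaleInOkta   = $staleInOkta -join ', '
    UnknownToOkta = $unknownToOkta -join ', '
}

# Guard for the decommission step itself: refuse to delete a domain from Entra ID
# while Okta still lists it, which is the order of operations the article warns about.
function Remove-DomainSafely {
    param([Parameter(Mandatory)][string]$Domain)
    if ($oktaDomains -contains $Domain) {
        throw "Remove '$Domain' from the Okta O365 app (Fetch and Select, then Save) before deleting it from Entra ID."
    }
    Remove-MgDomain -DomainId $Domain -Confirm
}
```

Run the comparison before each domain removal; a non-empty StaleInOkta means the Okta list must be cleaned up (via the Solution steps above) before "Fetch and Select" will work again.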