Microsoft Office 365 Error in Okta "Could not remove the domain federation with Office 365; please retry removing the federation for this domain after a few hours."
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article explains the following error that occurs when attempting to change the sign-on method to Secure Web Authentication (SWA) in the Microsoft Office 365 application:

 

Please review the form to correct the following error(s): Could not remove the domain federation with Office 365; please retry removing the federation for this domain after a few hours.

 

Applies To
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Microsoft Office 365
  • WS-Federation (WS-Fed)
  • Secure Web Authentication (SWA)
Cause

The error occurs because Okta attempts to access the federation object in Microsoft using the stored credentials of the Global Admin account. The process fails if the password has expired or the account has been removed.

Solution

If the Microsoft Office 365 application is configured for Automatic Federation in Okta, perform the following steps to resolve the error and finish the de-federation from the Okta User Interface (UI):

  1. Navigate to Applications > Office 365 > Sign On in the Okta Admin Console.
  2. Select Start federation setup under the Office 365 Domains section to grant Okta the necessary Microsoft Graph API permissions to manage federation.


If the application is configured for Manual Federation, Okta cannot modify the federation settings in Microsoft. Use the Microsoft Graph module via PowerShell instead, as detailed in How to Use PowerShell to Disable Manual Federation Between Okta and Microsoft Office 365:

  1. Install the Microsoft Graph module on a Windows device using the Microsoft Graph Installation Guide.
  2. Run the following PowerShell commands, replacing <DomainName> in both places with the federated domain name (for example, acme.com):
    1. Connect-MgGraph -Scopes Directory.AccessAsUser.All
    2. Remove-MgDomainFederationConfiguration -DomainId <DomainName> -InternalDomainFederationId (Get-MgDomainFederationConfiguration -DomainId <DomainName> | Select -Property Id).id
  3. Deactivate and delete the Office 365 application in Okta once Microsoft users are no longer redirected to Okta for authentication.
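
The manual de-federation steps above, extended with a before-and-after check of the domain's authentication type so there is evidence for step 3. This is an added example, not Okta's or Microsoft's own script; the `$DomainName` and `-Remove` parameters are assumptions of the example, and it uses only cmdlets from the Microsoft Graph module.

```powershell
# Added example (not from the original article).
# -DomainName: the federated domain, for example acme.com.
# -Remove: assumption of this example; without it the script only reports.
param(
    [Parameter(Mandatory)] [string] $DomainName,
    [switch] $Remove
)

Connect-MgGraph -Scopes Directory.AccessAsUser.All

# Record which account and tenant the change will be made in.
$ctx = Get-MgContext
Write-Host "Signed in as $($ctx.Account) in tenant $($ctx.TenantId)"

# Current state: 'Federated' means sign-in is redirected to an external IdP.
$before = (Get-MgDomain -DomainId $DomainName).AuthenticationType
Write-Host "$DomainName authentication type before: $before"
if ($before -ne 'Federated') {
    Write-Host "Domain is not federated; nothing to remove."
    return
}

# Show where the domain points so the Okta issuer can be confirmed first.
$configs = @(Get-MgDomainFederationConfiguration -DomainId $DomainName)
$configs | Format-List Id, DisplayName, IssuerUri, PassiveSignInUri |
    Out-String | Write-Host

if (-not $Remove) {
    Write-Host "Report only. Re-run with -Remove to delete the configuration."
    return
}

foreach ($config in $configs) {
    # -Confirm prompts before each federation object is deleted.
    Remove-MgDomainFederationConfiguration -DomainId $DomainName `
        -InternalDomainFederationId $config.Id -Confirm
}

# Verify before deactivating the Office 365 application in Okta.
$after = (Get-MgDomain -DomainId $DomainName).AuthenticationType
Write-Host "$DomainName authentication type after: $after"
if ($after -ne 'Managed') {
    Write-Warning "Still '$after'. Keep the Okta application until this reads 'Managed'."
}
```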

 
