When federating a domain or adding an additional domain to the Office 365 application in Okta, admins may encounter the following error:
Could not set up the domain federation with Office 365; please retry setting up the federation for this domain after a few hours.
One common cause of this error is when the domain name begins with a numeric character.
This stems from a Microsoft limitation: IssuerURI values starting with a number are not supported in their federation process. When Okta is configured to use automatic domain federation, it constructs the IssuerURI by combining the federated domain with the app instance ID, resulting in the format: 123example.com:exk123456789.
Microsoft considers this format invalid, and therefore, the federation fails in Okta.
Another possible cause is that the Microsoft Office 365 application within Okta had WS-Federation enabled before Okta's fix for child domains was implemented.
Option 1 (Recommended): Update the Office 365 app configuration
- Navigate to Okta Admin Dashboard > Applications > Office 365.
- Click on Authentication > Sign-on settings tab > Edit.
- Click Fetch and select, then, without modifying anything, click Select.
- Click Save at the bottom.
Option 2: Create a new application in Okta using manual federation
When configuring domain federation manually, the IssuerURI uses only the app instance ID with a prefix of https://, such as: https://exk123456789.
This format is valid and avoids the error.
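The following is an added pre-flight check, not Okta or Microsoft code: it builds the IssuerURI each federation mode would produce, using the two shapes described above (automatic: domain:appInstanceId, manual: https://appInstanceId), and flags domains whose automatic IssuerURI would start with a digit. The domains and app instance ID are constructed sample values.

```python
"""Pre-flight check for Okta -> Office 365 domain federation.

Assumptions (not from Okta/Microsoft): the domain list and app instance ID
are made-up sample values; IssuerURI shapes follow the article's description.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class FederationCheck:
    domain: str
    mode: str
    issuer_uri: str
    ok: bool
    reason: str


def automatic_issuer_uri(domain: str, app_id: str) -> str:
    # Automatic federation: Okta joins the federated domain and the app instance ID.
    return f"{domain}:{app_id}"


def manual_issuer_uri(app_id: str) -> str:
    # Manual federation: only the app instance ID, prefixed with https://.
    return f"https://{app_id}"


def check_domain(domain: str, app_id: str, mode: str = "automatic") -> FederationCheck:
    """Return whether the IssuerURI built for this domain/mode is accepted."""
    domain = domain.strip().lower().rstrip(".")  # normalise trailing dot / case
    if not domain:
        return FederationCheck(domain, mode, "", False, "empty domain name")
    uri = automatic_issuer_uri(domain, app_id) if mode == "automatic" else manual_issuer_uri(app_id)
    if uri[0].isdigit():
        # Microsoft does not accept an IssuerURI that begins with a number.
        return FederationCheck(domain, mode, uri, False,
                               "IssuerURI starts with a digit; use Option 1 or manual federation")
    return FederationCheck(domain, mode, uri, True, "IssuerURI accepted")


def check_domains(domains: List[str], app_id: str, mode: str = "automatic") -> List[FederationCheck]:
    return [check_domain(d, app_id, mode) for d in domains]


if __name__ == "__main__":
    # Constructed sample input: one numeric-leading domain, one alphabetic one.
    sample_domains = ["123example.com", "example.com"]
    for result in check_domains(sample_domains, "exk123456789"):
        status = "OK  " if result.ok else "FAIL"
        print(f"{status} {result.mode:<9} {result.issuer_uri:<32} {result.reason}")
```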
Key considerations
- A new authentication policy is required for this separate Office 365 integration, as a single policy cannot be shared across multiple apps.
- Both authentication and provisioning policies must be managed in parallel.
- If migrating users from the existing app, temporarily disable user deactivation in provisioning settings until all users have been unassigned from the original app.
