When subscribing to Microsoft Office 365 services, Microsoft provisions a default onmicrosoft.com domain as the primary fallback domain for tenant-level operations. Changing the initially assigned default domain to a custom domain does not impact user credentials or access to applications. However, setting a custom domain as the default prevents administrators from federating it with Okta.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Microsoft 365 / Office 365 (M365 / O365)
- Web Services Federation (WS-Federation)
- Single Sign-On (SSO)
Does changing the default domain impact existing users or Okta federated domains?
Changing the initially assigned default domain from *.onmicrosoft.com to a custom domain does not impact user credentials or the ability to access applications or services. However, changing the domain name associated with a user impacts email and other services. Administrators can set any registered domain as the default domain, except the initially assigned tenant domain. Once changed, Microsoft uses the newly set default domain for new user accounts, acting as the primary email address and user login.
What restrictions apply to default and federated domains?
Review the following restrictions regarding the default domain's limits and Okta federation compatibility.
- Administrators cannot delete or federate the initially assigned onmicrosoft.com domain, as it serves as the tenant's primary fallback domain and is used for tenant-level operations.
- According to Microsoft documentation, an Office 365 environment supports a maximum of 5 onmicrosoft.com domains. Once added, administrators cannot delete or remove them from the tenant.
- Administrators cannot federate a custom domain with Okta if it is set as the default domain. Attempting this configuration generates an error message.
- Existing Okta federated domains function without issue, provided administrators do not set them as the new default domain. Microsoft issues an error message if this action occurs.
NOTE: Information regarding Microsoft limitations (for example, onmicrosoft.com domain limits) is based on Microsoft documentation and is subject to change without notice. Okta recommends consulting Microsoft to validate current limitations and potential impacts before making changes.
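A pre-flight check for the restrictions listed above, as an added example that is not Okta's or Microsoft's own code: it classifies each tenant domain before a federation or default-domain change. The property names match what the Microsoft Graph PowerShell cmdlet `Get-MgDomain` returns; the function names and the contoso sample domains are constructed for illustration.

```powershell
# Added example. Input objects carry the Id, IsDefault, IsInitial and
# AuthenticationType properties that Get-MgDomain returns for each domain.
function Get-FederationReadiness {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Domain
    )
    process {
        # Order matters: the initial domain restriction is permanent,
        # the default-domain restriction can be lifted by changing the default.
        $status = if ($Domain.IsInitial) {
            'Blocked: initial tenant domain cannot be federated or deleted'
        } elseif ($Domain.IsDefault) {
            'Blocked: default domain; set a different default before federating'
        } elseif ($Domain.AuthenticationType -eq 'Federated') {
            'Federated: do not set this domain as the default'
        } else {
            'Eligible: managed, non-default domain can be federated'
        }
        [pscustomobject]@{ Domain = $Domain.Id; Status = $status }
    }
}

function Test-OnMicrosoftLimit {
    param([object[]]$Domains, [int]$Limit = 5)  # limit as stated on this page
    $count = @($Domains | Where-Object { $_.Id -like '*.onmicrosoft.com' }).Count
    [pscustomobject]@{ Count = $count; Limit = $Limit; CanAddMore = ($count -lt $Limit) }
}

# Constructed sample tenant so the check runs offline.
$sample = @(
    [pscustomobject]@{ Id = 'contoso.onmicrosoft.com'; IsInitial = $true;  IsDefault = $false; AuthenticationType = 'Managed' }
    [pscustomobject]@{ Id = 'contoso.com';             IsInitial = $false; IsDefault = $true;  AuthenticationType = 'Managed' }
    [pscustomobject]@{ Id = 'sso.contoso.com';         IsInitial = $false; IsDefault = $false; AuthenticationType = 'Federated' }
    [pscustomobject]@{ Id = 'corp.contoso.com';        IsInitial = $false; IsDefault = $false; AuthenticationType = 'Managed' }
)

$sample | Get-FederationReadiness | Format-Table -AutoSize
Test-OnMicrosoftLimit -Domains $sample

# Against a live tenant (requires the Microsoft.Graph module):
#   Connect-MgGraph -Scopes 'Domain.Read.All'
#   Get-MgDomain -All | Get-FederationReadiness
```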
