<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Update Office 365 App instance to support on demand rotation of SSO signing certificate

Single Sign-On
Okta Classic Engine
Okta Identity Engine

Overview

Okta is committed to delivering the highest level of security and reliability for our customers. To reinforce this commitment, Okta is upgrading the Office 365 Single Sign-On (SSO) integration by transitioning from organization-level certificates to app-level certificates. This change eliminates a single point of failure, reduces the risk of organization-wide service disruptions, and enables on-demand certificate rotation — increasing security posture and reducing downtime risk in alignment with National Institute of Standards and Technology NIST’s guidelines.

Starting July 2026 in the preview environment & August 2026 monthly release for the production environment customers can update their integration. We recommend customers to upgrade as soon as possible for better security & experience. 

Applies To

  • Okta Identity Engine (OIE)

  • Okta Classic Engine

  • Office 365 (Commercial, GCC, and GCC High)

  • WS-Federation Single Sign-On

  • Per-app SSO signing certificates

Prerequisites for Updating the Office 365 Integration

Before updating the Office 365 app instance, confirm the following conditions are met:

  • An active Office 365 application with SSO enabled exists in the org.

  • The administrator holds the relevant role (for example, Application Administrator) to update the application.

  • Global Administrator permissions in Microsoft Entra ID are available (required for the Manual configuration path only, to execute the PowerShell script).

  • The Office 365 SSO application has been migrated to Microsoft Graph. If migration is not yet complete, complete the migration first using the appropriate guide:

NOTE: Existing integrations do not require re-authentication during this process. Starting July in the preview environment and August monthly release in the production environment, customers can update their integration. Upgrading as soon as possible is recommended for improved security and experience.

How to Update to Per-App Certificates

Updating an Automatic WS-Federation Configuration in Microsoft Graph

If the app is already on Microsoft Graph and configured for Automatic WS-Federation, the entire process takes place within the Okta Admin Console. Navigate to the Office 365 application, open the Sign On tab, generate a new certificate from the SAML Signing Certificates table, and activate it using the Actions dropdown menu.

  1. In the Okta Admin Console, navigate to the Office 365 application and select the Sign On tab.

  2. Scroll to the SAML Signing Certificates table and select Generate new certificate.

Generate Certificate

  1. Locate the newly generated certificate in the table, select the Actions dropdown menu, and choose Activate.

Activate

Updating a Manual WS-Federation Configuration in Microsoft Graph

If the domain federation is configured manually, the certificate must be updated in both the Okta Admin Console and the Microsoft environment. Navigate to the Office 365 application, generate a new certificate, retrieve the X509 certificate value from the Identity Provider (IDP) metadata, run the PowerShell script in a PowerShell terminal, and then activate the certificate in Okta.

  1. In the Okta Admin Console, navigate to the Office 365 application and select the Sign On tab.

  2. Scroll to the SAML Signing Certificates table and select Generate new certificate.

Generate Certificate

  1. Select the View Setup Instructions button to the right of the SSO settings widget in the Sign On tab.

View setup instructions

  1. Scroll down to the Update the signing certificate for an already federated domain section to locate the PowerShell script.

Update the signing certificate for an already federated domain 

  1. Replace the <NewCertificate> field in the PowerShell script with the X509Certificate value for the certificate to be activated.

    • To retrieve the X509Certificate value, select the Actions dropdown menu for the target certificate and choose View IDP Metadata.

View IP Metadata

    • The content inside the <ds:X509Certificate> tags is the required value.

ds:X509Certificate

NOTE: Ensure there are no whitespaces in the X509 certificate value copied from the IDP metadata before pasting it into the script.

  1. Run the PowerShell script in a PowerShell terminal on a Windows machine.

  2. Return to the SAML Signing Certificates table, select the Actions dropdown menu for the newly generated certificate, and choose Activate to complete the certificate rotation.

Activate

Warning: SSO will fail unless all steps above are completed successfully. A successful script execution is confirmed by the PowerShell terminal output.

NOTE: There is downtime for end users from the time the new PowerShell script is run until the certificate is activated in Okta. To avoid this downtime, switching to Automatic federation is recommended. Uncheck the manual configuration option in the app settings, switch to Automatic, enter Microsoft admin credentials, and grant consent to federate. Once saved, Okta automatically handles certificate updates.

How to Perform a Bulk Certificate Update via API

If a large number of Office 365 applications on WS-Federation require updates, certificates can be generated and updated in bulk using the Okta API instead of updating each application individually in the Admin Console. Retrieve all app instances, generate a new certificate for each, copy the Key ID (KID) from the response, update the certificate via the API, and — for Manual configurations only — run the PowerShell script in Microsoft Entra.

Refer to the following guide before proceeding: How to generate a new IdP certificate via API using Postman

  1. Retrieve the list of all app instances in the org using the List Active Apps API call in a REST API client (for example, Postman or a similar tool that fits the organization's guidelines).

  2. For each app instance ID, complete the following steps — either manually or via script:

    1. Use the Get App API to fetch the name and label for each app instance.

    2. Use the Post Generate API to generate a certificate for the app instance, specifying the desired validity period in years.

    3. Copy the KID value from the response of the Generate API call.

    4. Update the certificate for the app instance using the Put - Update Application Certificate API call, populating the payload with the name, label, and KID values from the previous steps. This call activates the certificate.

    5. For Manual configurations only — use the PowerShell script found in View Setup Instructions to activate the certificate in Microsoft Entra.

Related References

 

 

Loading
Okta Support - Update Office 365 App instance to support on demand rotation of SSO signing certificate