Okta Classic Engine | Okta Integration Network | Answered | 2024-04-16T11:15:24.000Z | 2021-04-07T01:20:17.000Z | 2021-04-08T18:18:33.000Z

Rocky (Customer) asked a question.

Move Office365 to another Okta instance with different domain name

Hello, I'd like to move an Office 365 tenant from one Okta instance to another one. I was thinking of just duplicating the app settings in the new one, but I'm not sure if this will work as the domain names are different in each instance. We own both domains:

 

Okta Org 1: widget.com

MS Tenant: widget

Okta User login: user@widget.com

User email address: user@widget.com

 

Okta Org 2: doohickey.com

MS Tenant: widget

Okta User login: user@doohickey.com

User email address: user@widget.com

 

I'm basically looking to provide the users with their existing experience but through a different Okta instance.

 

Will this work?

 

Thanks in advance


  • feok4 (feok4)

    You can do it - a single Okta instance can support multiple O365 tenants (we've had up to 10 at one point). If you want help with the steps, let me know as there will need to be some work on the tenant side that needs to be done.

    • Rocky (Customer)

      Hi @feok4 (feok4), thanks for the info! Would this require any kind of data migration? How much downtime would there be?

  • feok4 (feok4)

    There is no data migration needed unless you're consolidating tenants. If not, here is what I've done for something similar in the past:

    • Ensure all users exist in the new Okta org, let's say Okta Org 1 for this example
    • Break API integration in Okta Org 2 for the O365 tenant (if using). This does NOT affect SSO but will affect provisioning, etc. We deselect the deactivate account checkbox as a safety. This is the equivalent of breaking dirsync and Microsoft has some timelines that need to be adhered to. NOTE - All objects will appear as cloud objects in the O365 tenant.
    • Once API integration is broken and the appropriate amount of time has passed, move the O365 app from WS-FED to SWA in Okta Org 2. Note - this will break SSO.
    • In Okta Org 1, create a new O365 app, configuring WS-FED and API integration as needed.
    • Add users to the new app, etc.

     

    These steps are high level but should be a good place to start. LMK if this helps.

  • feok4 (feok4)

    @Rocky (Customer) Here are steps I outlined in an older post:

     

    Here were steps we followed (hopefully this will help others):

    * 4-5 days before migration, disable dirsync in the tenant via PS and remove the API config for the O365 app in Okta

    * Verify the above is complete by running the following commands. NOTES - it must return disabled, not pending disabled

    (Get-MSOLCompanyInformation).DirectorySynchronizationStatus

    (Get-MsolCompanyInformation | select DisplayName,DirectorySynchronizationEnabled,DirSyncServiceAccount,LastDirSyncTime)

    * Once the above is verified, test that you can manually change objects in the O365 tenant.

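A go/no-go check for the verification step in the post above, added here as an example (it is not feok4's, Okta's or Microsoft's code). `Test-DirSyncReadyForCutover` is a hypothetical helper name, and the sample objects are constructed so the block runs without a tenant connection; against a live tenant it would be fed the output of `Get-MsolCompanyInformation`.

```powershell
# Hypothetical helper (not a real MSOnline or Okta cmdlet): evaluates the
# properties the post checks and returns a go/no-go record for the cutover.
function Test-DirSyncReadyForCutover {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$CompanyInfo
    )
    process {
        $status  = [string]$CompanyInfo.DirectorySynchronizationStatus
        $enabled = [bool]$CompanyInfo.DirectorySynchronizationEnabled
        $reasons = @()

        # Per the post: the status must be "Disabled", not "PendingDisabled".
        if ($status -ne 'Disabled') {
            $reasons += "DirectorySynchronizationStatus is '$status', expected 'Disabled'"
        }
        if ($enabled) {
            $reasons += 'DirectorySynchronizationEnabled is still True'
        }

        [pscustomobject]@{
            Tenant      = $CompanyInfo.DisplayName
            Status      = $status
            LastDirSync = $CompanyInfo.LastDirSyncTime
            Ready       = ($reasons.Count -eq 0)
            Reasons     = $reasons -join '; '
        }
    }
}

# Constructed sample objects shaped like the properties selected in the post.
$samples = @(
    [pscustomobject]@{ DisplayName = 'widget (sample A)'
                       DirectorySynchronizationStatus  = 'PendingDisabled'
                       DirectorySynchronizationEnabled = $false
                       LastDirSyncTime = [datetime]'2021-04-01T02:00:00Z' },
    [pscustomobject]@{ DisplayName = 'widget (sample B)'
                       DirectorySynchronizationStatus  = 'Disabled'
                       DirectorySynchronizationEnabled = $false
                       LastDirSyncTime = [datetime]'2021-04-01T02:00:00Z' }
)

# Sample A is reported as not ready, sample B as ready.
$samples | Test-DirSyncReadyForCutover | Format-List

# Live use (assumes the MSOnline module is loaded and Connect-MsolService has run):
# Get-MsolCompanyInformation | Test-DirSyncReadyForCutover
```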
  • Rocky (Customer)

    Thanks for those details! If a user exists in Okta Org 1 as user@org1.com but has a new account in Okta Org 2 as users@org2.com, will this method work? Or will the different domain name throw some sort of mismatch error? Sorry if I'm not grasping the concept here.

  • feok4 (feok4)

    Not sure if I understand the question. User accounts are not based on the Okta org but rather based on the email address. For example, john.smith@domain.com can simultaneously exist in Okta Org1 and Okta Org2 at the same time.

This question is closed.