Okta Classic Engine | Integrations | Answered | 2024-04-16T11:02:23.000Z | 2021-09-23T17:13:15.000Z | 2021-09-28T21:57:05.000Z

b3xfx (b3xfx) asked a question.

Office 365 - Moving from AADC Sync to Universal Sync

We are currently using AADC Sync from on-prem AD to O365, with "Licenses/Roles Management Only" as the provisioning type in the Okta O365 app. Besides the on-prem AD environment, we're fully hosted in O365/AAD. We have Workday-as-a-Master for HRIS-driven provisioning.


I've read the "Move Microsoft Office 365 from SWA to WS-Federation" article, but it does not mention provisioning. So far, our plan has two steps defined:


1. Disable AADC Sync.

2. Enable WS-Federation Automatically using Okta.


Besides the two aforementioned steps, is there anything else I'm missing? We want to avoid losing any accounts, data, or interruptions of service.


  • User15870975291971586699 (Vendor Management)

    Greetings!

    This is Andrei on behalf of Okta's Customer Support.

    The provisioning part should automatically kick in after the federation is done.

    If you have any further questions or require any further assistance from support, please consider opening a support ticket with us!

  • 0qdxf (0qdxf)

    Refer to the Okta O365 Provisioning Types page at https://help.okta.com/en/prod/Content/Topics/Apps/Office365/References/provisioning-types.htm


    As the guide notes, you can't switch back once you set Universal Sync unless you have Okta Support enable the AAD Graph API feature. So your steps should have that step first, and then, after you disable AADC, you go into your Office 365 app in Okta and change provisioning from Licenses and Roles to Universal Sync.


    WS-Fed is not tied to provisioning in any way. WS-Fed is part of the Sign-On tab and that's what makes Office 365 send authentication requests to Okta instead of handling them natively. You should also be aware that the default setting for Office 365 in Okta does not support Basic Auth. You should check to make sure that Basic Auth is not being used in your org before enabling WS-Fed. In our experience we had a number of mobile devices (phones) that supported Modern Auth yet refused to use it until accounts were removed and re-added.


    You should also consider disabling Basic Auth in Office 365 prior to federating to Okta. Right now failed auth attempts hit O365 and you likely don't see them. If you federate to Okta, those login attempts will hit Okta and can cause user lockouts. Even adaptive MFA with geo-blocking wasn't preventing these lockouts for us, but by disabling Basic Auth in Office 365 those password spray attacks attempting to use Basic Auth are never forwarded to Okta in the first place.


    Hope that info helps.

    -nick

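The following PowerShell is an added example, not code from the thread, from Okta, or from Microsoft. It works through the Microsoft 365 side of the plan Nick lays out above: inventory who is still signing in with Basic Auth, block Basic Auth in Exchange Online before WS-Fed is turned on so spray traffic never reaches Okta, and stop AADC writing to the tenant before the provisioning type is changed to Universal Sync. It assumes the ExchangeOnlineManagement and Microsoft Graph PowerShell SDK modules are installed, that the account used holds Exchange admin rights plus the AuditLog.Read.All and Organization.ReadWrite.All Graph scopes, and that the tenant has the Entra ID P1 licence that sign-in log access requires. The policy name, the switch names and the 30-day lookback are this example's own choices.

```powershell
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Reports, Microsoft.Graph.Identity.DirectoryManagement
<#
  Added example (not from the thread or from Okta). Pre-federation checks for the
  points raised above: who still uses Basic Auth, block it in Exchange Online,
  stop AADC writing to the tenant. Assumed: modules installed, Exchange admin +
  AuditLog.Read.All + Organization.ReadWrite.All, Entra ID P1 for sign-in logs.
  Without -BlockBasicAuth / -DisableDirSync the script only reports.
#>
param(
    [int]    $LookbackDays = 30,
    [string] $PolicyName   = 'Block Basic Auth',   # example's own name
    [switch] $BlockBasicAuth,                      # step 2: change Exchange Online
    [switch] $DisableDirSync                       # step 3: turn off directory sync
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Organization.ReadWrite.All' | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# 1. Inventory. These clientAppUsed values are the ones Entra ID classifies as
#    legacy authentication; a modern-auth client reports 'Browser' or
#    'Mobile Apps and Desktop clients' instead.
$legacyApps = @(
    'Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3',
    'Reporting Web Services', 'SMTP', 'Other clients'
)
$since  = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
          Where-Object { $_.ClientAppUsed -in $legacyApps }

# Successful legacy sign-ins are the devices and service accounts to fix before
# WS-Fed; failed ones are the password-spray traffic that would start reaching
# Okta (and tripping lockouts) once Office 365 forwards authentication there.
$report = $legacy | Group-Object ClientAppUsed | ForEach-Object {
    $ok = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 })
    [pscustomobject]@{
        Client    = $_.Name
        Succeeded = $ok.Count
        Failed    = $_.Count - $ok.Count
        Users     = @($ok.UserPrincipalName | Sort-Object -Unique).Count
    }
}
$report | Sort-Object Succeeded -Descending | Format-Table -AutoSize
$legacyUsers = @($legacy | Where-Object { $_.Status.ErrorCode -eq 0 } |
                 Select-Object -ExpandProperty UserPrincipalName -Unique)
Write-Host "$($legacyUsers.Count) user(s) signed in with Basic Auth in the last $LookbackDays days."

if ($BlockBasicAuth) {
    # 2. A new Exchange Online authentication policy blocks every Basic Auth
    #    protocol by default; making it the org default covers users with no
    #    explicit policy. SMTP AUTH is switched off separately at transport level.
    if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        New-AuthenticationPolicy -Name $PolicyName | Out-Null
    }
    Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
    # Policy changes propagate within about 24h; resetting the token validity
    # timestamp applies them now, at the cost of those users re-authenticating.
    foreach ($upn in $legacyUsers) {
        Set-User -Identity $upn -STSRefreshTokensValidFrom ([datetime]::UtcNow)
    }
}

if ($DisableDirSync) {
    # 3. Pause the on-prem scheduler first (run on the AADC server, not here):
    #       Set-ADSyncScheduler -SyncCycleEnabled $false
    #    then turn directory sync off in the tenant so the synced objects become
    #    cloud-managed. Microsoft documents this as taking up to 72 hours and as
    #    something not to toggle back and forth, hence the separate switch.
    $orgId = (Get-MgOrganization).Id
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/organization/$orgId" `
        -Body @{ onPremisesSyncEnabled = $false }
}

# 4. The remaining steps are done in the Okta admin console, per the answer above:
#    Office 365 app > Provisioning: Licenses and Roles Management Only -> Universal Sync
#    (one-way without Okta Support), then Sign On > WS-Federation (Automatic).
```

Run it once with no switches and read the table: a non-zero Succeeded count for IMAP4, POP3, SMTP or Exchange ActiveSync is a device or service account that will break when Basic Auth is blocked, which matches the phones Nick describes that had to be removed and re-added. Only after that list is empty does it make sense to re-run with -BlockBasicAuth, and -DisableDirSync belongs in its own change window because the tenant-side flag is slow to take effect and the Universal Sync switch that follows it in Okta is one-way.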
This question is closed.