Downtime for Re-Federating Microsoft Domain when Switching Identity Providers

J, Connie 40 Reputation points
2025-08-13T17:31:58.6133333+00:00

We are switching identity providers for our Microsoft Domain from ADFS to Okta. During the re-federation process, will existing user sessions persist as long as the token is not expired? For desktop, mobile, and OWA?

How long would the re-federation process take? The Microsoft Domain has around 70,000 users. The documentation said it would take 1 hour - is that accurate?

Windows for business | Windows 365 Enterprise

Accepted answer
  1. Harry Phan 1,225 Reputation points Independent Advisor
    2025-08-15T06:52:24.1866667+00:00

    Dear J, Connie,

    During the re-federation process, existing user sessions will typically persist across desktop, mobile, and Outlook Web Access (OWA) as long as the authentication token remains valid. Users may be prompted to re-authenticate once their session expires or if conditional access policies require it. This behavior is consistent with Microsoft’s token-based authentication model.

    While Microsoft documentation states that domain federation changes are applied within minutes, organizations have reported that full propagation—especially for large environments—can take up to 1 hour for login redirection to fully transition from ADFS to Okta. This timeframe aligns with your expectations and is considered typical for domains of your scale.

    For reference, you can review Microsoft’s guidance on federation timing here and Okta’s documentation on federation propagation here.

    Ensure all Okta accounts are provisioned and active prior to switching.

    Monitor login behavior post-transition to confirm successful redirection.

    Retain ADFS temporarily as a fallback during the transition window.

    Avoid making concurrent changes to conditional access or MFA policies during re-federation.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Best regards,

    Harry Phan
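One way to carry out the "monitor login behavior post-transition" step during the propagation window described in the answer. This is an added example, not part of the original answer or of Microsoft's or Okta's tooling. It assumes you poll realm discovery for a test user and that each JSON response carries `NameSpaceType` and `AuthURL` fields; the host names and sample responses are constructed.

```python
import json
from urllib.parse import urlsplit

OLD_IDP = "adfs.example.com"   # hypothetical ADFS host
NEW_IDP = "example.okta.com"   # hypothetical Okta org host

# Constructed realm-discovery responses (not real captures); field names are an assumed shape.
_ADFS = '{"NameSpaceType":"Federated","AuthURL":"https://adfs.example.com/adfs/ls/"}'
_OKTA = '{"NameSpaceType":"Federated","AuthURL":"https://example.okta.com/sso/wsfed/passive"}'
SAMPLE_POLLS = [_ADFS, _OKTA, _ADFS, _OKTA, _OKTA, _OKTA]  # oldest first


def classify(raw):
    """Map one response to 'old-idp', 'new-idp', 'managed' or 'unexpected'."""
    doc = json.loads(raw)
    if doc.get("NameSpaceType") != "Federated":
        return "managed"
    # Compare the exact host, so a look-alike or stale endpoint is not accepted.
    host = (urlsplit(doc.get("AuthURL") or "").hostname or "").lower()
    if host == OLD_IDP:
        return "old-idp"
    if host == NEW_IDP:
        return "new-idp"
    return "unexpected"


def cutover_status(polls, stable=3):
    """Summarise a poll series taken during the propagation window.

    The cutover counts as complete only when the last `stable` polls all
    point at the new IdP and no poll pointed at an unexpected host.
    """
    states = [classify(p) for p in polls]
    alerts = [i for i, s in enumerate(states) if s == "unexpected"]
    streak = 0
    for s in reversed(states):
        if s != "new-idp":
            break
        streak += 1
    first_new = states.index("new-idp") if "new-idp" in states else None
    # A return to the old IdP after the new one was seen means propagation is still uneven.
    flapped = first_new is not None and "old-idp" in states[first_new:]
    return {"complete": streak >= stable and not alerts,
            "flapped": flapped, "alerts": alerts, "states": states}


if __name__ == "__main__":
    print(cutover_status(SAMPLE_POLLS))
```

A `flapped` result without alerts matches the uneven propagation the answer describes; an `unexpected` host is a reason to stop and check the federation settings before relying on the redirect.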

