TL;DR
An engineer migrated 350+ users from Google Workspace federation to Okta federation for Microsoft 365 and documents the full process, the pitfalls hit along the way, and the recovery strategies used.
Key Points
- Cloud-only Microsoft 365 tenant (no on-prem AD) cut over from Google Workspace federation to Okta federation, with ImmutableID remapping across 350+ users
- Critical gotcha: the tenant's default domain cannot be federated; the default must be explicitly switched to another domain before federation is configured
- ImmutableID remapping wrote plain Okta user IDs (not Base64-encoded, as an on-prem objectGUID would be) to every existing user via PowerShell; 342 of 350 succeeded on the first run
- Guest access to external tenants required Conditional Access policy updates to accept federated authentication; an undocumented failure mode for Teams/SharePoint collaboration
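The two steps above that are easiest to get wrong, the default-domain precondition and the ImmutableID remap, are shown below as an added worked example written for this summary; it is not the author's script and not Okta or Microsoft code. It assumes the Microsoft Graph PowerShell SDK, an admin session with the User.ReadWrite.All and Domain.ReadWrite.All scopes, a hypothetical federated domain of example.com, and a constructed UPN-to-Okta-ID mapping in place of the real export.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
# Added example (not from the original post): check the default-domain
# precondition, then write Okta user IDs as ImmutableID on cloud-only users.
# Domain name, UPNs and Okta IDs below are constructed sample data.
param(
    [string]$FederatedDomain = 'example.com',   # assumption: the domain being federated
    [switch]$DryRun                              # report what would change without writing
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Domain.ReadWrite.All' -NoWelcome

# 1. A domain that is the tenant default cannot be converted to federated.
#    If it is the default, move the default to a verified .onmicrosoft.com domain first.
$domain = Get-MgDomain -DomainId $FederatedDomain
if ($domain.AuthenticationType -eq 'Federated') {
    Write-Warning "$FederatedDomain is already federated; check the current IdP before changing anything"
}
if ($domain.IsDefault) {
    $fallback = Get-MgDomain |
        Where-Object { $_.Id -like '*.onmicrosoft.com' -and $_.IsVerified } |
        Select-Object -First 1
    if (-not $fallback) { throw 'No verified .onmicrosoft.com domain available to become the default' }
    Write-Host "Switching default domain from $FederatedDomain to $($fallback.Id)"
    if (-not $DryRun) { Update-MgDomain -DomainId $fallback.Id -IsDefault:$true }
}

# 2. UPN -> Okta user ID mapping (constructed sample; in practice exported from Okta).
$mapping = @'
UserPrincipalName,OktaUserId
alice@example.com,00u1abcdefghijklmno1
bob@example.com,00u2abcdefghijklmno2
'@ | ConvertFrom-Csv

# Okta IDs are written as-is: no Base64 encoding, unlike the objectGUID-derived
# ImmutableID that directory sync produces for on-prem accounts.
$succeeded = New-Object System.Collections.Generic.List[string]
$failed    = New-Object System.Collections.Generic.List[object]

foreach ($row in $mapping) {
    try {
        $user = Get-MgUser -UserId $row.UserPrincipalName `
            -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled `
            -ErrorAction Stop
        if ($user.OnPremisesSyncEnabled) {
            throw 'directory-synced user; ImmutableID is owned by the sync client'
        }
        if ($user.OnPremisesImmutableId -and $user.OnPremisesImmutableId -ne $row.OktaUserId) {
            Write-Warning "$($row.UserPrincipalName): existing ImmutableID $($user.OnPremisesImmutableId) will be overwritten"
        }
        if (-not $DryRun) {
            Update-MgUser -UserId $user.Id -OnPremisesImmutableId $row.OktaUserId -ErrorAction Stop
        }
        $succeeded.Add($row.UserPrincipalName)
    }
    catch {
        $failed.Add([pscustomobject]@{ User = $row.UserPrincipalName; Error = $_.Exception.Message })
    }
}

Write-Host ("{0}/{1} users remapped" -f $succeeded.Count, $mapping.Count)
if ($failed.Count) {
    $failed | Format-Table -AutoSize
    # Keep the failure list: these users will not be able to sign in through Okta
    # until their ImmutableID matches the NameID Okta sends, so they need follow-up.
    $failed | Export-Csv -Path .\immutableid-failures.csv -NoTypeInformation
}
```

Run it once with -DryRun to see the domain switch and any overwrite warnings before touching the tenant. Entra rejects an ImmutableID value that is already assigned to another object, so check the failures CSV for duplicate values before re-running the remaining users.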
Why It Matters
Identity consolidation is a common infrastructure challenge for growing orgs, and this post provides a detailed post-mortem covering federation mechanics, provisioning modes, and failure scenarios that affect real-world M365/Okta deployments. The external tenant guest access issue alone is a subtle gotcha that could silently break collaboration for partner organizations.
Source: andrewdoering.org