Forum Discussion
SAML authentication to O365 for a subset of users - Is this possible?
boneyfrancis Thanks for your response. Yes, I had indeed noticed that it seemed impossible to separate a group of users since they share the same domain.
Would you happen to know if there's a demo of what you describe in your answer? Also, would a user with a remapped UPN continue to communicate via the same email address of the un-federated domain? I'm trying to make this as transparent as possible to the end user.
I'm sure someone would have tried this, but I haven't personally seen any demo/articles on the same. The steps involved would be:
1. Add a new MSOL domain in O365 using the https://docs.microsoft.com/en-us/powershell/module/msonline/new-msolfederateddomain?view=azureadps-1.0 cmdlet.
2. Run https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0 to modify the parameters; at a minimum, you'll need the ActiveLogOnUri, IssuerUri, LogOffUri, MetadataExchangeUri, PassiveLogOnUri and SigningCertificate parameters from your IDP provider.
3. If your user accounts are created directly on O365, modify your UPN to match the newly added domain through the admin portal or using https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoluserprincipalname?view=azureadps-1.0. If your user accounts are managed from on-premise AD and synchronized to O365, you'll need to add a domain suffix in local AD matching the new UPN and then modify your UPN to match the newly added UPN suffix.
4. Now whenever you log in to your O365 account, enter your new UPN as the username, and you'll get redirected to your IDP for authentication. Once the initial tests are successful, you can repeat step 3 for more users as part of the POC.
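The four steps above as one PowerShell session, added here as an illustration and not taken from either poster. It uses the MSOnline cmdlets the answer names; the domain name, IdP endpoint URLs, certificate string and user names are placeholders to replace with your own tenant's values, and it assumes the new domain has already been verified in the tenant (DNS TXT record) before federation is configured. The two `Get-Msol*` calls are checks the answer does not list, included so you can confirm the settings and the pilot user's UPN change before touching more accounts.

```powershell
# Added example (not from the thread). Assumes the MSOnline module is installed
# and that every value below is a placeholder for your own tenant and IdP.
Connect-MsolService

$newDomain = 'federated.example.com'   # placeholder: the new UPN suffix to federate

# Placeholder endpoints and signing certificate, taken from your IdP's SAML metadata.
# SigningCertificate is the Base64 DER body only, without PEM header/footer lines.
$idp = @{
    ActiveLogOnUri      = 'https://idp.example.com/saml/active'
    PassiveLogOnUri     = 'https://idp.example.com/saml/sso'
    LogOffUri           = 'https://idp.example.com/saml/logout'
    MetadataExchangeUri = 'https://idp.example.com/saml/mex'
    IssuerUri           = 'https://idp.example.com/saml/issuer'
    SigningCertificate  = 'MIIC...placeholder-base64...'
}

# Check: the domain must already be verified before it can be federated
Get-MsolDomain -DomainName $newDomain | Select-Object Name, Status, Authentication

# Step 1: add the new domain to the tenant as a federated domain
New-MsolFederatedDomain -DomainName $newDomain

# Step 2: point the domain at the external IdP
Set-MsolDomainFederationSettings -DomainName $newDomain @idp

# Check: confirm the stored federation settings match the IdP metadata you intended
Get-MsolDomainFederationSettings -DomainName $newDomain | Format-List

# Step 3: move a single pilot user (cloud-only account) onto the federated suffix.
# Only users whose UPN carries $newDomain are redirected; the rest of example.com is untouched.
$oldUpn = 'pilot.user@example.com'          # placeholder
$newUpn = 'pilot.user@' + $newDomain
Set-MsolUserPrincipalName -UserPrincipalName $oldUpn -NewUserPrincipalName $newUpn

# Check: the pilot user now has the federated UPN; ProxyAddresses shows which
# email addresses remain attached to the account after the UPN change.
Get-MsolUser -UserPrincipalName $newUpn | Select-Object UserPrincipalName, ProxyAddresses

# Step 4 is interactive: sign in at the O365 portal with $newUpn and confirm
# the redirect to the IdP, then repeat step 3 for the next pilot user.
```

Run the `Get-MsolDomainFederationSettings` check against the IdP's published metadata before moving any user: a mismatched IssuerUri or a stale SigningCertificate shows up here as a failed sign-in later, and it is much easier to spot in this output than in a redirect loop at the login page.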