Forum Discussion
SAML authentication to O365 for a subset of users - Is this possible?
In O365, it's the domain you set as federated in order to route its authentication to the IDP, which means all users matching that UPN will get redirected to the IDP for authentication, not a per-user setting.
However, you can add/verify a new domain in O365, map the POC/SAMLtest group users with the new UPN, and federate this new domain with the IDP; that way their authentication will be handled through SAML, while all other users will authenticate directly with O365/Azure.
boneyfrancis Thanks for your response. Yes, I had indeed noticed that it seemed impossible to separate a group of users since they share the same domain.
Would you happen to know if there's a demo of what you describe in your answer? Also, would a user with a remapped UPN continue to communicate via the same email address of the un-federated domain? I'm trying to make this as transparent as possible to the end user.
- boneyfrancis, Jan 27, 2021, Iron Contributor
I'm sure someone would have tried this, but I haven't personally seen any demo/articles on the same. The steps involved would be:
1. Add a new MSOL domain in O365 using the https://docs.microsoft.com/en-us/powershell/module/msonline/new-msolfederateddomain?view=azureadps-1.0 cmdlet.
2. Run https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0 to modify the parameters; at a minimum, you'll need the ActiveLogOnUri, IssuerUri, LogOffUri, MetadataExchangeUri, PassiveLogOnUri and SigningCertificate parameters from your IDP provider.
3. If your user accounts are created directly on O365, modify your UPN to match the newly added domain through the admin portal or using https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoluserprincipalname?view=azureadps-1.0. If your user accounts are managed from on-premises AD and synchronized to O365, you'll need to add a domain suffix in local AD matching the new UPN and then modify your UPN to match the newly added UPN suffix.
4. Now whenever you log in to your O365 account, enter your new UPN as the username, and you'll get redirected to your IDP for authentication. Once the initial tests are successful, you can repeat step 3 for more users as part of the POC.
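Steps 2 to 4 of the reply above, scripted with the MSOnline cmdlets it names, as an added example that is not part of the thread. It assumes step 1 is already done (the new domain is added, verified and federated), that the IdP's SAML metadata has been exported to a file, and that every domain, user and URL below is a placeholder; the `-PreferredAuthenticationProtocol Samlp` switch is this example's own addition, since the thread does not mention it.

```powershell
# Added example, not from the thread. All values are placeholders for your tenant/IdP.
Import-Module MSOnline
Connect-MsolService

$Domain    = 'samltest.example.com'   # placeholder: new domain used only by the POC users
$PilotUser = 'alice@example.com'      # placeholder: POC user currently on the managed domain
$IdPMeta   = 'C:\idp\metadata.xml'    # placeholder: SAML metadata exported from the IdP

# Refuse to touch a domain that is not verified and federated: settings applied to a
# managed or unverified domain do not give a working SAML login path (step 1 first).
$d = Get-MsolDomain -DomainName $Domain
if ($d.Status -ne 'Verified' -or $d.Authentication -ne 'Federated') {
    throw "$Domain is $($d.Status)/$($d.Authentication); finish step 1 first"
}

# Read endpoints and signing certificate from the IdP metadata instead of retyping them.
# The certificate registered here is what Azure AD will trust for EVERY user on this
# domain, so compare its thumbprint with the one the IdP publishes before continuing.
[xml]$md  = Get-Content -Path $IdPMeta
$sso      = $md.EntityDescriptor.IDPSSODescriptor
$signKey  = $sso.KeyDescriptor | Where-Object { $_.use -ne 'encryption' } | Select-Object -First 1
$certB64  = $signKey.KeyInfo.X509Data.X509Certificate -replace '\s', ''
$cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($certB64))
Write-Host "IdP signing cert thumbprint: $($cert.Thumbprint), expires $($cert.NotAfter)"
$ssoUrl   = ($sso.SingleSignOnService | Where-Object { $_.Binding -like '*HTTP-Redirect' } | Select-Object -First 1).Location
$sloUrl   = ($sso.SingleLogoutService | Select-Object -First 1).Location

# Step 2: register the IdP on the new domain. ActiveLogOnUri (used by non-browser clients)
# and MetadataExchangeUri are placeholders here; use the values your IdP documents.
Set-MsolDomainFederationSettings -DomainName $Domain `
    -IssuerUri           $md.EntityDescriptor.entityID `
    -PassiveLogOnUri     $ssoUrl `
    -ActiveLogOnUri      $ssoUrl `
    -LogOffUri           $sloUrl `
    -MetadataExchangeUri 'https://idp.example.com/metadata' `
    -SigningCertificate  $certB64 `
    -PreferredAuthenticationProtocol Samlp

# Step 3: move one POC user onto the new domain (cloud-created account case).
$NewUpn = 'alice@' + $Domain
Set-MsolUserPrincipalName -UserPrincipalName $PilotUser -NewUserPrincipalName $NewUpn

# Step 4 (check): confirm what the tenant now holds before trying an interactive login,
# and inspect the user's ProxyAddresses to see which mail addresses remain attached.
Get-MsolDomainFederationSettings -DomainName $Domain |
    Select-Object IssuerUri, PassiveLogOnUri, PreferredAuthenticationProtocol
Get-MsolUser -UserPrincipalName $NewUpn | Select-Object UserPrincipalName, ProxyAddresses
```

Run it with an account that holds the Global Administrator role in the tenant, and keep the thumbprint check: whoever controls the key behind that certificate can sign assertions for all users on the federated domain.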