Jan 12 2021 07:38 PM
I'm looking to trial SAML authentication using a third party IDP and I'm checking to see if it is possible to turn this on for a subset of users for testing.
In other words, I'm looking to place a subset of users in my organisation into a SAMLTest group. Then:
Is this possible?
Jan 13 2021 12:12 AM
Jan 25 2021 07:35 PM
@boneyfrancis Thanks for your response. Yes, I had indeed noticed that it seemed impossible to separate a group of users since they share the same domain.
Would you happen to know if there's a demo of what you describe in your answer? Also, would a user with a remapped UPN continue to communicate via the same email address of the un-federated domain? I'm trying to make this as transparent as possible to the end user.
Jan 27 2021 12:20 AM
I'm sure someone would have tried this, but I haven't personally seen any demo/articles on the same. The steps involved would be:
1. Add new MSOL domain in O365 using New-MsolFederatedDomain cmdlet
2. Run Set-MsolDomainFederationSettings to modify the parameters; at a minimum, you'll need the ActiveLogOnUri, IssuerUri, LogOffUri, MetadataExchangeUri, PassiveLogOnUri and SigningCertificate parameters from your IDP provider
3. If your user accounts are created directly on O365, modify your UPN to match the newly added domain through the admin portal or using Set-MsolUserPrincipalName. If your user accounts are managed from on-premise AD and synchronized to O365, you'll need to add a domain suffix in local AD matching the new UPN and then modify your UPN to match the newly added UPN suffix.
4. Now whenever you log in to your O365 account, enter your new UPN as the username, and you'll get redirected to your IDP for authentication. Once the initial tests are successful, you can repeat step 3 for more users as part of the POC
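Steps 2 and 3 of the answer above as one MSOnline script, an added example and not the poster's own code. It assumes the pilot domain has already been added and verified in the tenant (step 1), that the IdP URLs, the certificate path and the pilot user list are placeholders I constructed, and it verifies the stored federation settings before any UPN is moved.

```powershell
# Added example: federate a separate pilot UPN suffix and move only pilot users onto it.
# Assumptions: MSOnline module installed, the pilot domain below already exists and is
# verified, IdP values are placeholders, the pilot user list is constructed.
Import-Module MSOnline
Connect-MsolService

$PilotDomain = 'sso-pilot.example.com'          # placeholder pilot UPN suffix
$Idp = @{
    ActiveLogOnUri      = 'https://idp.example.com/saml/ecp'      # placeholder
    IssuerUri           = 'https://idp.example.com/saml/metadata' # must equal the IdP entityID
    LogOffUri           = 'https://idp.example.com/saml/logout'   # placeholder
    MetadataExchangeUri = 'https://idp.example.com/saml/mex'      # placeholder
    PassiveLogOnUri     = 'https://idp.example.com/saml/sso'      # placeholder
    # Base64 of the IdP token-signing certificate (public part only); placeholder path
    SigningCertificate  = [Convert]::ToBase64String((Get-Content -Path '.\idp-signing.cer' -Encoding Byte))
}

# Step 2: apply the IdP settings to the pilot domain only; the production domain is untouched.
Set-MsolDomainFederationSettings -DomainName $PilotDomain @Idp

# Read back what the tenant now holds before moving any user: a wrong IssuerUri or a stale
# signing certificate locks every pilot user out at their next sign-in.
$fed = Get-MsolDomainFederationSettings -DomainName $PilotDomain
if ($fed.IssuerUri -ne $Idp.IssuerUri) { throw "IssuerUri mismatch on $PilotDomain" }
if ([string]::IsNullOrEmpty($fed.SigningCertificate)) { throw "No signing certificate stored for $PilotDomain" }

# Step 3: re-map only the pilot users (constructed list) onto the federated suffix.
$PilotUsers = @('alice@example.com', 'bob@example.com')
foreach ($upn in $PilotUsers) {
    $newUpn = ($upn -split '@')[0] + '@' + $PilotDomain
    Set-MsolUserPrincipalName -UserPrincipalName $upn -NewUserPrincipalName $newUpn
    Write-Host "Moved $upn -> $newUpn (sign-in now redirects to $($Idp.PassiveLogOnUri))"
}

# Rollback for a pilot user who cannot sign in: move the UPN back to the managed domain.
# Set-MsolUserPrincipalName -UserPrincipalName 'alice@sso-pilot.example.com' -NewUserPrincipalName 'alice@example.com'
```

Keep the pilot list small and keep the rollback line handy; the managed domain keeps working for everyone not moved, so a broken IdP configuration only affects the listed accounts.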