SAML authentication to O365 for a subset of users - Is this possible?

Copper Contributor

I'm looking to trial SAML authentication using a third party IDP and I'm checking to see if it is possible to turn this on for a subset of users for testing.

 

In other words, I'm looking to place a subset of users in my organisation into a SAMLTest group.  Then:

  • users in the test group now authenticate to O365 via SAML
  • users not in the test group continue to authenticate via username/password

Is this possible?

 

3 Replies

In O365, its the domain you set as federated in order to route its authentication to the IDP, which means all users matching that UPN will get redirected to the IDP for authentication- not a per user setting.
However, you can add/verify a new domain in O365, map the POC/SAMLtest group users with the new UPN, and federate this new domain with the IDP- that way their authentication will be handled thru SAML, while all other users will authenticate directly with O365/Azure

@boneyfrancis Thanks for your response.  Yes, I had indeed noticed that it seemed impossible to separate a group of users being they share the same domain.

 

Would you happen to know if there's a demo of what you describe in your answer?  Also, would a user with a remapped UPN continue to communicate via the same email address of the un-federated domain?  I'm trying to make this as transparent as possible to the end user.

 

@ak2766 

 

I'm sure someone would have tried this, but I haven't personally seen any demo/articles on the same. The steps involved would be:

1. Add new MSOL domain in O365 using New-MsolFederatedDomain cmdlet

2. Run Set-MsolDomainFederationSettings to modify the parameters- at a minimum, you'll need ActiveLogOnUri, IssuerUri, LogOffUri, MetadataExchangeUri, PassiveLogOnUri and SigningCertificate parameters from your IDP provider

3. If your user accounts are created directly on O365, modify your UPN to match the newly added domain thru the admin portal or using Set-MsolUserPrincipalName. If your user accounts are managed from on-premise AD and synchronized to O365, you'll need to add a domain suffix in local AD matching the new UPN and then modify your UPN to match the newly added UPN suffix.

4. Now whenever you login to your O365 account, enter your new UPN as Username, and you'll get re-directed to your IDP for authentication. Once the initial tests are successful, you can repeat step-3 for more users as part of POC