Federation for a partial population

Younes AITIFALI 1 Reputation point
2022-07-29T17:24:49.863+00:00

Greetings,

I want to know if it is possible to federate the authentication of a partial population that resides on AzureAD, using an external Identity Provider (PingFederate, Okta, ..)

The goal is to test this federation on a pilot population just on AzureAD production, before expanding it to the entire population.

Thank you in advance,


3 answers

Sort by: Most helpful
  1. Dillon Silzer 54,091 Reputation points
    2022-07-29T18:44:12.243+00:00

    Hi @Younes AITIFALI

    To answer your question: Yes.

    When you are creating an enterprise application (for external Identity Providers) you will be able to manage who can use the app by assigning users or groups to the application.

    [screenshot attached in the original answer: 226248-image.png]

    Make Azure Active Directory an identity provider (with Okta as example)

    https://help.okta.com/en-us/Content/Topics/Provisioning/azure/azure-identify-identity-provider.htm#:~:text=Sign%20in%20to%20the%20Microsoft,left%20menu%20and%20click%20SAML.

    After adding Okta as an Azure AD Enterprise Application, assign certain users or groups (population) to the app and only they will be able to use Azure AD SSO.

    -----------------------

    If this is helpful please mark as correct answer.
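
    The answer above says to assign users or groups to the enterprise application so that only they can use it. The following is an added example (not part of Dillon's answer and not Okta's or Microsoft's own code) showing the same thing done with the AzureAD PowerShell module: it restricts the app to one pilot group and, importantly, switches on "assignment required", without which the assignment does not actually limit who can sign in. The application display name `Okta` and the group name `Pilot-Federation` are assumed placeholders.

    ```powershell
    # Added example: scope an enterprise application to a single pilot group.
    # Names below are placeholders; replace them with the values in your own tenant.
    Connect-AzureAD

    $appDisplayName = 'Okta'               # placeholder: display name of the enterprise app
    $pilotGroupName = 'Pilot-Federation'   # placeholder: security group holding the pilot users

    $sp    = Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'"
    $group = Get-AzureADGroup -Filter "displayName eq '$pilotGroupName'"
    if (-not $sp -or -not $group) { throw 'Service principal or pilot group not found' }

    # Without this flag, assignment is informational only: every user in the tenant
    # can still sign in to the app. This is the setting that enforces the pilot scope.
    Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

    # Assign the pilot group. The all-zero role id is the default access role for apps
    # that define no app roles; if the app defines roles, pick one from $sp.AppRoles.
    $defaultRoleId = '00000000-0000-0000-0000-000000000000'
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
        -ResourceId $sp.ObjectId -Id $defaultRoleId

    # Verify exactly which principals can now use the app.
    Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
        Select-Object PrincipalDisplayName, PrincipalType, CreationTimestamp
    ```

    Check the last command's output before announcing the pilot: if a broader group (or "All users") also appears there, the population is not as partial as intended.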


  2. Younes AITIFALI 1 Reputation point
    2022-08-01T11:16:26.427+00:00

    Hello DillonJS,

    Thank you for your answer.

    I actually want to know if we can delegate the entire authentication to the 3rd party IDP (for that limited population at first), so that access to the applications and services (Office365, Outlook, ..) will be automatically assigned to it.

    Regards,


  3. Mark Morowczynski 251 Reputation points Microsoft Employee
    2023-01-21T01:28:02.87+00:00

    When a domain name is federated, it's for ALL users that have that domain name. I suspect you do not want to change the domain name for some of the users. There is a thing called Staged Rollout (https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout) which most people use to move OFF federation, but I suspect you could use it in the reverse to achieve your goal.

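
    As an added example (not part of Mark's answer and not Microsoft's own code), this is what a Staged Rollout policy scoped to one pilot group looks like with the AzureADPreview PowerShell module. It shows the feature in its documented direction, moving a group from federation to cloud authentication while the domain itself stays federated for everyone else; the reverse use the answer speculates about is not shown. The group name `Pilot-CloudAuth` is an assumed placeholder.

    ```powershell
    # Added example: create a Staged Rollout policy for one pilot group.
    # Password hash sync must already be running for the PasswordHashSync feature.
    Connect-AzureAD

    $pilotGroupName = 'Pilot-CloudAuth'   # placeholder: must be a security group; nested groups are not supported

    $group = Get-AzureADGroup -Filter "displayName eq '$pilotGroupName'"
    if (-not $group) { throw "Pilot group '$pilotGroupName' not found" }

    # One policy per feature. Other feature values include PassthroughAuthentication and SeamlessSso.
    $policy = New-AzureADMSFeatureRolloutPolicy -Feature PasswordHashSync `
        -DisplayName 'Staged rollout pilot (PHS)' -IsEnabled $true `
        -Description 'Pilot population authenticates in the cloud instead of via federation'

    # Scope the policy: only members of this group are affected. The federated domain
    # setting is untouched, so all other users with that domain keep using federation.
    Add-AzureADMSFeatureRolloutPolicyDirectoryObject -Id $policy.Id -RefObjectId $group.ObjectId

    # Review the policy and confirm it is enabled and scoped as expected.
    Get-AzureADMSFeatureRolloutPolicy -Id $policy.Id | Format-List DisplayName, Feature, IsEnabled
    ```

    Keep the pilot group small and audit sign-in logs for its members after enabling the policy; a member whose sign-in still shows the federated IdP usually means the sync or the group membership has not caught up yet.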