Federation for a partial population

Greetings,

I want to know if it is possible to federate the authentication of a partial population that resides on Azure AD, using an external Identity Provider (PingFederate, Okta, ...).

The goal is to test this federation on a pilot population, just on Azure AD production, before expanding it to the entire population.

Thank you in advance,

3 answers

Mark Morowczynski 251 Reputation points Microsoft Employee
2023-01-21T01:28:02.87+00:00

When a domain name is federated, it's for ALL users that have that domain name. I suspect you do not want to change the domain name for some of the users. There is a thing called Staged Rollout (https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout) which most people use to move OFF federation, but I suspect you could use it in reverse to achieve your goal.
Younes AITIFALI 1 Reputation point
2022-08-01T11:16:26.427+00:00

Hello DillonJS,
Thank you for your answer.
I actually want to know if we can delegate the entire authentication to the third-party IdP (for that limited population at first), so that access to the applications and services (Office 365, Outlook, ...) will be automatically assigned to it.
Regards,
Dillon Silzer 54,471 Reputation points
2022-07-29T18:44:12.243+00:00

To answer your question: Yes.
When you are creating an enterprise application (for external Identity Providers) you will be able to manage who can use the app by assigning users or groups to the application.
Make Azure Active Directory an identity provider (with Okta as example)
After adding Okta as an Azure AD Enterprise Application, assign certain users or groups (population) to the app and only they will be able to use Azure AD SSO.
-----------------------
If this is helpful please mark as correct answer.