Federation for a partial population

Question

Federation for a partial population

Younes AITIFALI 1

Greetings,

I want to know if it is possible to federate the authentication of a partial population that resides on AzureAD, using an external Identity Provider (PingFederate, Okta, ..)

The goal is to test this federation on a pilot population just on AzureAD production, before expanding it to the entire population.

Thank you in advance,

2 answers

Your answer

Answer 1

Dillon Silzer 57,826 Volunteer Moderator

Hi @Younes AITIFALI

To answer your question: Yes.

When you are creating an enterprise application (for external Identity Providers) you will be able to manage who can use the app by assigning users or groups to the application.

Make Azure Active Directory an identity provider (with Okta as example)

https://help.okta.com/en-us/Content/Topics/Provisioning/azure/azure-identify-identity-provider.htm#:~:text=Sign%20in%20to%20the%20Microsoft,left%20menu%20and%20click%20SAML.

After adding Okta as an Azure AD Enterprise Application, assign certain users or groups (population) to the app and only they will be able to use Azure AD SSO.

-----------------------

If this is helpful please mark as correct answer.

Younes AITIFALI 1 Reputation point

2022-08-01T11:16:26.427+00:00

Hello DillonJS,

Thank you for your answer.

I actually want to know if we can delegate the entire authentication to the 3rd party IDP (for that limited population at first), so that access to the applications and services (Office365, Outlook, ..) will be automatically assigned to it.

Regards,
Barry Thompson 0 Reputation points

2023-01-20T19:08:11.6566667+00:00

Those instructions are to set Azure AD as an identity provider to other services. The question was about partially federating with an external IDP. For instance, all of the users use an <username>@contoso.com sign in name. Typically in the past, federation is done at the domain level, so all users with a contoso.com sign name will need to go to the identity provider we set to federate with that domain. So the question is more about whether or not we can take a handful of users all with the contoso.com domain suffix, and have only them get redirected to OneLogin or Okta. The rest of the contoso.com users would still authenticate with Microsoft.

Thanks!

Answer 2

Mark Morowczynski 251 Microsoft Employee

When a domain name is federated, it's for ALL users that have that domain name. I suspect you do not want to change the domain name for some of the users. There is a thing called Stage Rollout [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout which most people use to move OFF federation, But I suspect you could use it in the reverse to achieve your goal.

Share via

Federation for a partial population

2 answers

Your answer