
We want to test a new IdP in our organization (this IdP is an in-house SAML-compatible IdP). We are using Azure AD.

If we federate a new domain, we can test the authentication, and it works (xxx@NewDomain.Com).

Now, we want to select some real users from our main domain (User1@MainDomain.com) and federate only these users, so that they can start testing the IdP without interrupting all the other users. Is this possible? Can we federate only some users to use an IdP in Azure AD, or must it always be a whole domain?

Our goal is to achieve a gradual migration of the users, so that we can fix any initial bugs with minimal impact.

yeska

2 Answers


Doesn't look like you can; refer to the MS docs for more info here: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation

Noor Khaldi

You should be able to if your on-premises Active Directory accounts use different UPN suffixes for federated logons. Configure your other users to use a different form of authentication, such as single sign-on, pass-through authentication, or simple password sync.

SamErde
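As an added example (not part of the question or of either answer), the per-UPN-suffix setup the answer above describes, in PowerShell. Azure AD decides between federated and managed authentication per verified domain, and the domain is taken from the user's UPN suffix, so the pilot is carved out by giving only the test users a UPN in the pilot suffix and federating just that domain. The script assumes an on-premises forest named MainDomain.com synced with Azure AD Connect, a pilot suffix NewDomain.com that is already a verified custom domain in the tenant, and the ActiveDirectory and MSOnline modules; the account names, IdP endpoint URLs and certificate path are hypothetical placeholders.

```powershell
# Added example, not from the original post. Assumptions (hypothetical values):
#   - forest MainDomain.com is synced with Azure AD Connect
#   - NewDomain.com is already a verified custom domain in the Azure AD tenant
#   - the in-house SAML IdP exposes the endpoints and signing cert named below
# MSOnline is the module of the docs era this page cites and is now deprecated;
# Microsoft Graph PowerShell provides equivalent domain-federation cmdlets.

$PilotSuffix = 'NewDomain.com'     # will be Federated to the in-house IdP
$MainSuffix  = 'MainDomain.com'    # stays Managed (PTA or password hash sync)
$PilotUsers  = @('User1', 'User2') # sAMAccountNames of the testers (hypothetical)

# 1. Make the pilot suffix an alternative UPN suffix of the forest, if it is not yet.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PilotSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $PilotSuffix }
}

# 2. Move only the pilot users to the new suffix. Everyone else keeps
#    @MainDomain.com and is untouched by the federation change below.
foreach ($sam in $PilotUsers) {
    $u = Get-ADUser -Identity $sam -Properties UserPrincipalName
    $newUpn = "$($u.SamAccountName)@$PilotSuffix"
    Set-ADUser -Identity $u -UserPrincipalName $newUpn
    Write-Host "$($u.UserPrincipalName) -> $newUpn"
}
# Run (or wait for) an Azure AD Connect sync cycle so the cloud UPNs follow.

# 3. Federate only the pilot domain with the in-house SAML 2.0 IdP.
#    Azure AD will accept any assertion signed by this certificate for any user
#    whose UPN ends in @NewDomain.com, so the IdP signing key is effectively a
#    credential for the whole pilot domain: protect it accordingly.
Connect-MsolService
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    '.\inhouse-idp-signing.cer'                   # hypothetical path, DER or PEM
$certBase64 = [Convert]::ToBase64String($x509.RawData)

$fedParams = @{
    DomainName                      = $PilotSuffix
    Authentication                  = 'Federated'
    PreferredAuthenticationProtocol = 'Samlp'
    IssuerUri                       = 'https://idp.newdomain.com/saml'      # hypothetical
    PassiveLogOnUri                 = 'https://idp.newdomain.com/saml/sso'  # hypothetical
    LogOffUri                       = 'https://idp.newdomain.com/saml/slo'  # hypothetical
    SigningCertificate              = $certBase64
}
Set-MsolDomainAuthentication @fedParams

# 4. Check the blast radius: exactly one domain should read Federated and the
#    main suffix must still read Managed.
Get-MsolDomain | Select-Object Name, Status, Authentication | Format-Table -AutoSize
$main = Get-MsolDomain -DomainName $MainSuffix
if ($main.Authentication -ne 'Managed') {
    Write-Warning "$MainSuffix is no longer Managed; stop and review before continuing."
}
```

Rolling the pilot back is the same operation in reverse: Set-MsolDomainAuthentication -DomainName NewDomain.com -Authentication Managed, then restore the users' original UPN suffix. When widening the pilot, add users to the suffix rather than federating MainDomain.com, since step 3 applied to the main suffix would move every user at once.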