This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

ADFS SSO - Restrict SSO to a few OU's

Question
0

Sign in to vote

Hi all,

I want to setup ADFS SSO so it only applies to a few OU's. This is being done so staff members can get into Office 365 without having to enter their credentials. All OU's are being sync'd with Directory Services Synchronization tool.

Why restrict it to certain OU?
Some of the users have a shared AD account but use portal.office.com to login to their individual emails.

I understand that ADFS Global Authentication Policy will target every OU that is sync'd to the cloud.

Is there a way to restrict ADFS SSO based on a group membership or IE setting?

Thanks in advance.

Wednesday, December 21, 2016 2:42 PM

Answers

0

Sign in to vote
In the claims rules wizard, there is a tab called "Issuance Authorisation Rules".

You can use this to construct rules that permit or deny access based on the presence or absence of group claims etc.

e.g. Delete the "All" rule.

Add Rule "Permit or Deny User Based on an Incoming Claim".
- Proposed as answer by Pierre Audonnet [MSFT]Microsoft employee Monday, December 26, 2016 4:00 PM
- Marked as answer by Pierre Audonnet [MSFT]Microsoft employee Wednesday, February 15, 2017 6:55 PM
Wednesday, December 21, 2016 6:07 PM