ADFS SSO - Restrict SSO to a few OU's RRS feed

  • Question

  • Hi all,

    I want to setup ADFS SSO so it only applies to a few OU's. This is being done so staff members can get into Office 365 without having to enter their credentials. All OU's are being sync'd with Directory Services Synchronization tool. 

    Why restrict it to certain OU?
    Some of the users have a shared AD account but use portal.office.com to login to their individual emails. 

    I understand that ADFS Global Authentication Policy will target every OU that is sync'd to the cloud.

    Is there a way to restrict ADFS SSO based on a group membership or IE setting? 

    Thanks in advance. 

    Wednesday, December 21, 2016 2:42 PM


  • In the claims rules wizard, there is a tab called "Issuance Authorisation Rules".

    You can use this to construct rules that permit or deny access based on the presence or absence of group claims etc.

    e.g. Delete the "All" rule.

    Add Rule "Permit or Deny User Based on an Incoming Claim".

    Wednesday, December 21, 2016 6:07 PM