Bypassing SSO with Office365 for email only users.

Hi Running ADFS 2.0 with dirsync with SSO (to only the domain).

This company also uses alot of contractors who only need email - and no domain authentication.
Unfortunately - anything going to the domain goes through SSO and needs a domain login - however they wish for them not to have domain access.

Is there a possible way to bypass SSO  so i can create these users without giving them access to the domain (i.e a login to the domain) so they can be email only.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam BrownSr Solutions ArchitectCommented:
Yes. You can create mailboxes that use your domain. If you create a new mailbox, you can select the email domain that is applied to it in O365. (Create the mailbox in O365, not in AD) When given the option, select as the domain and that mailbox will not use ADFS for logon. This will be their reply to email, and they won't be able to use your Federated domain name for their login, but you maybe be able to reassign your email address as the reply address for those mailboxes.
zejburtonAuthor Commented:
Hey acBrown, thats what i ultimately ended up recommending to the customer in this instance anyway as my original idea.  I have just added the SMTP alias as a and set it as reply through powershell.

It would be cool to see if there is a work around for this though - as i'm sure the helpdesk guys will probably be getting calls when theyre getting asked for logins. Oh well! security innit.

Adam BrownSr Solutions ArchitectCommented:
There's not a good workaround, really. You could potentially set things up so the accounts are in AD, but have access to nothing but themselves, but that could get twitchy and difficult to configure, since you have to deal with Deny permissions and those are a headache at times.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
zejburtonAuthor Commented:
Yep exactly.

Just going to write a flashy new user script for this :>

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Office 365

From novice to tech pro — start learning today.