I just implemented an ADFS server to connect a third-party chat tool with our Active Directory via SAML 2.0.

Everything works fine so far but there's a little problem: As soon as a user logs in, the chat tool creates an account for him automatically. That's a problem because every account causes fees.

Is there any way to restrict the ADFS usage to an AD Group?

  • 431
  • 1
  • 4
  • 9

1 Answers1


This can be done by adding a so-called Issuance Authorization Rule.


  • Open AD FS Management Center
  • Expand Trust Relationsships
  • Select Relying Party Trusts
  • Right click the required trust
  • Click Edit Claim Rules
  • Goto the Issuance Authorization Rules tab
  • Delete the default Permit Access To All Users rule
  • Click Add Rule
  • Select Permit or Deny Users Based on an Incoming Claim
  • Incoming Claim Type, select Group SID
  • Click Browse at Incoming claim value
  • Select the required group
  • You're done
  • 143
  • 8
  • 431
  • 1
  • 4
  • 9