© 2021 www.richardwalz.com
Richard Walz
All rights reserved.

How to allow only users of a specific AD group to connect to an ADFS IDP in 2012R2

If you are still using 2012R2 for ADFS and not in a position to leverage Access Control Policies you can leverage the Group SID setting in order to allow the specific group of users you want to authenticate to the IDP.


  1. Right click and select “Properties” of the IDP you want to edit.
  2. Select the “Issuance Authorization Rules” tab
  3. Select add new rule and select ” Group SID (Browse)”, choose the group you want to use.
  4. If exists, remove permit all rule thereafter

While this does work, existing SSO/SAML sessions may take a few hours to expire if this was just implemented. Access Control Policies are easier to use and can be combined with various conditions without needing to resort to complex syntax operations.