I'm looking into using Azure AD for SSO to Box. Is there any way to prevent Azure AD from letting everyone with an Azure AD account sign in to Box?
A few more details...
We have Azure AD through our Educational Office 365 licensing. This appears to give us the Azure AD "Free" features and some, but not all, of the "Basic" features. If we need "Premium" to limit who can access Box we might be able
to purchase that.
I've configured Azure AD SSO for Box using these instructions
https://msdn.microsoft.com/en-us/library/azure/dn308589.aspx
and SSO is working just fine. SSO works for anyone with an Azure AD account who also has a Box account that matches the Azure AD email address. Even if access to Box hasn't been enabled in Azure AD for the user the SSO still lets them in to Box. This is nice
because it "just works" without extra configuration but we give Azure AD accounts to some people who we don't want to allow to access Box. Is there any way to configure Azure AD to not allow someone access to Box?
Sure, we could just not create an account for them in Box and then they couldn't get in, but we are considering turning on Box auto-provisioning, so anyone who can authenticate would get an account. We really need Azure AD to deny access to Box for some people.
We could also delete the Azure AD account or disable it to keep someone from accessing Box, but that isn't an option for us either. These people need Azure AD accounts for Office 365.
Is there any way to configure Azure AD to not allow someone SSO access to Box?
Thanks in advance for your help.