Azure Enterprise Application Permissions

Mark Vitunskas 1 Reputation point
2021-09-29T20:17:58.47+00:00

Hi All,

I set up an Azure Enterprise Application for use with a test SaaS cloud offering recently. Everything was working fine with users who were part of a test security group I created. Any of the users who were a part of the group would get the Azure login, and those who were not would be redirected back to our on-prem ADFS. That was the expected behavior. When it came time to broaden the permissions for all users, I removed the test group and added the dynamic group "All Users" to the Users and Groups permissions of the application. It didn't seem to work for a test account I had, but it would work for any of the users I had in the test security group that previously had permissions. I'm not sure why, so I ended up stripping all permissions from the application and tried to log in the next morning, thinking no matter which account I used I would be forced to use our ADFS login, but that wasn't the case. My normal account would get the Azure login prompt, but my test account would be directed to ADFS. It acts as if the test security group is the de facto authority for who gets the Azure login. Can anyone explain to me what is going on and why it behaves like that?

-Mark

Microsoft Entra ID