Skip to content

Azure Cloud & AI Blog

by the Azure Cloud & AI team at Microsoft

Azure AD Alternate Login ID – Use your e-mail address (preview).

parobinmicrosoft Active Directory, Azure, Identity, Office365, PowerShell June 4, 2020June 4, 2020 3 Minutes

Introduction

For logging into office 365 services, and you are syncing your users from on premises AD via Azure AD Connect, Microsoft has always recommended changing your users UPNs to match their e-mail address. 2 of the main reasons for this are:

  1. You can not use non routable domains in Azure AD. So domain.local will not work in azure AD.
  2. Its easier to tell a user to use their e-mail address, than use their UPN. Most users will not know what a UPN is, never mind know what their UPN is without being told.

Most organizations can handle this ok. Most 365 migrations I’ve done in the past, we have been able to update the UPNs with no issue. But what if an organization can’t. Some critical application use UPNs for login and changing will cause issues, or there are just that many applications that finding out what applications use UPNs will just take too long and delay the roll out of 365 services.

There are currently 2 methods of Alternant ID

  1. Via ADFS
  2. Via Azure AD Connect

These 2 options force all users to follow the same login pattern and needs maintained. For example, if you set the login ID to be their mail attribute, then this will affect all users. This might not be a bad thing, but you cannot have some users login using their UPN if they wanted to.

This Post will talk about a new preview feature that will allow users to log in via their e-mail address while not affecting their UPNs.

Sign-in to Azure Active Directory using their assigned e-mail addresses in exchange online as an alternate login ID (preview)

The details for this method are very well detailed in this docs article, so i wont go over all the ins and outs. But i will show you how it worked in my lab.

The first thing you must do is to create a new or modify an existing home realm discovery policy. We will start by checking if a home realm discovery policy already exists. 

Get-AzureADPolicy | where-object {$_.Type -eq "HomeRealmDiscoveryPolicy"} | fl *

If this returns blank, we can create a new policy

New-AzureADPolicy -Definition @('{"HomeRealmDiscoveryPolicy" :{"AlternateIdLogin":{"Enabled": true}}}') `
    -DisplayName "BasicAutoAccelerationPolicy" `
    -IsOrganizationDefault $true `
    -Type "HomeRealmDiscoveryPolicy"

Editing an existing policy is detailed in the main docs article.

This method allows sign in by a users e-mail addresses. Or their proxy addresses that you are syncing from AD. In this example, we have a user with a non routable UPN and a routable e-mail address in his proxy address

When synchronised into Azure AD, the user gets an @ulrobinson.onmicrosoft.com sign in address as expected. He gets an e-mail address that matches his proxy address.

This is the important part of this preview feature, you can sign in using this e-mail address. As well as the azure sign in address. Below shows the “stay signed in” message you get after successful login and MFA. Notice the user name of the sign in. This user has 2 usernames to sign into the same account.

Just for fun, i added another proxy address to the user and sign in under this username was also successful

Conclusion

This new feature should remove a blocker if you cant update your UPNs to match SMTP addresses. This blocker can exist for many reasons as mentioned above, but this does not change the recommendations from Microsoft. We still recommend updating UPNs to be routable. There are other features in Azure AD that are not compatible with non routable UPNs. One major one is Azure AD Hybrid Join as detailed at the bottom of this docs article.

So please have a look at this feature and test, you can provide any feedback with links at the bottom of the article here.

Links:

Alternant Login with email. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-email-signin

Alternant login via ADFS https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id

Alternant login with AD Connect https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname

Azure AD Hybrid AD Join https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-upn-support-for-hybrid-azure-ad-join

Authors

  • parobinmicrosoft
Share This Post
  • Facebook
  • Twitter
  • Linkedin
  • Reddit
  • email
  • Tagged
  • Active Directory
  • Alternate Login
  • Azure AD
  • Azure AD Connect
  • Azure sign in address
  • Non routable UPN
  • routeable upn
Published June 4, 2020June 4, 2020

Post navigation

Previous Post Creating an Azure Sentinel Taskbar and Start Menu Shortcut and Icon for Quick Access
Next Post Deploy Configuration Manager Client through Intune, namely Autopilot…

You must log in to post a comment.

Search This Blog

Categories

  • Active Directory
  • ATA/ATP
  • Azure
  • Azure Sentinel
  • BI and Analytics
  • DevOps
  • Failover Clustering
  • GroupPolicy
  • Hyper-V
  • Identity
  • Intune
  • KMS
  • Office365
  • OMS
  • Performance
  • PowerShell
  • Security
  • Soft Skills
  • System Center
  • Uncategorized
  • Windows
  • WSUS
  • WVD

Follow Blog via Email

Enter your email address to follow this blog and receive notifications of new posts by email.

About

  • Contact Us
  • Disclaimer