Introduction
For signing in to Office 365 services when you are syncing users from on-premises AD via Azure AD Connect, Microsoft has always recommended changing your users' UPNs to match their e-mail addresses. Two of the main reasons for this are:
- You cannot verify a non-routable domain in Azure AD, so a UPN suffix such as domain.local will not work in Azure AD.
- It is easier to tell a user to sign in with their e-mail address than with their UPN. Most users do not know what a UPN is, let alone what theirs is, without being told.
Most organizations can handle this fine. In most 365 migrations I've done in the past we have been able to update the UPNs with no issue. But what if an organization can't? Some critical applications use the UPN for login and changing it would cause issues, or there are so many applications that finding out which ones use the UPN would take too long and delay the rollout of 365 services.
There are currently two existing methods of Alternate ID: Alternate Login ID with AD FS, and Alternate ID with Azure AD Connect (syncing a different attribute, such as mail, as the Azure AD UPN). Both are linked at the bottom of this post.
These two options force all users to follow the same login pattern and need to be maintained. For example, if you set the login ID to be the mail attribute, this affects every user. That may not be a bad thing, but it means no user can sign in with their UPN if they want to.
This post covers a new preview feature that lets users sign in with their e-mail address without changing their UPNs.
Sign in to Azure Active Directory using their assigned e-mail addresses in Exchange Online as an alternate login ID (preview)
The details for this method are very well covered in the docs article linked at the bottom, so I won't go over all the ins and outs. But I will show you how it worked in my lab.
The first thing you must do is create a new, or modify an existing, home realm discovery policy. We will start by checking whether a home realm discovery policy already exists (this needs the AzureADPreview module and an existing Connect-AzureAD session).
Get-AzureADPolicy | where-object {$_.Type -eq "HomeRealmDiscoveryPolicy"} | fl *
If this returns nothing, we can create a new policy with AlternateIdLogin enabled and set it as the organization default:
New-AzureADPolicy -Definition @('{"HomeRealmDiscoveryPolicy" :{"AlternateIdLogin":{"Enabled": true}}}') `
-DisplayName "BasicAutoAccelerationPolicy" `
-IsOrganizationDefault $true `
-Type "HomeRealmDiscoveryPolicy"
Editing an existing policy is detailed in the main docs article.
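The following script is an added example and not code from the original post or from the Microsoft docs article. It performs the whole procedure above in one pass: it looks for the tenant's default HomeRealmDiscoveryPolicy, creates it if it is missing, and otherwise enables AlternateIdLogin in the existing definition without discarding any other settings already in it. It then lists synced users who currently have an @*.onmicrosoft.com UPN, together with the SMTP proxy addresses that become their alternate sign-in names. The display name "BasicAutoAccelerationPolicy" is taken from the post; everything else (the module import, the user filter) is an assumption about a typical tenant.

```powershell
# Added example: ensure AlternateIdLogin is enabled on the default HRD policy,
# then show which synced users will rely on it. Requires AzureADPreview.
Import-Module AzureADPreview
Connect-AzureAD

$policy = Get-AzureADPolicy |
    Where-Object { $_.Type -eq "HomeRealmDiscoveryPolicy" -and $_.IsOrganizationDefault }

if (-not $policy) {
    # No default HRD policy yet: create one that only turns the feature on.
    $policy = New-AzureADPolicy `
        -Definition @('{"HomeRealmDiscoveryPolicy":{"AlternateIdLogin":{"Enabled":true}}}') `
        -DisplayName "BasicAutoAccelerationPolicy" `
        -IsOrganizationDefault $true `
        -Type "HomeRealmDiscoveryPolicy"
    Write-Host "Created HRD policy $($policy.Id)"
}
else {
    # Definition is an array holding one JSON string. Parse it, add/overwrite the
    # AlternateIdLogin setting and write it back, keeping any other keys intact
    # (for example AccelerateToFederatedDomain, if the tenant already uses it).
    $def = $policy.Definition[0] | ConvertFrom-Json
    if (-not $def.HomeRealmDiscoveryPolicy) {
        $def | Add-Member -NotePropertyName HomeRealmDiscoveryPolicy `
                          -NotePropertyValue ([pscustomobject]@{})
    }
    $def.HomeRealmDiscoveryPolicy |
        Add-Member -NotePropertyName AlternateIdLogin `
                   -NotePropertyValue ([pscustomobject]@{ Enabled = $true }) -Force
    $json = $def | ConvertTo-Json -Depth 5 -Compress
    Set-AzureADPolicy -Id $policy.Id -Definition @($json)
    Write-Host "Updated HRD policy $($policy.Id)"
}

# Confirm what the tenant now enforces.
Get-AzureADPolicy -Id $policy.Id | Select-Object DisplayName, IsOrganizationDefault, Definition

# Synced users still on the tenant default UPN suffix, and the SMTP proxy
# addresses that will now also work as usernames for each of them.
# -like and -replace are case-insensitive, so both "SMTP:" and "smtp:" match.
Get-AzureADUser -All $true |
    Where-Object { $_.DirSyncEnabled -and $_.UserPrincipalName -like "*.onmicrosoft.com" } |
    ForEach-Object {
        [pscustomobject]@{
            UPN           = $_.UserPrincipalName
            AlternateIds  = ($_.ProxyAddresses |
                             Where-Object { $_ -like "smtp:*" } |
                             ForEach-Object { $_ -replace '^smtp:', '' }) -join ", "
        }
    } | Format-Table -AutoSize
```

Run it once from an account with the Global Administrator role. The second half is the useful review step before enabling the feature in production: every address it prints is a name someone can type at the sign-in page, so it is worth checking that none of them is unexpected.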
This method allows sign-in by a user's e-mail address, or by any of the proxy addresses you are syncing from AD. In this example we have a user with a non-routable UPN and a routable e-mail address in his proxyAddresses attribute.


When synchronised into Azure AD, the user gets an @ulrobinson.onmicrosoft.com sign-in address, as expected, and an e-mail address that matches his proxy address.


This is the important part of this preview feature: you can sign in using this e-mail address as well as the Azure sign-in address. Below is the "Stay signed in?" prompt you get after successful login and MFA. Notice the username shown for the sign-in. This user now has two usernames that sign in to the same account.


Just for fun, I added another proxy address to the user, and sign-in under that username was also successful.

Conclusion
This new feature should remove a blocker if you can't update your UPNs to match SMTP addresses. That blocker can exist for many reasons, as mentioned above, but it does not change Microsoft's recommendation: we still recommend updating UPNs to be routable. Other Azure AD features are not compatible with non-routable UPNs; one major one is Azure AD Hybrid Join, as detailed at the bottom of the docs article linked below. One further point to keep in mind: because every synced SMTP proxy address becomes a valid username for the account, anyone who can write the proxyAddresses attribute in on-premises AD can effectively add sign-in names to that account, so that attribute deserves the same change control as the UPN.
So please have a look at this feature and test it; you can provide feedback via the links at the bottom of the docs article.
Links:
Alternate login with e-mail: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-email-signin
Alternate login via AD FS: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id
Alternate login with Azure AD Connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname
Azure AD Hybrid Join UPN requirements: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-upn-support-for-hybrid-azure-ad-join