Forum Discussion
Hybrid Azure AD Join with Alternate Login ID (PHS)
Ben Owens
I managed to get clarification from Microsoft via the Technical Advisor on GitHub.
https://github.com/MicrosoftDocs/azure-docs/pull/49710#issuecomment-744067855
The reason I thought this would be supported by Microsoft is that in my lab, a user with a UPN of john.smith@ad.contoso.com achieved Hybrid Azure AD Join status when accessing M365 via Modern Apps or Browser access. This is when the UPN suffix is not verified in the tenant.
On closer investigation I found this worked because my AD forest domain was a forest suffix of ad.contoso.com, which is a sub domain of contoso.com. When I ran a home realm discovery using the sub domain, it returned the details of the correct realm.
E.g.
https://login.microsoftonline.com/common/UserRealm/?user=ad.contoso.com&api-version=1.0&checkForMicrosoftAccount=false&fallback_domain=madeupdomainthatdoesntexist.com
So in conclusion, if your users' on-premises UPN suffix is a sub domain of a verified domain in your tenant (but not verified in Azure AD), I found HAADJ will work. If you have a .local UPN suffix, you will need to amend the users' UPN to work with HAADJ.
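The home realm discovery check described above, written up as an added example (not code from the post or from Microsoft): it builds the same v1.0 UserRealm URL, and classifies a UPN as HAADJ-ready or needing a UPN change from the `account_type` in the response. The simulated responses and the `.local` rule are constructed from the post's conclusions; the response field names are assumed from the v1.0 endpoint.

```python
import json
import urllib.parse
import urllib.request

# Constructed UserRealm v1.0 responses used so the check runs offline.
# ad.contoso.com is modelled as in the post: a sub domain of the verified
# contoso.com that home realm discovery resolves to the correct tenant.
SIMULATED_REALMS = {
    "contoso.com": {"ver": "1.0", "account_type": "Managed", "domain_name": "contoso.com"},
    "ad.contoso.com": {"ver": "1.0", "account_type": "Managed", "domain_name": "contoso.com"},
    "corp.local": {"ver": "1.0", "account_type": "Unknown", "domain_name": "corp.local"},
}


def user_realm_url(name):
    """Build the same home realm discovery URL the post queried."""
    query = urllib.parse.urlencode(
        {"user": name, "api-version": "1.0", "checkForMicrosoftAccount": "false"}
    )
    return f"https://login.microsoftonline.com/common/UserRealm/?{query}"


def fetch_user_realm(name):
    """Live lookup against Azure AD (needs network; not used by the offline check)."""
    with urllib.request.urlopen(user_realm_url(name), timeout=10) as resp:
        return json.load(resp)


def lookup_simulated(name):
    """Offline stand-in for fetch_user_realm: unknown names resolve to no tenant."""
    return SIMULATED_REALMS.get(
        name, {"ver": "1.0", "account_type": "Unknown", "domain_name": name}
    )


def haadj_upn_check(upn, lookup=lookup_simulated):
    """Return (verdict, detail): 'ok' when the UPN suffix resolves to an Azure AD
    realm, 'amend-upn' when it is non-routable (.local, single label) or unknown."""
    suffix = upn.rsplit("@", 1)[-1].lower()
    # .local and single-label suffixes can never be verified in a tenant.
    if "." not in suffix or suffix.endswith(".local"):
        return ("amend-upn", f"{suffix} is a non-routable suffix")
    realm = lookup(suffix)
    if realm.get("account_type") in ("Managed", "Federated"):
        return ("ok", realm.get("domain_name", suffix))
    return ("amend-upn", f"{suffix} does not resolve to an Azure AD tenant")


if __name__ == "__main__":
    for user in ("john.smith@ad.contoso.com", "jane@corp.local", "bob@unverified.example"):
        print(user, "->", haadj_upn_check(user))
```

Swap `lookup=fetch_user_realm` into `haadj_upn_check` to run the same check against the real endpoint for a tenant you administer.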
- ChristianBergstrom, Dec 14, 2020, Silver Contributor: Great, thanks for the update. Actually read the following just now when doing some searches.
"There are other features in Azure AD that are not compatible with non-routable UPNs. One major is Azure AD Hybrid Join."