Forum Discussion

brahm415
Copper Contributor
Oct 18, 2024
Solved

Is it possible to disallow proxyAddress as Sign-In Identifier?

As part of a revised naming scheme for user accounts we're planning to roll out, I'd like to disallow Exchange Online email addresses and proxyAddresses from being used instead of the User Principal Name as an alternative identifier when users sign in to their accounts. This is supposed to strengthen security as users don't share one of the authentication factors with every email they send and the user names can't be easily guessed because they don't use the actual first or last name of the user behind them.

This is the only Microsoft Learn article I found that was describing something similar:

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-use-email-signin 
Basically I want to do the opposite of what the article is describing and I'm not syncing my users using Microsoft Entra Connect. I disabled the "Email as alternate login ID" option described in the article anyways but unsurprisingly, that didn't have the desired effect.
Does anyone know if this is even possible and if so, how to do it?
Thanks in advance!
This is my first post in this community. If I did something wrong (like choosing the wrong label) please be kind, tell me, and I'm going to adapt my post.

  • micheleariis
    Steel Contributor

    brahm415 Hello and welcome to the community 😊
    Unfortunately, at this time, Microsoft Entra ID does not offer a native option to completely prevent the use of email addresses (proxyAddresses) for authentication. The default behavior allows users to log in with either UPN or any email address registered as a proxyAddress. There is no direct option or policy to disable this behavior.
    However, you could make sure that UPN and proxyAddresses are different.
    Check that the format of the User Principal Name (UPN) is different from the user's email address (proxyAddresses). If UPN and email match, Microsoft Entra ID will allow access using both.
    One idea might be to change the format of UPNs so that they do not contain the email address, such as using an internal identifier (e.g., a user ID) instead of [email address removed for privacy reasons].
    This would make it more difficult for users to log in using the email address, since they would have to use a different UPN.

    • brahm415
      Copper Contributor

      Thank you for your quick reply, micheleariis! 😊

      Our plan was to switch from UPNs that match the users' email address to a user ID (e.g. u2784 [at] contoso.com) and a separate email address (e.g. j.doe [at] contoso.com) as a security measure. If Microsoft Entra ID allows users to sign in using their UPN or email address, my main argument for switching to this new naming scheme is going up in smoke. 🔥
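An added example, not code from either poster: a read-only Microsoft Graph PowerShell audit that lists enabled users whose UPN is also one of their SMTP proxyAddresses, i.e. the accounts where the UPN/mail separation micheleariis describes is not yet in place, and counts how many sign-in identifiers each account currently accepts. It assumes the Microsoft.Graph.Users module and the User.Read.All permission; the Graph attribute names are real, the output column names are my own.

```powershell
# Added audit example (not from the thread). Read-only: it changes nothing in the tenant.
# Assumes: Install-Module Microsoft.Graph.Users has been run and the signed-in
# admin can consent to User.Read.All.
Connect-MgGraph -Scopes 'User.Read.All'

# Select only the attributes the check needs; -All pages through the whole tenant.
$users = Get-MgUser -All -Property 'Id,UserPrincipalName,ProxyAddresses,AccountEnabled' |
    Where-Object { $_.AccountEnabled }

$report = foreach ($u in $users) {
    $upn = $u.UserPrincipalName.ToLowerInvariant()

    # proxyAddresses look like "SMTP:primary@contoso.com" (primary, upper case)
    # and "smtp:alias@contoso.com" (aliases). Entra accepts any SMTP address as a
    # sign-in name, so collect them all, case-folded, without the prefix.
    # -match and -replace are case-insensitive in PowerShell, so both forms are caught.
    $smtp = @($u.ProxyAddresses |
        Where-Object { $_ -match '^smtp:' } |
        ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() })

    # The primary address is the one with the upper-case prefix; -cmatch is case-sensitive.
    $primary = ($u.ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } |
        Select-Object -First 1) -creplace '^SMTP:', ''

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        PrimarySmtp       = $primary
        # True when the UPN is itself a mail address on the object: the identifier the
        # user reveals in every email is also the one they sign in with.
        UpnIsMailAddress  = $smtp -contains $upn
        # Distinct names Entra will accept at the sign-in prompt for this account.
        SignInIdentifiers = @(@($upn) + $smtp | Sort-Object -Unique).Count
    }
}

# Accounts that still need the user-ID UPN / name-based mail split.
$report | Where-Object UpnIsMailAddress | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Full picture for review or export.
$report | Export-Csv -Path .\upn-proxyaddress-audit.csv -NoTypeInformation
```

Even for rows where UpnIsMailAddress is False, every address listed under SignInIdentifiers remains a valid sign-in name, which is the limitation the answer above describes; the audit only shows how many such names each account exposes.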