Forum Discussion
Is it possible to disallow proxyAddress as Sign-In Identifier?
- Oct 18, 2024
brahm415 Hello and welcome to the community 😊
Unfortunately, at this time, Microsoft Entra ID does not offer a native option to completely prevent the use of email addresses (proxyAddresses) for authentication. The default behavior allows users to log in with either UPN or any email address registered as a proxyAddress. There is no direct option or policy to disable this behavior.
However, you could make sure that UPN and proxyAddresses are different.
Check that the format of the User Principal Name (UPN) is different from the user's email address (proxyAddresses). If UPN and email match, Microsoft Entra ID will allow access using both.
One idea might be to change the format of UPNs so that they do not contain the email address, such as using an internal identifier (e.g., a user ID) instead of [email address removed for privacy reasons].
This would make it more difficult for users to log in using the email address, since they would have to use a different UPN.
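The check suggested in the reply above, comparing each user's UPN with their proxyAddresses, can be run over an exported user list. This is an added example, not part of the original thread: it assumes records carrying the `userPrincipalName` and `proxyAddresses` fields of Microsoft Graph user objects, and the sample records and function names are constructed for illustration.

```python
# Added example: find users whose UPN also appears in proxyAddresses.
# Field names follow Microsoft Graph user objects; the records are constructed.
SAMPLE_USERS = [
    {"userPrincipalName": "j.doe@contoso.com",
     "proxyAddresses": ["SMTP:j.doe@contoso.com", "smtp:jdoe@contoso.com"]},
    {"userPrincipalName": "u2784@contoso.com",
     "proxyAddresses": ["SMTP:j.smith@contoso.com", "smtp:U2784@contoso.com"]},
    {"userPrincipalName": "u3001@contoso.com",
     "proxyAddresses": ["SMTP:a.lee@contoso.com", "X500:/o=Contoso/cn=a.lee"]},
    {"userPrincipalName": "u3002@contoso.com", "proxyAddresses": None},
]


def smtp_addresses(proxy_addresses):
    """Yield (address, is_primary) for SMTP entries, skipping X500, SIP, etc.

    An upper-case "SMTP:" prefix marks the primary address, lower-case an alias.
    """
    for entry in proxy_addresses or []:
        prefix, sep, address = entry.partition(":")
        if sep and prefix.lower() == "smtp":
            yield address.strip().lower(), prefix == "SMTP"


def audit_upn_overlap(users):
    """Return one finding per SMTP proxy address equal to the user's UPN."""
    findings = []
    for user in users:
        upn = user["userPrincipalName"].strip().lower()
        for address, is_primary in smtp_addresses(user.get("proxyAddresses")):
            if address == upn:  # addresses compare case-insensitively
                findings.append((upn, "primary" if is_primary else "alias"))
    return findings


if __name__ == "__main__":
    for upn, kind in audit_upn_overlap(SAMPLE_USERS):
        print(f"{upn}: UPN is also a {kind} SMTP proxy address")
```
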
- brahm415, Oct 21, 2024, Copper Contributor
Thank you for your quick reply, micheleariis! 😊
Our plan was to switch from UPNs that match the users' email addresses to a user ID (e.g. u2784 [at] contoso.com) and a separate email address (e.g. j.doe [at] contoso.com) as a security measure. If Microsoft Entra ID allows users to sign in using their UPN or email address, my main argument for switching to this new naming scheme is going up in smoke. 🔥