Forum Discussion

Re: Is it possible to disallow proxyAddress as Sign-In Identifier?

brahm415 Hello and welcome to the community 😊

 

Unfortunately, at this time, Microsoft Entra ID does not offer a native option to completely prevent the use of email addresses (proxyAddresses) for authentication. The default behavior allows users to log in with either UPN or any email address registered as a proxyAddress. There is no direct option or policy to disable this behavior.
However, you could make sure that UPN and proxyAddresses are different.
Check that the format of the User Principal Name (UPN) is different from the user's email address (proxyAddresses). If UPN and email match, Microsoft Entra ID will allow access using both.
One idea might be to change the format of UPNs so that they do not contain the email address, such as using an internal identifier (e.g., a user ID) instead of email address removed for privacy reasons.
This would make it more difficult for users to log in using the email address, since they would have to use a different UPN.
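
The check suggested in the reply above (whether a user's UPN also appears among the proxyAddresses), written out as an added example that is not part of the original posts. It assumes user records exported as dicts with the Microsoft Graph properties userPrincipalName and proxyAddresses; the sample records and the names `smtp_addresses` and `audit` are constructed for illustration.

```python
"""Flag exported user records whose UPN also appears as an SMTP proxy address."""

# Constructed sample records (not real accounts). Assumed shape: dicts with the
# Microsoft Graph user properties userPrincipalName and proxyAddresses.
SAMPLE_USERS = [
    {"userPrincipalName": "j.doe@contoso.com",
     "proxyAddresses": ["SMTP:j.doe@contoso.com", "smtp:john.doe@contoso.com"]},
    {"userPrincipalName": "u2784@contoso.com",
     "proxyAddresses": ["SMTP:a.smith@contoso.com", "X500:/o=Contoso/cn=asmith"]},
    {"userPrincipalName": "U3001@contoso.com",
     "proxyAddresses": ["SMTP:b.lee@contoso.com", "smtp:u3001@CONTOSO.com"]},
    {"userPrincipalName": "u4000@contoso.com",
     "proxyAddresses": ["smtp:u2784@contoso.com", "SIP:c.roe@contoso.com"]},
    {"userPrincipalName": "u5000@contoso.com", "proxyAddresses": None},
]


def smtp_addresses(proxy_addresses):
    """Return the lower-cased addresses of the SMTP:/smtp: entries only."""
    found = set()
    for entry in proxy_addresses or []:  # the property may be missing or null
        prefix, sep, address = entry.partition(":")
        if sep and prefix.lower() == "smtp" and address.strip():
            found.add(address.strip().lower())
    return found


def audit(users):
    """Map each overlapping UPN to 'own-proxy' or 'other-user-proxy'."""
    owners = {}  # smtp address -> set of UPNs (lower-cased) that carry it
    for user in users:
        upn = user["userPrincipalName"].strip().lower()
        for address in smtp_addresses(user.get("proxyAddresses")):
            owners.setdefault(address, set()).add(upn)
    findings = {}
    for user in users:
        upn = user["userPrincipalName"].strip().lower()
        carriers = owners.get(upn)
        if carriers:
            findings[user["userPrincipalName"]] = (
                "own-proxy" if upn in carriers else "other-user-proxy")
    return findings


if __name__ == "__main__":
    for upn, kind in audit(SAMPLE_USERS).items():
        print(f"{upn}: {kind}")
```

Comparison is case-insensitive, and entries with other prefixes such as X500: or SIP: are ignored because they are not mail addresses.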

1 Reply

  • brahm415
    Copper Contributor

    Thank you for your quick reply, micheleariis! 😊

    Our plan was to switch from UPNs that match the users' email addresses to a user ID (e.g. u2784 [at] contoso.com) and a separate email address (e.g. j.doe [at] contoso.com) as a security measure. If Microsoft Entra ID allows users to sign in using their UPN or email address, my main argument for switching to this new naming scheme is going up in smoke. 🔥
