SOLVED

Using AlternateID without ADFS

Palayathar
New Contributor

Dear Experts

 

I have the following situation. Our company has a local AD forest. We have an Office 365 tenant with a couple of subscriptions. Our current UPN is something like username@olddomain.com. This old domain is not owned by us. Our sAMAccountName is localdomain\username. Users use the UPN to authenticate with the local AD.

 

Issue:

We need to sync our users to Azure AD. The issue is that we will not be able to use our current UPN, as we do not own that domain. We will also not be able to use the email address, as the email address domain is registered with our parent company and it won't be possible to get the domain into Azure. We also cannot change the UPN or add a new UPN prefix due to stringent policies.

 

Suggestions:

 

So we have purchased a new domain and verified it with Office 365, say newroutabledomain.com. Now we want all users from our local AD to be synced to Azure AD using the UPN username@newroutabledomain.com. In order to do this, we are thinking of populating an attribute in local AD with the value username@newroutabledomain.com and using it as an AlternateID with the AD Connect tool. Please answer my following questions.

 

Questions:

1) Can I populate an attribute in local AD with the value of username@newroutabledomain.com and use that attribute as AlternateID?

2) What is the recommended attribute in AD that could be used to populate username@newroutabledomain.com values and thus use as AlternateID?

3) Is it possible to use AlternateID without implementing ADFS?

 

Thanks in advance

 

3 Replies

1) Yes, that's the whole idea behind AlternateID

2) "mail" is the recommended attribute

3) Yes, Pass-through authentication also supports AlternateID, AD FS is not a hard requirement. Password hash sync also supports it.

Solution

I think you have all the elements you need in place. You can use any attribute as UPN, so the configuration is very easy (see my blog at http://o365blog.com/post/non-routable-upn/).

 

So, when configuring AAD Connect, choose the attribute containing the "new UPN" for UPN and you're done. Now your users can log in to Office 365 using their username@newroutabledomain.com and on-prem password (given that you are using password hash sync).

 

If you also need to use the "new UPN" as an email address, easiest way is to populate that to ProxyAddresses attribute as SMTP:username@newroutabledomain.com.
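The answer above covers the AAD Connect side (pick the attribute as UPN source in the sign-in configuration page). What it leaves implicit is how the on-premises attribute gets populated consistently and safely for every user before the first sync. The following PowerShell is an added example, not code from the thread or from the o365blog post. It assumes a hypothetical setup: extensionAttribute1 as the source attribute (the OP ended up using a custom attribute because mail and proxyAddresses were unavailable), newroutabledomain.com as the verified tenant domain, the sAMAccountName as the local part, and a hypothetical OU as the search base. It runs with -WhatIf so the first pass is a dry run.

```powershell
# Added example: stage an AlternateID value for every enabled user in an OU.
# All names below are assumptions; adjust them to your forest.
Import-Module ActiveDirectory

$Domain     = 'newroutabledomain.com'             # verified in the tenant
$Attribute  = 'extensionAttribute1'               # hypothetical source attribute for UPN
$SearchBase = 'OU=Users,DC=localdomain,DC=local'  # hypothetical OU
$AlsoMail   = $false                              # set $true to also expose the value as SMTP address

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties $Attribute, 'proxyAddresses', 'mail'

# 1. Compute the intended value per user and refuse to continue on collisions.
#    Azure AD requires UPNs and proxy addresses to be unique in the tenant, so a
#    duplicate (e.g. two sAMAccountNames differing only in case) must be fixed first.
$planned = foreach ($u in $users) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        NewId          = ('{0}@{1}' -f $u.SamAccountName.ToLowerInvariant(), $Domain)
        Current        = $u.$Attribute
        Proxies        = @($u.proxyAddresses)
    }
}
$dupes = $planned | Group-Object -Property NewId | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    $dupes | ForEach-Object { Write-Warning ("Duplicate alternate ID: {0}" -f $_.Name) }
    throw 'Resolve duplicate sAMAccountNames before populating the alternate ID.'
}

# 2. Write the attribute only where it is missing or different (idempotent re-runs).
#    Remove -WhatIf once the dry-run output looks right.
foreach ($p in $planned) {
    if ($p.Current -ne $p.NewId) {
        Set-ADUser -Identity $p.SamAccountName -Replace @{ $Attribute = $p.NewId } -WhatIf
    }

    # Optional: make the same value an e-mail address, as suggested in the answer.
    # Uppercase "SMTP:" marks the primary address; a user may have only one primary,
    # so fall back to a secondary "smtp:" entry if a primary already exists.
    if ($AlsoMail) {
        $hasPrimary = $p.Proxies | Where-Object { $_ -clike 'SMTP:*' }
        $prefix     = if ($hasPrimary) { 'smtp:' } else { 'SMTP:' }
        $entry      = $prefix + $p.NewId
        if ($p.Proxies -notcontains $entry) {
            Set-ADUser -Identity $p.SamAccountName -Add @{ proxyAddresses = $entry } -WhatIf
        }
    }
}

# 3. Verification before running the AAD Connect wizard: list anyone whose attribute
#    is empty or not in the verified domain. Such users would sync with a UPN AAD
#    Connect rewrites to the tenant's .onmicrosoft.com domain, and then cannot sign in
#    with the intended name.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $Attribute |
    Where-Object { $_.$Attribute -notlike "*@$Domain" } |
    Select-Object SamAccountName, $Attribute
```

Two checks worth making before going live: the chosen attribute becomes the cloud sign-in name, so confirm its ACL in AD only allows administrators (or the provisioning process) to write it, and confirm the value is never changed after the first sync without planning for it, because changing a user's UPN source changes the identity they authenticate with under password hash sync or pass-through authentication.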

Thanks a lot to both of you @Vasil Michev and @Nestori Syynimaa. You guys are amazing. I am new to this portal and you made me believe that this is indeed a helpful site. I managed to use a custom attribute, as mail or ProxyAddresses could not be used. It worked like a charm.
