Enable user-friendly sign-in to Azure AD with email as an alternate login ID

Published Jul 13 2020 09:00 AM 42.4K Views

Howdy folks,

 

Today we’re announcing the public preview of the ability to sign-in to Azure AD with email in addition to UPN (UserPrincipalName). In organizations where email and UPN are not the same, it can be confusing for users when they can't use their familiar email address to sign-in. With this preview capability, you can enable your users to sign in with either their UPN or their email address, helping them avoid this confusion.

 

This feature can be enabled by setting the AlternateIdLogin attribute in the HomeRealmDiscoveryPolicy. Please use the instructions in our documentation to set this up in your organization.

 

Some customers are using capabilities in Azure Active Directory (Azure AD) Connect to achieve this today, but that requires them to set the email address as the UPN in Azure AD. With this preview capability, you can now use the same UPN across on-premises Active Directory and Azure AD to achieve the best compatibility across Office 365 and other workloads, while still allowing your users to sign in with either their UPN or email, further simplifying their experience.

 

We hope this change simplifies the sign-in experience for your end users.

 

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum. 


Stay safe and be well,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

47 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-1519501%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1519501%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F15847%22%20target%3D%22_blank%22%3E%40Alex%3C%2FA%3E%3C%2FP%3E%3CP%3ECool!!!%20much%20awaited%20feature...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20f%20I%20use%20UPN%20to%20sync%20my%20users%20but%20their%20SMTP%20is%20different%2C%20still%20my%20users%20can%20login%20to%20azure%2Foffice%20365%20with%20their%20SMTP%20email%20id%2C%20right%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20I%20must%20sync%20my%20email%20domain%20to%20accomplish%20this%20or%20just%20verify%20the%20domain%20in%20office%20365%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1520134%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1520134%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20news!%20It's%20always%20good%20to%20make%20user's%20lives%20easier%20and%20simplified!%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1520153%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1520153%22%20slang%3D%22en-US%22%3E%3CP%3EAgreed%20much%20awaited%20feature.%20Thanks%20for%20making%20it%20happen%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1520636%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1520636%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Alex%2C%20does%20this%20function%20work%20when%20logging%20in%20O365%20connected%20workstations%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1520802%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1520802%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20nice%20feature%2C%20but%20in%20our%20azuread%20%2C%20our%20primary%20email%20addresses%20on%20users%20are%20very%20long%20and%20are%20generated%20based%20on%20user%20full%20names%20for%20users%20its%20more%20convenient%20to%20login%20with%20UPN%20which%20is%20based%20on%20users'%20usernames.%20It%20would%20be%20cool%20if%20all%20Microsoft%20login%20screen%20text%20should%20say%20%22username%22%20not%20an%20email%20address%20to%20log%20in%2C%20which%20would%20help%20users%20following%20company's%20internal%20username%20policy%26nbsp%3B%20(email%20or%20UPN)%20to%20login%20to%20the%20cloud%20services.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1520893%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1520893%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20releasing%20this%20AAD%20Team!%20It%20is%20huge%20for%20companies%20that%20do%20not%20have%20matching%20UPNs%20and%20email%20addresses.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1520924%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1520924%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F15847%22%20target%3D%22_blank%22%3E%40Alex%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20great%20news%20and%20will%20benefit%20many%20of%20us.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20implemented%20this%20in%20a%20non-production%20environment%20yesterday%2C%20on%20the%20whole%20it%20went%20well.%20However%2C%20it%20uncovered%20something%20that%20I%20would%20like%20clarity%20on%2C%20if%20there%20is%20contention%20between%20a%20UPN%20(cloud%20only%20account)%20and%20a%20proxy%2Femail%20address%20on%20a%20sync'd%20account%20for%20example%20-%20which%20will%20take%20precedence%3F%20This%20is%20not%20a%20situation%20that%20I%20was%20expecting%20to%20encounter%20but%20it%20existed.%20From%20some%20the%20limited%20testing%2C%20it%20appears%20the%20account%20with%20email%20address%20wins%2C%20whereas%20I%20would%20have%20expected%20the%20UPN%20to%20take%20precedence.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20was%20also%20a%20delay%20of%20upwards%2020%20minutes%20from%20creating%20the%20policy%20to%20seeing%20the%20change%20in%20behaviour.%20If%20this%20is%20expected%20then%20it%20would%20be%20helpful%20if%20the%20documentation%20reflected%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1521139%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521139%22%20slang%3D%22en-US%22%3E%3CP%3Ewe%20need%20this%20as%20we%20are%20doing%20a%20domain%20migration%20but%20are%20affected%20by%20duplicate%20UPNs%20in%20both%20domains%20which%20blocks%20domain%20trust%20routing.%26nbsp%3B%20This%20feature%20will%20allow%20us%20to%20change%20the%20UPN%20in%20one%20domain%20and%20then%20use%20email%20to%20log%20into%20Azure%2FOffice365.%26nbsp%3B%20when%20will%20this%20be%20GA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1521590%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521590%22%20slang%3D%22en-US%22%3E%3CP%3EKeeping%20the%20sign-on%20ID%20separate%20from%20the%20email%20address%20is%20better%20from%20a%20security%20perspective%20IMO.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20organization%20is%20frequently%20the%20target%20of%20password%20guessing%20attacks%2C%20with%20email%20addresses%20used%20for%20the%20login%20name.%20%26nbsp%3BKeeping%20the%20%22private%22%20sign-in%20ID%20separate%20from%20your%20%22public%22%20email%20address%20adds%20another%20layer%20of%20protection.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1521730%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521730%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20morning%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F53477%22%20target%3D%22_blank%22%3E%40Alex%20Simons%20(AZURE)%3C%2FA%3E%26nbsp%3B%2C%20we've%20implemented%20this%20new%20policy%20as%20per%20the%20instructions%20and%20we%20have%20checked%20the%20three%20boxes%20for%20troubleshooting%2C%20but%20still%20not%20operating.%20Since%20this%20is%20public%20preview%2C%20is%20there%20someone%20we%20can%20talk%20to%20for%20troubleshooting%20or%20discussing%20further%3F%20Or%20should%20we%20attempt%20to%20open%20a%20ticket%20on%20this%2C%20or%20just%20wait%20and%20try%20again%20later%3F%26nbsp%3B%20After%20typing%20the%20new%20identifier%20(alternate%20ID%2Fproxy%20address)%20in%20the%20AAD%20username%20field%2C%20it%20responds%20with%20%22This%20username%20may%20be%20incorrect.%20Make%20sure%20you%20typed%20it%20correctly.%20Otherwise%2C%20contact%20your%20admin.%22%20This%20is%20with%20an%20alternate%20email%20address%20suffix%20that%20is%20a%20verified%20domain%20in%20our%20AAD%20tenant%20setup%2C%20so%20I%20believe%20we%20have%20everything%20we%20needed%20for%20this.%20Would%20there%20be%20a%20delay%20of%20any%20kind%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EVery%20excited%20about%20this%20new%20feature%2C%20many%20thanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1521763%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521763%22%20slang%3D%22en-US%22%3E%3CP%3EAfter%20my%20post%20above%2C%20it%20is%20now%20working%2C%20so%20it%20looks%20like%20there%20was%20just%20some%20delay%20in%20implementation%20(30-35%20minutes)%20for%20future%20adventurers%20that%20might%20be%20looking%20through%20these%20threads%20for%20input.%20%3A)%3C%2Fimg%3E%20It%20was%20a%20super%20simple%20change%2C%20just%20took%20a%20small%20amount%20of%20time%20(would%20recommend%20to%20update%20documentation%20-%20I'll%20comment%20on%20that%20article%20as%20well).%26nbsp%3B%20Thanks%20again%2C%20such%20a%20great%20feature!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1522870%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1522870%22%20slang%3D%22en-US%22%3E%3CP%3EI%20agree%20with%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F728378%22%20target%3D%22_blank%22%3E%40nateweso%3C%2FA%3E%2C%20using%20email%20addresses%20as%20login%20names%20has%20always%20been%20a%20stupid%20idea%20and%20a%20big%20security%20hole.%20Now%20malicious%20attacks%20need%20simply%20to%20use%20easily%20accessible%20or%20leaked%20email%20addresses%20to%20spray%20attack%20looking%20for%20vulnerable%20accounts.%20Way%20to%20go%20Microsoft.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1522321%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1522321%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F40291%22%20target%3D%22_blank%22%3E%40Abdul%20Farooque%3C%2FA%3E%26nbsp%3B-%26nbsp%3B%3CEM%3ESo%20If%20I%20use%20UPN%20to%20sync%20my%20users%20but%20their%20SMTP%20is%20different%2C%20still%20my%20users%20can%20login%20to%20azure%2Foffice%20365%20with%20their%20SMTP%20email%20id%2C%20right%3F%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EYes%2C%20users%20will%20have%20the%20option%20to%20use%20UPN%20or%20SMTP%20Proxy%20Address.%20Which%20ever%20is%20easiest%20for%20the%20user.%20%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EDo%20I%20must%20sync%20my%20email%20domain%20to%20accomplish%20this%20or%20just%20verify%20the%20domain%20in%20office%20365%20%3F%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EYou%20would%20need%20to%20verify%20the%20domain%20in%20Azure%20AD%20for%20the%20Proxy%20address%20to%20by%20synced%20to%20the%20user%20object.%3C%2FP%3E%0A%3CP%3ETo%20get%20a%20full%20list%20of%20requirements%20and%20limitations%20review%20our%20docs%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-authentication-use-email-signin%23synchronize-sign-in-email-addresses-to-azure-ad%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-authentication-use-email-signin%23synchronize-sign-in-email-addresses-to-azure-ad%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F572685%22%20target%3D%22_blank%22%3E%40patrick410%3C%2FA%3E%26nbsp%3B%20-%26nbsp%3B%3CEM%3Edoes%20this%20function%20work%20when%20logging%20in%20O365%20connected%20workstations%3F%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EI%20will%20provide%20an%20update%20on%20this%20question.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F706120%22%20target%3D%22_blank%22%3E%40belaie%3C%2FA%3E%26nbsp%3B%3CEM%3E%26nbsp%3B-%20It%20would%20be%20cool%20if%20all%20Microsoft%20login%20screen%20text%20should%20say%20%22username%22%20not%20an%20email%20address%20to%20log%20in%2C%20which%20would%20help%20users%20following%20company's%20internal%20username%20policy%26nbsp%3B%20(email%20or%20UPN)%20to%20login%20to%20the%20cloud%20services.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EThis%20is%20a%20great%20suggestions%20for%20us%20to%20consider%2C%20would%20love%20for%20you%20to%20add%20this%20suggestion%20to%20our%20user%20voice%20%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F727991%22%20target%3D%22_blank%22%3E%40hobbycat%3C%2FA%3E%26nbsp%3B-%26nbsp%3B%3CEM%3EHowever%2C%20it%20uncovered%20something%20that%20I%20would%20like%20clarity%20on%2C%20if%20there%20is%20contention%20between%20a%20UPN%20(cloud%20only%20account)%20and%20a%20proxy%2Femail%20address%20on%20a%20sync'd%20account%20for%20example%20-%20which%20will%20take%20precedence%3F%20This%20is%20not%20a%20situation%20that%20I%20was%20expecting%20to%20encounter%20but%20it%20existed.%20From%20some%20the%20limited%20testing%2C%20it%20appears%20the%20account%20with%20email%20address%20wins%2C%20whereas%20I%20would%20have%20expected%20the%20UPN%20to%20take%20precedence.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EI%20will%20provide%20an%20update%20on%20this%20question.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EThere%20was%20also%20a%20delay%20of%20upwards%2020%20minutes%20from%20creating%20the%20policy%20to%20seeing%20the%20change%20in%20behaviour.%20If%20this%20is%20expected%20then%20it%20would%20be%20helpful%20if%20the%20documentation%20reflected%20this.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EYes%2C%20this%20is%20expected%20to%20take%20up%20to%201%20hour%20to%20see%20expected%20behavior.%20We%20will%20update%20our%20documentation%20to%20include%20this%20note.%20thank%20you%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F728228%22%20target%3D%22_blank%22%3E%40pmahlmann%3C%2FA%3E%26nbsp%3B%20-%20%3CEM%3EThis%20feature%20will%20allow%20us%20to%20change%20the%20UPN%20in%20one%20domain%20and%20then%20use%20email%20to%20log%20into%20Azure%2FOffice365.%26nbsp%3B%20when%20will%20this%20be%20GA.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EWe%20are%20looking%20to%20get%20a%20much%20customer%20feedback%20during%20preview%20before%20going%20GA.%20We%20do%20not%20have%20a%20target%20date%20currently.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5180%22%20target%3D%22_blank%22%3E%40Chris%20Smith%3C%2FA%3E%26nbsp%3B%20-%26nbsp%3B%3CEM%3EIt%20was%20a%20super%20simple%20change%2C%20just%20took%20a%20small%20amount%20of%20time%20(would%20recommend%20to%20update%20documentation%20-%20I'll%20comment%20on%20that%20article%20as%20well).%26nbsp%3B%20Thanks%20again%2C%20such%20a%20great%20feature!%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EThank%20you%20for%20the%20feedback%2C%20will%20be%20adding%20this%20to%20our%20documentation.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EJoey%20Cruz%20-%20Program%20Manager%20-%20Identity%20Engineering%20Team%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1544308%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1544308%22%20slang%3D%22en-US%22%3E%3CP%3EHow%20the%20new%20change%20will%20affect%20MFA%20registered%20for%20a%20user%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1554194%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1554194%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F15060%22%20target%3D%22_blank%22%3E%40Alexey%20Goncharov%3C%2FA%3E%26nbsp%3B%20-%26nbsp%3B%3CEM%3EHow%20the%20new%20change%20will%20affect%20MFA%20registered%20for%20a%20user%3F%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20will%20not%20affect%20MFA%20registration%2C%20users%20will%20be%20able%20to%20go%20through%20the%20same%20registration%20flow.%20Once%20the%20users%20signs-in%2C%20the%20user%20will%20see%20their%20UPN%20in%20the%20registration%20flow%20and%20in%20the%20Authenticator%20App%20(if%20registered).%20We%20will%20make%20note%20in%20the%20documentation%20to%20include%20a%20note.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1554274%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1554274%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F191489%22%20target%3D%22_blank%22%3E%40Joey%20Cruz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20update%20on%20the%20behaviour%20described%20by%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F727991%22%20target%3D%22_blank%22%3E%40hobbycat%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%26nbsp%3B%3CEM%3EHowever%2C%20it%20uncovered%20something%20that%20I%20would%20like%20clarity%20on%2C%20if%20there%20is%20contention%20between%20a%20UPN%20(cloud%20only%20account)%20and%20a%20proxy%2Femail%20address%20on%20a%20sync'd%20account%20for%20example%20-%20which%20will%20take%20precedence%3F%20This%20is%20not%20a%20situation%20that%20I%20was%20expecting%20to%20encounter%20but%20it%20existed.%20From%20some%20the%20limited%20testing%2C%20it%20appears%20the%20account%20with%20email%20address%20wins%2C%20whereas%20I%20would%20have%20expected%20the%20UPN%20to%20take%20precedence.%3C%2FEM%3E%3C%2FP%3E%3CP%3EI%20will%20provide%20an%20update%20on%20this%20question.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20faced%20the%20same%20issue.%20EMail%20address%20takes%20precedence%20over%20UPN.%20Is%20this%20expected%3F%20Can%20that%20be%20changed%3F%3C%2FSPAN%3E%3C%2FP%3E%3CDIV%20class%3D%22lia-message-author-rank%20lia-component-author-rank%20lia-component-message-view-widget-author-rank%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1554407%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1554407%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F191489%22%20target%3D%22_blank%22%3E%40Joey%20Cruz%3C%2FA%3E.%20So%2C%20if%20I%20understood%20it%20correctly%2C%20the%20Authenticator%20app%20and%20FIDO2%20token%20registered%20as%202FA%20for%20a%20user%2C%20will%20%26nbsp%3Bto%20leverage%20a%20UPN%20of%20an%20account%2C%20rather%20than%20one%20of%20the%20smtp%20aliases%20used%20by%20a%20user%20for%20authentication%2C%20right%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1554546%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1554546%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F677871%22%20target%3D%22_blank%22%3E%40AndreasMarx%3C%2FA%3E%26nbsp%3B%20-%26nbsp%3B%3CEM%3EI%20faced%20the%20same%20issue.%20EMail%20address%20takes%20precedence%20over%20UPN.%20Is%20this%20expected%3F%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWill%20follow%20up%20for%20clarification.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F15060%22%20target%3D%22_blank%22%3E%40Alexey%20Goncharov%3C%2FA%3E%26nbsp%3B%20-%26nbsp%3B%3CEM%3EThank%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F191489%22%20target%3D%22_blank%22%3E%40Joey%20Cruz%3C%2FA%3E.%20So%2C%20if%20I%20understood%20it%20correctly%2C%20the%20Authenticator%20app%20and%20FIDO2%20token%20registered%20as%202FA%20for%20a%20user%2C%20will%20%26nbsp%3Bto%20leverage%20a%20UPN%20of%20an%20account%2C%20rather%20than%20one%20of%20the%20smtp%20aliases%20used%20by%20a%20user%20for%20authentication%2C%20right%3F%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECorrect%2C%20the%20UPN%20will%20be%20used.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1257366%22%20slang%3D%22en-US%22%3EEnable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1257366%22%20slang%3D%22en-US%22%3E%3CP%3EHowdy%20folks%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EToday%20we%E2%80%99re%20announcing%20the%20public%20preview%20of%20the%20ability%20to%20sign-in%20to%20Azure%20AD%20with%20email%20in%20addition%20to%20UPN%20(UserPrincipalName).%20%3C%2FSPAN%3EIn%20organizations%20where%20email%20and%20UPN%20are%20not%20the%20same%2C%20it%20can%20be%20confusing%20for%20users%20when%20they%20can't%20use%20their%20familiar%20email%20address%20to%20sign-in.%3CSPAN%3E%20With%20this%20preview%20capability%2C%20you%20can%20enable%20your%20users%20to%20sign%20in%20with%20either%20their%20UPN%20or%20their%20email%20address%2C%20helping%20them%20avoid%20this%20confusion.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThis%20feature%20can%20be%20enabled%20by%20setting%20the%20AlternateIdLogin%20attribute%20in%20the%20HomeRealmDiscoveryPolicy.%20Please%20use%20the%20instructions%20in%20our%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-authentication-use-email-signin%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Edocumentation%3C%2FA%3E%20to%20set%20this%20up%20in%20your%20organization.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ESome%20customers%20are%20using%20capabilities%20in%20Azure%20Active%20Directory%20(Azure%20AD)%20Connect%20to%20achieve%20this%20today%2C%20but%20that%20requires%20them%20to%20set%20the%20email%20address%20as%20the%20UPN%20in%20Azure%20AD.%20With%20this%20preview%20capability%2C%20you%20can%20now%20use%20the%20same%20UPN%20across%20on-premises%20Active%20Directory%20and%20Azure%20AD%20to%20achieve%20the%20best%20compatibility%20across%20Office%20365%20and%20other%20workloads%2C%20while%20still%20allowing%20your%20users%20to%20sign%20in%20with%20either%20their%20UPN%20or%20email%2C%20further%20simplifying%20their%20experience.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EWe%20hope%20this%20change%20simplifies%20the%20sign-in%20experience%20for%20your%20end%20users.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAs%20always%2C%20we%E2%80%99d%20love%20to%20hear%20any%20feedback%20or%20suggestions%20you%20may%20have.%20Please%20let%20us%20know%20what%20you%20think%20in%20the%20comments%20below%20or%20on%20the%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%3EAzure%20AD%20feedback%20forum%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%3E.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CBR%20%2F%3EStay%20safe%20and%20be%20well%2C%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAlex%20Simons%20(-ERR%3AREF-NOT-FOUND-%40Alex_A_Simons)%3C%2FP%3E%0A%3CP%3ECorporate%20VP%20of%20Program%20Management%3C%2FP%3E%0A%3CP%3EMicrosoft%20Identity%20Division%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1257366%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22M365CO19_ENT_surfacePro6_1535_ID.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F205055i07E3F7C16683CD1B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22M365CO19_ENT_surfacePro6_1535_ID.jpg%22%20alt%3D%22M365CO19_ENT_surfacePro6_1535_ID.jpg%22%20%2F%3E%3C%2FSPAN%3EYour%20journey%20to%20cloud%20authentication%20is%20now%20even%20easier.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1257366%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EProduct%20Announcements%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1568829%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1568829%22%20slang%3D%22en-US%22%3E%3CP%3Enice%2C%20thanks%20MS.%3C%2FP%3E%3CP%3ERegarding%20the%20security%20part%2C%20I%20think%20its%20pretty%20easy%20to%20spray%20and%20guess%20internal%20usernames%20of%20a%20company%20from%20attacker's%20perspective.%20The%20benefits%20probably%20out%20weight%20the%20cons%20for%20an%20org.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1579270%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1579270%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F727991%22%20target%3D%22_blank%22%3E%40hobbycat%3C%2FA%3E%3CSPAN%3E%26nbsp%3B-%26nbsp%3B%3C%2FSPAN%3E%3CEM%3EHowever%2C%20it%20uncovered%20something%20that%20I%20would%20like%20clarity%20on%2C%20if%20there%20is%20contention%20between%20a%20UPN%20(cloud%20only%20account)%20and%20a%20proxy%2Femail%20address%20on%20a%20sync'd%20account%20for%20example%20-%20which%20will%20take%20precedence%3F%20This%20is%20not%20a%20situation%20that%20I%20was%20expecting%20to%20encounter%20but%20it%20existed.%20From%20some%20the%20limited%20testing%2C%20it%20appears%20the%20account%20with%20email%20address%20wins%2C%20whereas%20I%20would%20have%20expected%20the%20UPN%20to%20take%20precedence.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-ERR%3AREF-NOT-FOUND-%40AndreasMarx%26nbsp%3B%20-%26nbsp%3B%3CEM%3EI%20faced%20the%20same%20issue.%20EMail%20address%20takes%20precedence%20over%20UPN.%20Is%20this%20expected%3F%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F677871%22%20target%3D%22_blank%22%3E%40AndreasMarx%3C%2FA%3E%26nbsp%3BThis%20is%20expected%20behavior.%26nbsp%3B%20Having%20duplicate%20ProxyAddress%20or%20UserPrincipalsNames%20will%20be%20surfaced%20in%20the%20Connect%20Health%20dashboard.%20We%20recommend%20reviewing%20the%20following%20documentation%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fhow-to-connect-health-diagnose-sync-errors%23a-common-scenario%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fhow-to-connect-health-diagnose-sync-errors%23a-common-scenario%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1592273%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1592273%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20we%20get%20the%20same%20feature%20in%20ADFS%20for%20federated%20domains%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1600354%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1600354%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F692076%22%20target%3D%22_blank%22%3E%40RickardD%3C%2FA%3E%26nbsp%3B%20-%3CEM%3E%26nbsp%3BCan%20we%20get%20the%20same%20feature%20in%20ADFS%20for%20federated%20domains%3F%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EADFS%20offer%20the%20ability%20to%20use%20Alt-id%2C%20we%20recommend%20reviewing%20the%20following%20documentation%20%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fconfiguring-alternate-login-id%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fconfiguring-alternate-login-id%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1625561%22%20slang%3D%22fr-FR%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1625561%22%20slang%3D%22fr-FR%22%3E%3CP%3EHi%2C%20thanks%20for%20this%20new%20feature.%3C%2FP%3E%3CP%3EIt%20doesn't%20work%20for%20me%2C%20i%20activated%20this%20feature%20in%20Azure%20AD%20policy%20as%20describe%20in%20the%20documentation.%3C%2FP%3E%3CP%3EThe%20user%20proxy%20address%20attribute%20is%20well%20replicated%20from%20AD%20on-prem%20to%20Azure%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20it%20doesn't%20work%20when%20i%20try%20to%20connect%20to%20%3CA%20href%3D%22https%3A%2F%2Fmyprofile.microsoft.com%2F%2C%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmyprofile.microsoft.com%2F%2C%3C%2FA%3E%20my%20email%20address%20isn't%20recognized...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20have%20any%20idea%3F%3C%2FP%3E%3CP%3EThank%20you!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1626611%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1626611%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F778350%22%20target%3D%22_blank%22%3E%40dmontewis%3C%2FA%3E%26nbsp%3B-%26nbsp%3B%3CEM%3EIt%20doesn't%20work%20for%20me%2C%20i%20activated%20this%20feature%20in%20Azure%20AD%20policy%20as%20describe%20in%20the%20documentation.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EPlease%20allow%20a%20couple%20of%20hours%20for%20the%20policy%20to%20be%20effective%20and%20re-attempt.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1627155%22%20slang%3D%22fr-FR%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1627155%22%20slang%3D%22fr-FR%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F191489%22%20target%3D%22_blank%22%3E%40Joey%20Cruz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20advice%20but%20the%20policy%20was%20activated%20several%20weeks%20ago.%3C%2FP%3E%3CP%3ELooks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1636753%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1636753%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F778350%22%20target%3D%22_blank%22%3E%40dmontewis%3C%2FA%3E%26nbsp%3B-%20from%20our%20follow%20up%20discussion%20we%20identified%20that%20%22%3CSPAN%20class%3D%22hljs-parameter%22%3E-IsOrganizationDefault%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22hljs-literal%22%3E%24true%22%20was%20not%20set.%20This%20is%20a%20requirement%20for%20the%20HRD%20policy%20to%20take%20effect.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1645154%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1645154%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F191489%22%20target%3D%22_blank%22%3E%40Joey%20Cruz%3C%2FA%3E%26nbsp%3B-%20Are%20there%20any%20planned%20requirements%20for%20licensing%20this%20feature%20under%20Azure%20AD%20Premium%20or%20is%20this%20going%20to%20be%20a%20feature%20available%20for%20free%20with%20the%20standard%20Azure%20AD%20license%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20can%20we%20disable%20the%20feature%20on%20specific%20custom%20SMTP%20domains%20that%20we%20won't%20want%20the%20users%20logging%20in%20with%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1646131%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1646131%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F230539%22%20target%3D%22_blank%22%3E%40Jonathan%20Works%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CP%3E%3CSTRONG%3EAre%20there%20any%20planned%20requirements%20for%20licensing%20this%20feature%20under%20Azure%20AD%20Premium%20or%20is%20this%20going%20to%20be%20a%20feature%20available%20for%20free%20with%20the%20standard%20Azure%20AD%20license%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CDIV%3ENo%20licensing%20requirement%20is%20currently%20planned.%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAlso%2C%20can%20we%20disable%20the%20feature%20on%20specific%20custom%20SMTP%20domains%20that%20we%20won't%20want%20the%20users%20logging%20in%20with%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CDIV%3ECurrently%2C%20you%20can%20not%20disable%20per%20SMTP.%20We%20are%20working%20on%20the%20ability%20to%20roll%20this%20feature%20out%20to%20specific%20groups.%3C%2FDIV%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1653724%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1653724%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20alternate%20login%20configured%20with%20ADFS%20today%20through%20domain%20federation.%26nbsp%3B%20If%20we%20were%20to%20turn%20on%20this%20option%2C%20would%20you%20expect%20that%20users%20would%20still%20be%20redirected%20to%20ADFS%20until%20the%20federation%20setting%20is%20changed%20for%20that%20domain%20or%20will%20this%20configuration%20override%20that%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1655323%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1655323%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F789146%22%20target%3D%22_blank%22%3E%40JeffL175%3C%2FA%3E%26nbsp%3BThis%20feature%20only%26nbsp%3Bworks%20for%20managed%20domains%20and%20does%20not%20interfere%20with%20your%20federation%20settings.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1832930%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1832930%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20ideas%2Fplans%20yet%20on%20when%20this%20might%20come%20out%20of%20preview%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EBen%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1833069%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1833069%22%20slang%3D%22en-US%22%3E%3CP%3EOur%20organization%20has%20been%20using%20this%20feature%20since%20my%20last%20post%20in%20September%20without%20issue.%26nbsp%3B%20We've%20been%20able%20to%20decommission%20our%20ADFS%20as%20a%20result%2C%20one%20less%20entry%20point.%26nbsp%3B%20I%20will%20say%20when%20we%20first%20turned%20it%20on%2C%20the%20feature%20was%20not%20overriding%20our%20federation%20settings%20to%20ADFS.%26nbsp%3B%20A%26nbsp%3B%20week%20or%20so%20later%20when%20we%20were%20about%20to%20turn%20it%20on%20for%20all%20domains%2C%20we%20realized%20that%20our%20ADFS%20had%20been%20getting%20zero%20logins%20for%20a%20few%20days.%26nbsp%3B%20This%20suggested%20to%20us%20the%20behavior%20did%20change%20and%20we%20unknowingly%20had%20put%20our%20entire%20org%20into%20scope%20without%20a%20single%20support%20call%20(~3500%20users)%20so%20we%20completed%20the%20config%20for%20all%20domains%20and%20haven't%20looked%20back%20since.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1833195%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1833195%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EWe%20have%20been%20testing%20Cloud%20Azure%20MFA%20with%20on%20premise%202019%20ADFS%20server%20using%20AlternateID%26nbsp%3B%20mail%2C%20it%20works%20if%20we%20want%20to%20use%20Azure%20MFA%20as%20primary%20login%2C%20but%20fails%20Additional%26nbsp%3BCloud%20Azure%20MFA%20as%20secondary.%26nbsp%3B%20%26nbsp%3BOnce%20we%20removed%20the%20alternateid%20it%20works.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1835022%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1835022%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F519%22%20target%3D%22_blank%22%3E%40Ben%20Stegink%3C%2FA%3E%26nbsp%3BWe%20don't%20have%20an%20ETA%20yet%20but%20we%20are%20planning%20for%20this%20feature's%20GA%20release.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F850467%22%20target%3D%22_blank%22%3E%40nj28sharp%3C%2FA%3E%26nbsp%3BThis%20feature%20only%20works%20with%20Azure%20AD%20authentication.%20For%20federated%20domain%20users%2C%20Home%20Realm%20Discovery%20will%20not%20perform%20email%20lookup%20and%20instead%20redirect%20users%20to%20authenticate%20with%20their%20federation.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Aug 03 2020 01:47 PM
Updated by: