Enable user-friendly sign-in to Azure AD with email as an alternate login ID

Your journey to cloud authentication is now even easier.

Label: Product Announcements

Howdy folks,

Today we’re announcing the public preview of the ability to sign in to Azure AD with email in addition to UPN (UserPrincipalName). In organizations where email and UPN are not the same, it can be confusing for users when they can't use their familiar email address to sign in. With this preview capability, you can enable your users to sign in with either their UPN or their email address, helping them avoid this confusion.

This feature can be enabled by setting the AlternateIdLogin attribute in the HomeRealmDiscoveryPolicy. Please use the instructions in our documentation (https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-use-email-signin) to set this up in your organization.

Some customers are using capabilities in Azure Active Directory (Azure AD) Connect to achieve this today, but that requires them to set the email address as the UPN in Azure AD. With this preview capability, you can now use the same UPN across on-premises Active Directory and Azure AD to achieve the best compatibility across Office 365 and other workloads, while still allowing your users to sign in with either their UPN or email, further simplifying their experience.

We hope this change simplifies the sign-in experience for your end users.

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum (https://feedback.azure.com/forums/169401-azure-active-directory).

Stay safe and be well,
Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division

---

@Alex

Cool!!! Much-awaited feature...

So if I use UPN to sync my users but their SMTP is different, still my users can login to azure/office 365 with their SMTP email id, right?

Must I sync my email domain to accomplish this or just verify the domain in office 365?

---

Great news! It's always good to make users' lives easier and simplified!

---

Agreed, much-awaited feature. Thanks for making it happen.

---

Hello Alex, does this function work when logging in O365 connected workstations?

---

This is a nice feature, but in our Azure AD, our primary email addresses on users are very long and are generated based on user full names; for users it's more convenient to log in with UPN, which is based on users' usernames. It would be cool if all Microsoft login screen text said "username", not an email address, to log in, which would help users following the company's internal username policy (email or UPN) to log in to the cloud services.

---

Thanks for releasing this, AAD Team! It is huge for companies that do not have matching UPNs and email addresses.

---

@Alex

This is great news and will benefit many of us.

I implemented this in a non-production environment yesterday; on the whole it went well. However, it uncovered something that I would like clarity on: if there is contention between a UPN (cloud only account) and a proxy/email address on a sync'd account for example - which will take precedence? This is not a situation that I was expecting to encounter but it existed. From some limited testing, it appears the account with email address wins, whereas I would have expected the UPN to take precedence.

There was also a delay of upwards of 20 minutes from creating the policy to seeing the change in behaviour. If this is expected then it would be helpful if the documentation reflected this.

---

We need this as we are doing a domain migration but are affected by duplicate UPNs in both domains, which blocks domain trust routing. This feature will allow us to change the UPN in one domain and then use email to log into Azure/Office365. When will this be GA?

---

Keeping the sign-on ID separate from the email address is better from a security perspective IMO.

My organization is frequently the target of password guessing attacks, with email addresses used for the login name. Keeping the "private" sign-in ID separate from your "public" email address adds another layer of protection.

---

Good morning @Alex Simons (AZURE), we've implemented this new policy as per the instructions and we have checked the three boxes for troubleshooting, but still not operating. Since this is public preview, is there someone we can talk to for troubleshooting or discussing further? Or should we attempt to open a ticket on this, or just wait and try again later? After typing the new identifier (alternate ID/proxy address) in the AAD username field, it responds with "This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin." This is with an alternate email address suffix that is a verified domain in our AAD tenant setup, so I believe we have everything we needed for this. Would there be a delay of any kind?

Very excited about this new feature, many thanks!

---

After my post above, it is now working, so it looks like there was just some delay in implementation (30-35 minutes) for future adventurers that might be looking through these threads for input. :) It was a super simple change, just took a small amount of time (would recommend to update documentation - I'll comment on that article as well). Thanks again, such a great feature!

---

I agree with @nateweso, using email addresses as login names has always been a stupid idea and a big security hole. Now malicious attacks need simply to use easily accessible or leaked email addresses to spray attack looking for vulnerable accounts. Way to go Microsoft.

---

@Abdul Farooque - *So if I use UPN to sync my users but their SMTP is different, still my users can login to azure/office 365 with their SMTP email id, right?*
Yes, users will have the option to use UPN or SMTP Proxy Address. Whichever is easiest for the user.

*Must I sync my email domain to accomplish this or just verify the domain in office 365?*
You would need to verify the domain in Azure AD for the Proxy address to be synced to the user object.
To get a full list of requirements and limitations review our docs here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-email-signin#synchronize-sign-in-email-addresses-to-azure-ad

@patrick410 - *does this function work when logging in O365 connected workstations?*
I will provide an update on this question.

@belaie - *It would be cool if all Microsoft login screen text said "username", not an email address, to log in, which would help users following the company's internal username policy (email or UPN) to log in to the cloud services.*
This is a great suggestion for us to consider, would love for you to add this suggestion to our user voice:
https://feedback.azure.com/forums/169401-azure-active-directory

@hobbycat - *However, it uncovered something that I would like clarity on: if there is contention between a UPN (cloud only account) and a proxy/email address on a sync'd account for example - which will take precedence? This is not a situation that I was expecting to encounter but it existed. From some limited testing, it appears the account with email address wins, whereas I would have expected the UPN to take precedence.*
I will provide an update on this question.

*There was also a delay of upwards of 20 minutes from creating the policy to seeing the change in behaviour. If this is expected then it would be helpful if the documentation reflected this.*
Yes, this is expected to take up to 1 hour to see expected behavior. We will update our documentation to include this note. Thank you.

@pmahlmann - *This feature will allow us to change the UPN in one domain and then use email to log into Azure/Office365. When will this be GA?*
We are looking to get much customer feedback during preview before going GA. We do not have a target date currently.

@Chris Smith - *It was a super simple change, just took a small amount of time (would recommend to update documentation - I'll comment on that article as well). Thanks again, such a great feature!*
Thank you for the feedback, will be adding this to our documentation.

Joey Cruz - Program Manager - Identity Engineering Team

---

How will the new change affect MFA registered for a user?

---

@Alexey Goncharov - *How will the new change affect MFA registered for a user?*

This will not affect MFA registration; users will be able to go through the same registration flow. Once the user signs in, the user will see their UPN in the registration flow and in the Authenticator App (if registered). We will make note in the documentation to include a note.

---

@Joey Cruz

Any update on the behaviour described by @hobbycat:

- *However, it uncovered something that I would like clarity on: if there is contention between a UPN (cloud only account) and a proxy/email address on a sync'd account for example - which will take precedence? This is not a situation that I was expecting to encounter but it existed. From some limited testing, it appears the account with email address wins, whereas I would have expected the UPN to take precedence.*
I will provide an update on this question.

I faced the same issue. Email address takes precedence over UPN. Is this expected? Can that be changed?

---

Thank you @Joey Cruz. So, if I understood it correctly, the Authenticator app and FIDO2 token registered as 2FA for a user, will to leverage a UPN of an account, rather than one of the smtp aliases used by a user for authentication, right?

---

@AndreasMarx - *I faced the same issue. Email address takes precedence over UPN. Is this expected?*

Will follow up for clarification.

@Alexey Goncharov - *Thank you @Joey Cruz. So, if I understood it correctly, the Authenticator app and FIDO2 token registered as 2FA for a user, will to leverage a UPN of an account, rather than one of the smtp aliases used by a user for authentication, right?*

Correct, the UPN will be used.

---

Nice, thanks MS.

Regarding the security part, I think it's pretty easy to spray and guess internal usernames of a company from an attacker's perspective. The benefits probably outweigh the cons for an org.

---

@hobbycat - *However, it uncovered something that I would like clarity on: if there is contention between a UPN (cloud only account) and a proxy/email address on a sync'd account for example - which will take precedence? This is not a situation that I was expecting to encounter but it existed. From some limited testing, it appears the account with email address wins, whereas I would have expected the UPN to take precedence.*

@AndreasMarx - *I faced the same issue. Email address takes precedence over UPN. Is this expected?*

@AndreasMarx This is expected behavior. Having duplicate ProxyAddress or UserPrincipalNames will be surfaced in the Connect Health dashboard. We recommend reviewing the following documentation: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-diagnose-sync-errors#a-common-scenario

---

Can we get the same feature in ADFS for federated domains?

---

@RickardD - *Can we get the same feature in ADFS for federated domains?*
ADFS offers the ability to use Alt-id; we recommend reviewing the following documentation: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id

---

Hi, thanks for this new feature.

It doesn't work for me; I activated this feature in Azure AD policy as described in the documentation.

The user proxy address attribute is well replicated from AD on-prem to Azure AD.

However, it doesn't work when I try to connect to https://myprofile.microsoft.com/, my email address isn't recognized...

Do you have any idea?

Thank you!
E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1626611%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1626611%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F778350%22%20target%3D%22_blank%22%3E%40dmontewis%3C%2FA%3E%26nbsp%3B-%26nbsp%3B%3CEM%3EIt%20doesn't%20work%20for%20me%2C%20i%20activated%20this%20feature%20in%20Azure%20AD%20policy%20as%20describe%20in%20the%20documentation.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EPlease%20allow%20a%20couple%20of%20hours%20for%20the%20policy%20to%20be%20effective%20and%20re-attempt.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1627155%22%20slang%3D%22fr-FR%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1627155%22%20slang%3D%22fr-FR%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F191489%22%20target%3D%22_blank%22%3E%40Joey%20Cruz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20advice%20but%20the%20policy%20was%20activated%20several%20weeks%20ago.%3C%2FP%3E%3CP%3ELooks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1636753%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1636753%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F778350%22%20target%3D%22_blank%22%3E%40dmontewis%3C%2FA%3E%26nbsp%3B-%20from%20our%20follow%20up%20discussion%20we%20identified%20that%20%22%3CSPAN%20class%3D%22hljs-parameter%22%3E-IsOrganizationDefault%3C%2FSPAN%3E%20%3CSPAN%2
0class%3D%22hljs-literal%22%3E%24true%22%20was%20not%20set.%20This%20is%20a%20requirement%20for%20the%20HRD%20policy%20to%20take%20effect.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1645154%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1645154%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F191489%22%20target%3D%22_blank%22%3E%40Joey%20Cruz%3C%2FA%3E%26nbsp%3B-%20Are%20there%20any%20planned%20requirements%20for%20licensing%20this%20feature%20under%20Azure%20AD%20Premium%20or%20is%20this%20going%20to%20be%20a%20feature%20available%20for%20free%20with%20the%20standard%20Azure%20AD%20license%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20can%20we%20disable%20the%20feature%20on%20specific%20custom%20SMTP%20domains%20that%20we%20won't%20want%20the%20users%20logging%20in%20with%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1646131%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1646131%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F230539%22%20target%3D%22_blank%22%3E%40Jonathan%20Works%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CP%3E%3CSTRONG%3EAre%20there%20any%20planned%20requirements%20for%20licensing%20this%20feature%20under%20Azure%20AD%20Premium%20or%20is%20this%20going%20to%20be%20a%20feature%20available%20for%20free%20with%20the%20standard%20Azure%20AD%20license%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CDIV%3ENo%20licensing%20requirement%20is%20currently%20planned.%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%
3CP%3E%3CSTRONG%3EAlso%2C%20can%20we%20disable%20the%20feature%20on%20specific%20custom%20SMTP%20domains%20that%20we%20won't%20want%20the%20users%20logging%20in%20with%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CDIV%3ECurrently%2C%20you%20can%20not%20disable%20per%20SMTP.%20We%20are%20working%20on%20the%20ability%20to%20roll%20this%20feature%20out%20to%20specific%20groups.%3C%2FDIV%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1653724%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1653724%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20alternate%20login%20configured%20with%20ADFS%20today%20through%20domain%20federation.%26nbsp%3B%20If%20we%20were%20to%20turn%20on%20this%20option%2C%20would%20you%20expect%20that%20users%20would%20still%20be%20redirected%20to%20ADFS%20until%20the%20federation%20setting%20is%20changed%20for%20that%20domain%20or%20will%20this%20configuration%20override%20that%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1655323%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20user-friendly%20sign-in%20to%20Azure%20AD%20with%20email%20as%20an%20alternate%20login%20ID%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1655323%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F789146%22%20target%3D%22_blank%22%3E%40JeffL175%3C%2FA%3E%26nbsp%3BThis%20feature%20only%26nbsp%3Bworks%20for%20managed%20domains%20and%20does%20not%20interfere%20with%20your%20federation%20settings.%3C%2FP%3E%3C%2FLINGO-BODY%3E

Howdy folks,

 

Today we’re announcing the public preview of the ability to sign in to Azure AD with email in addition to UPN (UserPrincipalName). In organizations where email and UPN are not the same, it can be confusing for users when they can't use their familiar email address to sign in. With this preview capability, you can enable your users to sign in with either their UPN or their email address, helping them avoid this confusion.

 

This feature can be enabled by setting the AlternateIdLogin attribute in the HomeRealmDiscoveryPolicy. Please use the instructions in our documentation to set this up in your organization.
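One way to apply the setting, as an added example that is not part of the original post: it assumes the AzureADPreview PowerShell module and an existing `Connect-AzureAD` session, and the display name is a constructed placeholder. It reports any existing HomeRealmDiscoveryPolicy first and sets `-IsOrganizationDefault $true`, which the comments on this post identify as required for the policy to take effect.

```powershell
# Added example: assumes the AzureADPreview module and a prior Connect-AzureAD.
Import-Module AzureADPreview

# Constructed placeholder name; use your tenant's naming convention.
$displayName = 'EmailAsAlternateLoginId'

# Policy body: AlternateIdLogin enabled inside a HomeRealmDiscoveryPolicy.
$definition = @(
    @{
        HomeRealmDiscoveryPolicy = @{
            AlternateIdLogin = @{ Enabled = $true }
        }
    } | ConvertTo-Json -Compress -Depth 5
)

# Inspect every existing HRD policy before changing anything.
$existing = @(Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'HomeRealmDiscoveryPolicy' })

foreach ($policy in $existing) {
    $parsed = $policy.Definition[0] | ConvertFrom-Json
    $altId  = [bool]$parsed.HomeRealmDiscoveryPolicy.AlternateIdLogin.Enabled
    [pscustomobject]@{
        Id                    = $policy.Id
        DisplayName           = $policy.DisplayName
        AlternateIdLogin      = $altId
        IsOrganizationDefault = $policy.IsOrganizationDefault
        # The setting only applies tenant-wide when both are true.
        TakesEffect           = ($altId -and $policy.IsOrganizationDefault)
    }
}

if ($existing.Count -eq 0) {
    # No HRD policy yet: create one as the organization default.
    New-AzureADPolicy -Definition $definition `
        -DisplayName $displayName `
        -IsOrganizationDefault $true `
        -Type 'HomeRealmDiscoveryPolicy'
}
else {
    # Do not overwrite: an existing policy may carry other HRD settings
    # that must be merged into one definition by hand.
    Write-Warning 'A HomeRealmDiscoveryPolicy already exists; review the report above before changing it.'
}
```

Per the comments on this post, allow up to an hour after the change before testing sign-in with an email address.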

 

Some customers are using capabilities in Azure Active Directory (Azure AD) Connect to achieve this today, but that requires them to set the email address as the UPN in Azure AD. With this preview capability, you can now use the same UPN across on-premises Active Directory and Azure AD to achieve the best compatibility across Office 365 and other workloads, while still allowing your users to sign in with either their UPN or email, further simplifying their experience.

 

We hope this change simplifies the sign-in experience for your end users.

 

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum. 


Stay safe and be well,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

30 Comments
Contributor

@Alex

Cool!!! much awaited feature...

 

So if I use UPN to sync my users but their SMTP is different, still my users can login to azure/office 365 with their SMTP email id, right?

 

Must I sync my email domain to accomplish this, or just verify the domain in Office 365?

New Contributor

Great news! It's always good to make users' lives easier and simplified!

Occasional Visitor

Agreed much awaited feature. Thanks for making it happen

Regular Visitor

Hello Alex, does this function work when logging in O365 connected workstations?

Regular Visitor

This is a nice feature, but in our Azure AD, our primary email addresses on users are very long and are generated based on user full names. For users it's more convenient to log in with UPN, which is based on users' usernames. It would be cool if all Microsoft login screen text said "username", not an email address, to log in, which would help users following the company's internal username policy (email or UPN) to log in to the cloud services.

Senior Member

Thanks for releasing this AAD Team! It is huge for companies that do not have matching UPNs and email addresses.

Occasional Visitor

@Alex

 

This is great news and will benefit many of us.

 

I implemented this in a non-production environment yesterday, on the whole it went well. However, it uncovered something that I would like clarity on, if there is contention between a UPN (cloud only account) and a proxy/email address on a sync'd account for example - which will take precedence? This is not a situation that I was expecting to encounter but it existed. From some limited testing, it appears the account with email address wins, whereas I would have expected the UPN to take precedence.

 

There was also a delay of upwards 20 minutes from creating the policy to seeing the change in behaviour. If this is expected then it would be helpful if the documentation reflected this.

Occasional Visitor

We need this as we are doing a domain migration but are affected by duplicate UPNs in both domains, which blocks domain trust routing. This feature will allow us to change the UPN in one domain and then use email to log into Azure/Office365. When will this be GA?

 

Occasional Visitor

Keeping the sign-on ID separate from the email address is better from a security perspective IMO.

 

My organization is frequently the target of password guessing attacks, with email addresses used for the login name.  Keeping the "private" sign-in ID separate from your "public" email address adds another layer of protection.

Frequent Contributor

Good morning @Alex Simons (AZURE) , we've implemented this new policy as per the instructions and we have checked the three boxes for troubleshooting, but still not operating. Since this is public preview, is there someone we can talk to for troubleshooting or discussing further? Or should we attempt to open a ticket on this, or just wait and try again later?  After typing the new identifier (alternate ID/proxy address) in the AAD username field, it responds with "This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin." This is with an alternate email address suffix that is a verified domain in our AAD tenant setup, so I believe we have everything we needed for this. Would there be a delay of any kind? 

 

Very excited about this new feature, many thanks!

 

Frequent Contributor

After my post above, it is now working, so it looks like there was just some delay in implementation (30-35 minutes) for future adventurers that might be looking through these threads for input. :) It was a super simple change, just took a small amount of time (would recommend to update documentation - I'll comment on that article as well).  Thanks again, such a great feature!

Microsoft

@Abdul Farooque - So If I use UPN to sync my users but their SMTP is different, still my users can login to azure/office 365 with their SMTP email id, right?

Yes, users will have the option to use UPN or SMTP Proxy Address, whichever is easiest for the user.

 

Do I must sync my email domain to accomplish this or just verify the domain in office 365 ?

You would need to verify the domain in Azure AD for the Proxy address to be synced to the user object.

To get a full list of requirements and limitations review our docs here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-emai... 

 

@patrick410  - does this function work when logging in O365 connected workstations?

I will provide an update on this question. 

 

@belaie  - It would be cool if all Microsoft login screen text should say "username" not an email address to log in, which would help users following company's internal username policy  (email or UPN) to login to the cloud services.

This is a great suggestion for us to consider, would love for you to add this suggestion to our user voice:

https://feedback.azure.com/forums/169401-azure-active-directory

 

@hobbycat - However, it uncovered something that I would like clarity on, if there is contention between a UPN (cloud only account) and a proxy/email address on a sync'd account for example - which will take precedence? This is not a situation that I was expecting to encounter but it existed. From some limited testing, it appears the account with email address wins, whereas I would have expected the UPN to take precedence.

I will provide an update on this question. 

 

There was also a delay of upwards 20 minutes from creating the policy to seeing the change in behaviour. If this is expected then it would be helpful if the documentation reflected this.

Yes, this is expected to take up to 1 hour to see expected behavior. We will update our documentation to include this note. Thank you.

 

@pmahlmann  - This feature will allow us to change the UPN in one domain and then use email to log into Azure/Office365.  when will this be GA.

We are looking to get as much customer feedback during preview before going GA. We do not have a target date currently.

 

@Chris Smith  - It was a super simple change, just took a small amount of time (would recommend to update documentation - I'll comment on that article as well).  Thanks again, such a great feature!

Thank you for the feedback, will be adding this to our documentation. 

 

Joey Cruz - Program Manager - Identity Engineering Team  

Occasional Visitor

I agree with @nateweso, using email addresses as login names has always been a stupid idea and a big security hole. Now malicious attacks need simply to use easily accessible or leaked email addresses to spray attack looking for vulnerable accounts. Way to go Microsoft.

Occasional Contributor

How will the new change affect MFA registered for a user?

Microsoft

@Alexey Goncharov  - How the new change will affect MFA registered for a user?

 

This will not affect MFA registration, users will be able to go through the same registration flow. Once the user signs in, the user will see their UPN in the registration flow and in the Authenticator App (if registered). We will include a note in the documentation.

Senior Member

@Joey Cruz 

Any update on the behaviour described by @hobbycat :

 

However, it uncovered something that I would like clarity on, if there is contention between a UPN (cloud only account) and a proxy/email address on a sync'd account for example - which will take precedence? This is not a situation that I was expecting to encounter but it existed. From some limited testing, it appears the account with email address wins, whereas I would have expected the UPN to take precedence.

I will provide an update on this question. 

 

I faced the same issue. EMail address takes precedence over UPN. Is this expected? Can that be changed?

 
Occasional Contributor

Thank you @Joey Cruz. So, if I understood it correctly, the Authenticator app and FIDO2 token registered as 2FA for a user will leverage a UPN of an account, rather than one of the smtp aliases used by a user for authentication, right?

Microsoft

@AndreasMarx  - I faced the same issue. EMail address takes precedence over UPN. Is this expected? 

 

Will follow up for clarification. 

 

@Alexey Goncharov - Thank you @Joey Cruz. So, if I understood it correctly, the Authenticator app and FIDO2 token registered as 2FA for a user will leverage a UPN of an account, rather than one of the smtp aliases used by a user for authentication, right?

 

Correct, the UPN will be used. 

Senior Member

nice, thanks MS.

Regarding the security part, I think it's pretty easy to spray and guess internal usernames of a company from attacker's perspective. The benefits probably outweigh the cons for an org.

Microsoft

@hobbycat - However, it uncovered something that I would like clarity on, if there is contention between a UPN (cloud only account) and a proxy/email address on a sync'd account for example - which will take precedence? This is not a situation that I was expecting to encounter but it existed. From some limited testing, it appears the account with email address wins, whereas I would have expected the UPN to take precedence.

 

@AndreasMarx  - I faced the same issue. EMail address takes precedence over UPN. Is this expected? 

 

@AndreasMarx This is expected behavior. Having duplicate ProxyAddress or UserPrincipalNames will be surfaced in the Connect Health dashboard. We recommend reviewing the following documentation: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-diagnose-sync-errors#a-common-scenario
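A way to find the contention discussed in this exchange before enabling the feature, as an added example that is not part of the original thread: the hypothetical function `Find-SignInIdCollision` flags any sign-in identifier (UPN or SMTP proxy address) claimed by more than one account. The sample users are constructed; the property names match what `Get-AzureADUser` returns.

```powershell
# Added example: Find-SignInIdCollision is a hypothetical helper name.
function Find-SignInIdCollision {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [object[]]$User
    )

    # Map each normalized identifier to every (account, source) that claims it.
    $claims = @{}
    foreach ($u in $User) {
        $ids = @([pscustomobject]@{ Value = $u.UserPrincipalName; Source = 'UPN' })
        foreach ($p in @($u.ProxyAddresses)) {
            # Only SMTP entries are email addresses; X500:, SIP: etc. are skipped.
            if ($p -match '^smtp:(.+)$') {
                $ids += [pscustomobject]@{ Value = $Matches[1]; Source = 'ProxyAddress' }
            }
        }
        foreach ($id in $ids) {
            if ([string]::IsNullOrWhiteSpace($id.Value)) { continue }
            $key = $id.Value.Trim().ToLowerInvariant()
            if (-not $claims.ContainsKey($key)) { $claims[$key] = @() }
            $claims[$key] += [pscustomobject]@{
                ObjectId = $u.ObjectId
                UPN      = $u.UserPrincipalName
                Source   = $id.Source
            }
        }
    }

    foreach ($key in ($claims.Keys | Sort-Object)) {
        $entries = $claims[$key]
        # One account holding the same address as UPN and proxy is not a collision.
        $owners = @($entries.ObjectId | Select-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{
                Identifier = $key
                # True when a UPN and a proxy address are both among the claims.
                UpnVsProxy = (@($entries.Source | Select-Object -Unique).Count -gt 1)
                Claims     = ($entries | ForEach-Object { '{0} ({1})' -f $_.UPN, $_.Source }) -join '; '
            }
        }
    }
}

# Constructed sample data: a synced account whose proxy address equals
# the UPN of a cloud-only account, plus one account with no overlap.
$sample = @(
    [pscustomobject]@{ ObjectId = 'aaaaaaaa-0000-0000-0000-000000000001'
        UserPrincipalName = 'jdoe@example.com'
        ProxyAddresses = @('SMTP:jane.doe@example.com', 'smtp:jdoe@example.com') }
    [pscustomobject]@{ ObjectId = 'aaaaaaaa-0000-0000-0000-000000000002'
        UserPrincipalName = 'Jane.Doe@example.com'
        ProxyAddresses = @() }
    [pscustomobject]@{ ObjectId = 'aaaaaaaa-0000-0000-0000-000000000003'
        UserPrincipalName = 'bsmith@example.com'
        ProxyAddresses = @('SMTP:bob.smith@example.com', 'X500:/o=Example/cn=bsmith') }
)

Find-SignInIdCollision -User $sample
# Against a live tenant: Find-SignInIdCollision -User (Get-AzureADUser -All $true)
```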

 

Occasional Visitor

Can we get the same feature in ADFS for federated domains?

Microsoft

@RickardD  - Can we get the same feature in ADFS for federated domains?

ADFS offers the ability to use Alt-id, we recommend reviewing the following documentation: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id

Senior Member

Hi, thanks for this new feature.

It doesn't work for me, I activated this feature in Azure AD policy as described in the documentation.

The user proxy address attribute is well replicated from AD on-prem to Azure AD.

 

However, it doesn't work when I try to connect to https://myprofile.microsoft.com/, my email address isn't recognized...

 

Do you have any idea?

Thank you!

Microsoft

 @dmontewis - It doesn't work for me, i activated this feature in Azure AD policy as describe in the documentation.

Please allow a couple of hours for the policy to be effective and re-attempt. 

Senior Member

@Joey Cruz 

Thanks for the advice but the policy was activated several weeks ago.

Regards

Microsoft

@dmontewis - from our follow up discussion we identified that "-IsOrganizationDefault $true" was not set. This is a requirement for the HRD policy to take effect. 

Regular Visitor

Hi @Joey Cruz - Are there any planned requirements for licensing this feature under Azure AD Premium or is this going to be a feature available for free with the standard Azure AD license?

 

Also, can we disable the feature on specific custom SMTP domains that we won't want the users logging in with?

Microsoft

@Jonathan Works 

 

Are there any planned requirements for licensing this feature under Azure AD Premium or is this going to be a feature available for free with the standard Azure AD license?

No licensing requirement is currently planned. 

 

Also, can we disable the feature on specific custom SMTP domains that we won't want the users logging in with?

Currently, you cannot disable per SMTP. We are working on the ability to roll this feature out to specific groups.

Frequent Visitor

We have alternate login configured with ADFS today through domain federation.  If we were to turn on this option, would you expect that users would still be redirected to ADFS until the federation setting is changed for that domain or will this configuration override that?

Microsoft

@JeffL175 This feature only works for managed domains and does not interfere with your federation settings.