Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Hybrid Azure AD Join with Alternate Login ID (PHS)

Brass Contributor

Hello,

Could somebody clarify whether Hybrid Azure AD Join is supported when using Alternate Login ID? In this scenario I'm using the Mail attribute to sync/represent the UPN in Azure AD.

 

The following article says that the AD on premises UPN needs to be internet routable (and verified in Azure AD) to be supported with HAADJ. However, it makes no reference to using Alternate Login ID in this article - https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-p...

 

I have ran some initial tests in a lab/test scenario which showed HAADJ registration and access to modern apps functioning in the sign-in logs; however functioning does not mean supported. The scenario of my lab/test:

 

  • AD on prem forest is ad.contoso.com
  • Mail domain is contoso.com
  • AAD Connect configured to sync Mail to UPN in Azure with PHS
  • User set with AD on prem UPN john.smith@ad.contoso.com (domain not verified in tenant) and Mail attribute john.smith@contoso.com (domain verified in tenant)

 

I'm really looking for some clarification on support for this, can anybody assist?

 

As a side note, using UPN as the Login ID in Azure AD is my preference, but multiple LOB apps means significant delays and/or other changes required.

 

Ben

6 Replies

@ChristianBergstrom no.

As I understand there are 3 types of Alternate Login ID....

 

  1. Alternate Login ID (Preview) - as you mentioned
  2. Alternate Login ID with PTA/PHS via AAD Connect login attribute - where you select a different on premises attribute to sync and populate as the UPN in Azure AD (typically Mail)
  3. Alternate Login ID with Federated Identity - like above but you configure your federated endpoint to support login with alt log ID claim

I'm looking at option 2.

Ok. Using Azure AD Connect to achieve this requires to set the email address as the UPN in Azure AD. With the preview you can use the same UPN across on-premises AD and Azure AD to achieve compatibility across the services, while still allowing your users to sign in either with UPN or email. But you don’t want to use the preview?
That would not resolve the issue in my scenario. The on premises UPN is not-routable e.g. @contoso.local . As a result, the preview wouldn't provide a solution.

As I understand, this preview is helpful where the UPN is internet routable, but not eh not same domain suffix as the mail attribute?
Spoiler
 

@Ben Owens 

I managed to get clarification for from Microsoft via the Technical Advisor on GitHub.
https://github.com/MicrosoftDocs/azure-docs/pull/49710#issuecomment-744067855

 

The reason I thought this would be supported by Microsoft is that in my lab, a user with a UPN of john.smith@ad.contoso.com achieved Hybrid Azure AD Join status when accessing M365 via Modern Apps or Browser access.  This is when the UPN suffix is not verified in the tenant.

On closer investigation I found this worked because my AD forest domain was a forest suffix of ad.contoso.com which is a sub domain of contoso.com.  When I ran a home realm discovery using the sun domain, it returns the details of the correct realm.

E.g.

https://login.microsoftonline.com/common/UserRealm/?user=ad.contoso.com&api-version=1.0&checkForMicrosoftAccount=false&fallback_domain=madeupdomainthatdoesntexist.com

 

So in conclusion, if your users on premises UPN suffix is a sub domain of a verified domain in your tenant, (but not verified in Azure AD) I found HAADJ will work.  If you have a .local UPN suffix, you will need to amend the users UPN to work with HAADJ.

 

Great, thanks for the update. Actually read the following just now when doing some searches.

”There are other features in Azure AD that are not compatible with non routable UPNs. One major is Azure AD Hybrid Join”