Dec 13 2020
12:07 PM
- last edited on
Jan 14 2022
04:26 PM
by
TechCommunityAP
Hello,
Could somebody clarify whether Hybrid Azure AD Join is supported when using Alternate Login ID? In this scenario I'm using the Mail attribute to sync/represent the UPN in Azure AD.
The following article says that the AD on premises UPN needs to be internet routable (and verified in Azure AD) to be supported with HAADJ. However, it makes no reference to using Alternate Login ID in this article - https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-p...
I have run some initial tests in a lab/test scenario which showed HAADJ registration and access to modern apps functioning in the sign-in logs; however, functioning does not mean supported. The scenario of my lab/test:
I'm really looking for some clarification on support for this, can anybody assist?
As a side note, using UPN as the Login ID in Azure AD is my preference, but multiple LOB apps means significant delays and/or other changes required.
Ben
Dec 14 2020 03:58 AM
Dec 14 2020 06:33 AM
@ChristianBergstrom no.
As I understand it, there are 3 types of Alternate Login ID....
I'm looking at option 2.
Dec 14 2020 07:24 AM
Dec 14 2020 09:01 AM
Dec 14 2020 09:06 AM
@Ben Owens
I managed to get clarification from Microsoft via the Technical Advisor on GitHub.
https://github.com/MicrosoftDocs/azure-docs/pull/49710#issuecomment-744067855
The reason I thought this would be supported by Microsoft is that in my lab, a user with a UPN of john.smith@ad.contoso.com achieved Hybrid Azure AD Join status when accessing M365 via Modern Apps or Browser access. This is when the UPN suffix is not verified in the tenant.
On closer investigation I found this worked because my AD forest domain was a forest suffix of ad.contoso.com, which is a sub domain of contoso.com. When I ran a home realm discovery using the sub domain, it returned the details of the correct realm.
E.g.
https://login.microsoftonline.com/common/UserRealm/?user=ad.contoso.com&api-version=1.0&checkForMicrosoftAccount=false&fallback_domain=madeupdomainthatdoesntexist.com
So in conclusion, if your users' on-premises UPN suffix is a sub domain of a verified domain in your tenant (but not verified in Azure AD), I found HAADJ will work. If you have a .local UPN suffix, you will need to amend the users' UPN to work with HAADJ.
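To repeat the home realm discovery check from the post above across a whole UPN suffix chain (the suffix itself, then each parent domain), here is an added Python example; it is not code from the thread or from Microsoft. It assumes the api-version=1.0 reply carries an `account_type` field (Managed / Federated / Unknown) and that a bare domain is accepted as the `user` parameter, as in the URL above; the sample responses are constructed so it can run offline.

```python
import json
import urllib.parse
import urllib.request

# Same endpoint the post above queried (home realm discovery, unauthenticated).
USER_REALM_URL = "https://login.microsoftonline.com/common/UserRealm/"

def candidate_suffixes(upn: str) -> list:
    """UPN suffix followed by each parent domain, most specific first.
    'john.smith@ad.contoso.com' -> ['ad.contoso.com', 'contoso.com'];
    a suffix like 'corp.local' yields only itself (no registrable parent)."""
    labels = upn.rsplit("@", 1)[-1].lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def query_user_realm(domain: str) -> dict:
    """Live query, built like the URL in the post (bare domain as 'user')."""
    params = urllib.parse.urlencode({"user": domain, "api-version": "1.0",
                                     "checkForMicrosoftAccount": "false"})
    with urllib.request.urlopen(f"{USER_REALM_URL}?{params}", timeout=10) as resp:
        return json.load(resp)

def resolve_upn_realm(upn: str, lookup=query_user_realm) -> dict:
    """Walk the suffix chain and report the first suffix the tenant knows.
    Assumes the api-version=1.0 reply carries 'account_type'
    (Managed / Federated / Unknown). 'exact' is False when only a parent
    domain matched, which is the thread's sub-domain case."""
    chain = candidate_suffixes(upn)
    for domain in chain:
        kind = lookup(domain).get("account_type", "Unknown")
        if kind != "Unknown":
            return {"upn": upn, "matched_suffix": domain,
                    "account_type": kind, "exact": domain == chain[0]}
    return {"upn": upn, "matched_suffix": None,
            "account_type": "Unknown", "exact": False}

# Constructed sample responses (offline stand-in for the live endpoint),
# mirroring the lab in the thread: contoso.com verified, ad.contoso.com not.
SAMPLE_REALMS = {
    "contoso.com": {"ver": "1.0", "account_type": "Managed",
                    "domain_name": "contoso.com"},
}

def sample_lookup(domain: str) -> dict:
    return SAMPLE_REALMS.get(domain, {"ver": "1.0", "account_type": "Unknown",
                                      "domain_name": domain})

if __name__ == "__main__":
    for upn in ("john.smith@ad.contoso.com", "jane@corp.local"):
        print(resolve_upn_realm(upn, lookup=sample_lookup))
```

Passing `lookup=query_user_realm` (the default) runs the same query against the real endpoint; a result with `exact` False tells you the user's suffix is only known through a parent domain, the situation the post describes.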
Dec 14 2020 09:21 AM