Using AlternateID without ADFS

Dear Experts


I have the following situation. Our company has a local AD forest. We have an Office365 tenant with a couple of subscriptions. Our current UPN is something like This old domain is not owned by us. Our samAccountName is localdomain\username. Users use UPN to authenticate with local AD.



We need to sync our users to Azure AD. The issue is that we will not be able to use our current UPN As we do not own that domain. We will also not be able to use the email address, as the email address domain is registered with our parent company and it won't be possible to get the domain into Azure. We also cannot change the UPN or add a new UPN prefix due to stringent policies.




So we have purchased a new domain and verified it with Office365, say Now we want all users from our local AD to be synced to the Azure AD using the UPN In order to do this, we are thinking of populating an attribute in local AD with the value and using it as an AlternateID using the AD Connect tool. Please answer my following questions.



1) Can I populate an attribute in local AD with the value of and use that attribute as alternateID?

2) What is the recommended attribute in AD that could be used to populate values and thus use as AlternateID?

3) Is it possible to use AlternateID without implementing ADFS?


Thanks in advance


3 Replies

1) Yes, that's the whole idea behind AlternateID

2) "mail" is the recommended attribute

3) Yes, Pass-through authentication also supports AlternateID, AD FS is not a hard requirement. Password hash sync also supports it.


I think you have all the elements you need in place. You can use any attribute as UPN so the configuration is very easy (see my blog at


So, when configuring AAD Connect, choose the attribute containing the "new UPN" for UPN and you're done. Now your users can log in to Office 365 using their and on-prem password (given that you are using the password-hash-sync).


If you also need to use the "new UPN" as an email address, the easiest way is to populate that to the ProxyAddresses attribute as


Thanks a lot to both of you @Vasil Michev and @Nestori Syynimaa. You guys are amazing. I am new to this portal and you made me believe that this is indeed a helpful site. I managed to use a custom attribute as mail or Proxyaddress could not be used. It worked like a charm.
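
The thread's approach depends on every synced user carrying a usable sign-in value in the chosen attribute. The following read-only pre-sync check is an added example, not code from any of the posters. It assumes the ActiveDirectory PowerShell module is available; the attribute name `extensionAttribute10` and the domain `newdomain.example` are placeholders, since the thread names neither the custom attribute nor the new domain.

```powershell
# Added example: audit the attribute that AAD Connect will use as the sign-in name.
# Read-only: nothing in AD is modified.
Import-Module ActiveDirectory

$AttributeName  = 'extensionAttribute10'   # placeholder: the attribute you populated
$VerifiedDomain = 'newdomain.example'      # placeholder: the domain verified in the tenant

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $AttributeName

$report = foreach ($u in $users) {
    $value = [string]$u.$AttributeName
    $problem = if ([string]::IsNullOrWhiteSpace($value)) {
        'empty'
    } elseif ($value -notmatch '^[^@\s]+@[^@\s]+$') {
        'not in user@domain form'
    } elseif (($value -split '@')[1] -ne $VerifiedDomain) {
        'suffix is not the verified domain'   # -ne is case-insensitive for strings
    } else {
        $null
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Value          = $value
        Problem        = $problem
    }
}

# Two accounts with the same sign-in value will collide once synced,
# so report duplicates separately (compared case-insensitively).
$duplicates = $report |
    Where-Object { $_.Value } |
    Group-Object -Property { $_.Value.ToLowerInvariant() } |
    Where-Object Count -gt 1

'Users with a missing or malformed value:'
$report | Where-Object Problem | Format-Table SamAccountName, Value, Problem -AutoSize

'Values assigned to more than one user:'
$duplicates | ForEach-Object {
    [pscustomobject]@{
        Value = $_.Name
        Users = ($_.Group.SamAccountName -join ', ')
    }
} | Format-Table -AutoSize
```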