Configure AD FS Alternate Login ID for Office 365

Introduction

Alternate login ID allows you to configure a sign-in experience where users can sign in with an attribute other than their UPN, such as mail. When you deploy Azure AD Connect tool with Office 365, by default on-premises UserPrincipalName will become the User Principal Name in Office 365 if the on-premises domain is a verified domain in Office 365. The choice for User Principal Name in Azure AD Connect defaults to the userPrincipalName attribute in Active Directory.

Sometimes you have situations where on-premises UPN cannot be the default UPN in Office 365 like the non-premises UPN uses a non-routable domain like domain.local or something that cannot be changed due to legacy application dependencies. In such scenarios, it’s recommended to set up alternate login ID.

If you choose any other attribute for UserPrincipalName and are federating using AD FS, then Azure AD Connect will configure AD FS for alternate login ID. An example of choosing a different attribute for User Principal Name is shown below:

Pros and Cons of AD FS Alternate Login ID

 

  • Configuring Azure AD Connect to use mail attribute instead of UPN have limitation as described here.
  • Modifying ADFS to use mail attribute for authentication will impact all federated domains.
  • Modification of UPN to use Mail attribute instead of UPN will impact all synced accounts as you might have different UPN and email address policy in your organization.
  • It’s recommended to enable modern authentication when using AD FS Alternate login ID.

Configure AD FS Alternate Login ID

Setting up AD FS for the first will leverage AD usernames to authenticate the users from Active directory by design. To allow the AD FS server to leverage a different attribute like “MAIL” to authenticate with AD, we need to run the following PowerShell cmdlet on primary AD FS server.

Set-AdfsClaimsProviderTrust -TargetIdentifier “AD AUTHORITY” -AlternateLoginID mail -LookupForests MSEXPERTTALK.local