In the past, using Alternate Login ID required you to have Active Directory Federation Services installed and configured accordingly. Recently, however, Microsoft released this feature in Azure Active Directory as a Public Preview. As always, this means the feature is only supported for testing purposes and not for use in a production environment.
Alternate Login ID for dummies:
Microsoft always recommends keeping the UserPrincipalName and the Primary SMTP Address at the same value. However, in some circumstances this is not feasible, e.g. when using a smart card for authentication, which relies on a certificate with your UserPrincipalName on it. Changing the UPN to your SMTP Address would in this case require you to revoke all issued certificates and re-issue them with the correct value, plus update ALL smart cards with their new certificates. The same procedure would also come into play whenever an employee marries and changes his/her last name.
Alternate Login ID allows you to match the UPN with the user's SMTP Address, thus allowing users to sign in to Azure Active Directory with their SMTP Address rather than their UPN.
To configure Alternate Login ID with ADFS you need to follow these instructions:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id
How to configure Alternate Login ID in Azure Active Directory:
1. Open a PowerShell session as an administrator, then install the AzureADPreview module using the Install-Module cmdlet:
Install-Module AzureADPreview
If you already have the AzureADPreview module installed, you do not need to perform this step a second time. However, to get the latest version of the module you need to uninstall and reinstall it.
2. Sign in to your Azure AD tenant as a tenant administrator using the Connect-AzureAD cmdlet:
Connect-AzureAD
3. Check if the HomeRealmDiscoveryPolicy policy already exists in your tenant using the Get-AzureADPolicy cmdlet as follows:
Get-AzureADPolicy | where-object {$_.Type -eq "HomeRealmDiscoveryPolicy"} | fl *
4. If there’s no policy currently configured, the command returns nothing. If a policy is returned, skip this step and move on to the next step to update an existing policy.
To add the HomeRealmDiscoveryPolicy policy to the tenant, use the New-AzureADPolicy cmdlet and set the AlternateIdLogin attribute to “Enabled”: true:
New-AzureADPolicy -Definition @('{"HomeRealmDiscoveryPolicy" :{"AlternateIdLogin":{"Enabled": true}}}') `
    -DisplayName "BasicAutoAccelerationPolicy" `
    -IsOrganizationDefault $true `
    -Type "HomeRealmDiscoveryPolicy"
When the policy is created, we get a confirmation of this in the PowerShell window:
Id                                   DisplayName                 Type                     IsOrganizationDefault
--                                   -----------                 ----                     ---------------------
5de3afbe-4b7a-4b33-86b0-7bbe308db7f7 BasicAutoAccelerationPolicy HomeRealmDiscoveryPolicy True
5. To verify that your policy has been created correctly use the Get-AzureADPolicy cmdlet:
Get-AzureADPolicy -Id 5de3afbe-4b7a-4b33-86b0-7bbe308db7f7 | fl
Which returns the following information:
Id                    : 5de3afbe-4b7a-4b33-86b0-7bbe308db7f7
OdataType             :
AlternativeIdentifier :
Definition            : {{"HomeRealmDiscoveryPolicy" :{"AlternateIdLogin":{"Enabled": true}}}}
DisplayName           : BasicAutoAccelerationPolicy
IsOrganizationDefault : True
KeyCredentials        : {}
Type                  : HomeRealmDiscoveryPolicy
Now we've created an Alternate Login ID policy for our Azure Active Directory.
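The steps above can be combined into one idempotent script that inspects the existing HomeRealmDiscoveryPolicy before creating anything, updates it in place with Set-AzureADPolicy (the update cmdlet from the same module) only if AlternateIdLogin is not yet enabled, and then reads the stored JSON back to confirm the setting. This is an added example and not code from the original post; it assumes the AzureADPreview module is loaded and Connect-AzureAD has already been run.

```powershell
# Added example: create or update the tenant-wide HomeRealmDiscoveryPolicy so that
# AlternateIdLogin is enabled, then verify the result by parsing the stored JSON.
# Assumes the AzureADPreview module is loaded and Connect-AzureAD has already run.

$policyName = "BasicAutoAccelerationPolicy"
$definition = '{"HomeRealmDiscoveryPolicy":{"AlternateIdLogin":{"Enabled":true}}}'

# Step 3: look for an existing HRD policy rather than blindly creating a second one
$existing = Get-AzureADPolicy |
    Where-Object { $_.Type -eq "HomeRealmDiscoveryPolicy" } |
    Select-Object -First 1

if ($null -eq $existing) {
    # Step 4: no policy yet, so create it as the organization default
    $policy = New-AzureADPolicy -Definition @($definition) `
                                -DisplayName $policyName `
                                -IsOrganizationDefault $true `
                                -Type "HomeRealmDiscoveryPolicy"
    Write-Host "Created policy $($policy.Id)"
}
else {
    # Definition is a collection holding one JSON string; parse it before deciding
    $current = $existing.Definition[0] | ConvertFrom-Json
    $enabled = $current.HomeRealmDiscoveryPolicy.AlternateIdLogin.Enabled
    if ($enabled -eq $true) {
        Write-Host "Policy $($existing.Id) already has AlternateIdLogin enabled"
    }
    else {
        # Update the existing policy in place instead of creating a duplicate
        Set-AzureADPolicy -Id $existing.Id -Definition @($definition)
        Write-Host "Updated policy $($existing.Id) to enable AlternateIdLogin"
    }
    $policy = $existing
}

# Step 5: read the policy back and confirm the stored JSON says what we expect
$readBack = Get-AzureADPolicy -Id $policy.Id
$check = $readBack.Definition[0] | ConvertFrom-Json
if ($check.HomeRealmDiscoveryPolicy.AlternateIdLogin.Enabled -ne $true) {
    throw "AlternateIdLogin is not enabled on policy $($policy.Id)"
}
if (-not $readBack.IsOrganizationDefault) {
    Write-Warning "Policy $($policy.Id) is not the organization default; it will not apply tenant-wide"
}
Write-Host "Verified: AlternateIdLogin enabled on policy $($policy.Id)"
```

Because an existing HRD policy may carry other settings in the same JSON document, review its current Definition before letting the script overwrite it.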
To test this feature, simply try to sign in via https://myprofile.microsoft.com using your SMTP Address instead. This should look and feel like a UPN sign-in.
That's it!
In these times, I ask you to keep your distance and protect each other!
/Viktor