Configure AD FS to use Email Address as Alternate Login ID – Case Study

Hello Experts,

Ahmad Yasin

Recently, I have seen some requests asking how to allow AD FS to authenticate against the email address instead of the username. To understand the concept better, let's imagine the scenario below:

The customer has Azure AD Connect syncing objects from the local Active Directory to Azure AD. When you deploy AD Connect with the Express settings, or with the customized settings shown below, AD Connect will choose the local userPrincipalName as the Azure AD user name:


So let's imagine that we have an internal user whose userPrincipalName is "Ahmad@AzureDummies.com", and that the email address of the same user is "Ahmad.Yasin@AzureDummies.com".

In the above scenario, with the AD Connect default configuration, when Ahmad tries to access the portal he needs to enter Ahmad@AzureDummies.com rather than his email address to log in. This often causes trouble for users, since they are used to entering their email address wherever they are asked to authenticate.

To solve this, some IT admins deploy AD Connect and choose the mail attribute as the Azure user name instead of userPrincipalName. That works fine as long as there is no AD FS in the environment.

The problem arises when the environment has AD FS redirecting users to authenticate against the local AD instead of Azure (Office 365). Assuming AD Connect is syncing the mail attribute as the Azure user name, the user enters their mail address, is redirected to AD FS, and AD FS receives the mail address and tries to authenticate it against AD. Unfortunately this fails, because AD FS cannot authenticate against AD using the mail attribute.

By default AD FS authenticates users based on their AD user names. To allow AD FS to authenticate a user by email address, it must be configured to use an alternate login ID (this is based on my knowledge, and I am not sure whether there is another method to achieve it). To do that, run the command below on the AD FS server:

Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests dummieslab.local

After that, the user will be able to authenticate against the local AD using Ahmad.Yasin@AzureDummies.com instead of Ahmad@AzureDummies.com.
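The following script is an added example and not part of the original post. It checks the lookup forest for users whose mail attribute is empty or shared by more than one account (either condition makes the email sign-in fail for the affected users), then applies the Alternate Login ID setting from the post and reads it back. It assumes the ActiveDirectory and ADFS PowerShell modules are installed and that dummieslab.local is the lookup forest, as in the post.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# ADFS modules are available and that "dummieslab.local" is the lookup forest.
Import-Module ActiveDirectory
Import-Module ADFS

$LookupForest = 'dummieslab.local'

# 1. Enabled users with no mail value cannot sign in by email once AD FS
#    resolves the login ID against the mail attribute.
$users = Get-ADUser -Server $LookupForest -Filter 'Enabled -eq $true' `
    -Properties mail, userPrincipalName
$noMail = @($users | Where-Object { -not $_.mail })

# 2. A mail value shared by several users gives an ambiguous lookup, so the
#    alternate-ID sign-in fails for all of them.
$dupMail = @($users | Where-Object { $_.mail } |
    Group-Object -Property { $_.mail.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 })

Write-Host "Enabled users without a mail attribute: $($noMail.Count)"
$noMail | Select-Object SamAccountName, userPrincipalName | Format-Table -AutoSize
Write-Host "Duplicate mail values: $($dupMail.Count)"
$dupMail | ForEach-Object { '{0} -> {1}' -f $_.Name, ($_.Group.SamAccountName -join ', ') }

if ($noMail.Count -eq 0 -and $dupMail.Count -eq 0) {
    # 3. Enable Alternate Login ID on the Active Directory claims provider trust
    #    (the same command the post gives).
    Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
        -AlternateLoginID mail -LookupForests $LookupForest

    # 4. Read the setting back to confirm what AD FS will now use.
    Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
        Select-Object AlternateLoginID, LookupForests
}
else {
    Write-Warning 'Fix the mail attribute issues listed above before enabling Alternate Login ID.'
}

# Rollback to UPN-based sign-in, as documented in the Microsoft article on
# alternate login ID:
# Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID $null -LookupForests $null
```

The check covers a single forest; if you pass several forests to -LookupForests, run the attribute checks against each of them, since a mail value that is unique within one forest may still collide with an account in another.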

Important Notes:

  1. For more information on how to change AD FS to use mail instead of UPN, please read this carefully, as there are side effects and limitations: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id ; in the same article you will find the command to roll back from mail to UPN. https://blogs.office.com/2015/03/23/office-2013-modern-authentication-public-preview-announced/
  2. Changing AD Connect to use mail instead of UPN has some limitations, as mentioned here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id
  3. Running Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests dummieslab.local will affect all federated domains in AD FS.
  4. Changing AD Connect to use mail instead of UPN will affect all synced users.

Ahmad Yasin (MCSA office 365, MCSE, Messaging, Azure certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the owner and publisher of the AzureDummies blog. He also holds many certificates in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA Office 365.
