[AzureAD] Incorporate PM review feedback

Author: iainfoulds

articles/active-directory/authentication/TOC.yml

@@ -138,8 +138,8 @@
       href: howto-password-ban-bad-on-premises-agent-versions.md
   - name: Use SMS-based authentication (preview)
     href: howto-authentication-sms-signin.md
-  - name: Use alternate email address sign-in (preview)
-    href: howto-authentication-use-alternate-email-signin.md
+  - name: Use email address sign-in (preview)
+    href: howto-authentication-use-email-signin.md
   - name: Azure AD smart lockout
     href: howto-password-smart-lockout.md
   - name: Certificate-based authentication

articles/active-directory/authentication/howto-authentication-use-alternate-email-signin.md renamed to articles/active-directory/authentication/howto-authentication-use-email-signin.md

@@ -1,61 +1,56 @@
 ---
-title: Alternate email user sign-in for Azure Active Directory
-description: Learn how to configure and enable users to sign in to Azure Active Directory using alternate email address (preview)
+title: Email address user sign in for Azure Active Directory
+description: Learn how to configure and enable users to sign in to Azure Active Directory using their email address (preview)
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 05/11/2020
+ms.date: 05/21/2020
 
 ms.author: iainfou
 author: iainfoulds
 manager: daveba
 ms.reviewer: scottsta
 
 ---
-# Configure user sign-in with an alternate email address in Azure Active Directory (preview)
+# Sign-in to Azure with an email address instead of the UPN (preview)
 
-Many organizations want to use hybrid authentication to allow their users to sign in directly to Azure Active Directory (Azure AD). With hybrid authentication, users have the same sign-in credentials in an on-premises environment and in the cloud. However, hybrid authentication may currently be blocked in your environment because of the following reasons:
+Many organizations want to move to hybrid authentication to allow their users to sign in directly to Azure Active Directory (Azure AD). With hybrid authentication, users have the same sign-in credentials in an on-premises environment and in the cloud. However, some organizations haven’t moved to hybrid authentication because of the following reasons:
 
-* For best compatibility, you require the user principle name (UPN) for the user to be identical in the on-premises directory and in Azure AD.
-    * Azure AD requires users to sign in with their Azure AD UPN.
-* Your users can't sign in with their UPN because they don't know, can't remember, or just don't associate with their UPN.
-    * Especially for large organizations with multiple subsidiaries or acquired companies, users may not be allowed to use an account with the parent company as part of their UPN.
+* To get the best compatibility across all workflows, you want to synchronize the Azure AD user principle name (UPN) to the same UPN value used in your on-premises directory.
+* Your organization doesn't use your on-premises UPN to sign in.
+* Azure AD requires users to sign in with their Azure AD UPN
 
-For these scenarios and more, you can now use the preview for Azure AD user sign-in with an alternate email address. With this approach, you enable your users to sign in with their well-known email address in the cloud, just like they do in your on-premises network. Users only need to know their email address, not their UPN.
+Azure now allows you to configure sign in with email or UPN values. With this approach, you enable your users to sign in with any email address set in their *ProxyAddresses*. Users only need to know their email address, not their UPN.
 
 |     |
 | --- |
-| Alternate email authentication for users is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)|
+| Sign in to Azure with your email address is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)|
 |     |
 
 ## Overview of User Principal Names (UPNs)
 
-User Principal Names (UPNs) act as a unique identifier for a user account. Each user account must be represented in a directory by this UPN, and is typically used during sign-in events.
+User Principal Names (UPNs) act as a unique identifier for a user account in both your on-premises directory, and in Azure Active Directory. Each user account in a directory is represented by a UPN.
 
-For some scenarios, the UPN isn't employee-friendly and an organization may want to enable sign in with an alternate ID. The following examples outline some of these scenarios:
+Many organizations have users sign in to Azure AD applications and services with their UPN. However, some organizations can't use the UPN for sign-in due to business policies or user experience issues.
 
-* The UPN username is constructed from elements such as initials and employee numbers.
-    * For example: `[email protected]`
+Organizations that can't use the UPN for user sign-in with Azure AD have a few options:
 
-* The UPN domain is constructed from multiple values or is otherwise awkward.
-    * For example: `[email protected]`
-
-* Your organization has multiple subsidiaries or acquired companies and users may not even know their domain or associate strongly with the parent company.
-    * For example: `[email protected]`
-
-One alternative to these scenarios is for users to sign in with their email address. With this approach, users sign in to Azure AD with their email address, and makes sure that the UPN for that user is identical in the on-premises AD DS and in Azure AD.
+* One approach is to set the Azure AD UPN to the value of the user's email. This approach lets users  sign in to Azure using their email address.
+    * Not all workflows are compatible with using a different value for the on-premises UPN and the Azure AD UPN.
+* A better approach is to ensure the cloud and on-premises UPNs are set to the same value, and configure Azure to accept the user's email as an alternate login ID.
+    * In this configuration, users can still sign in by entering their UPN, but can also sign in by entering any email defined in their *ProxyAddresses* that supports one or more emails.
 
 ## Synchronize users sign-in email to Azure AD
 
 Traditional Active Directory Domain Services (AD DS) or Active Directory Federation Services (AD FS) authentication happens directly on your network and is handled by your AD DS infrastructure. With hybrid authentication, users to sign in directly to Azure AD.
 
-You can synchronize your on-premises AD DS environment to Azure AD using [Azure AD Connect][azure-ad-connect] and configure it to use Password Hash Sync or Pass-Through Authentication. In both cases, the user submits their username and password to Azure AD, which validate the credentials and issues a ticket. This validation directly in Azure AD removes the need for your organization to host and manage an AD FS infrastructure.
+You can synchronize your on-premises AD DS environment to Azure AD using [Azure AD Connect][azure-ad-connect] and configure it to use Password Hash Sync or Pass-Through Authentication. In both cases, the user submits their username and password to Azure AD, which validates the credentials and issues a ticket. Having users sign in directly to Azure AD removes the need for your organization to host and manage an AD FS infrastructure.
 
-![Diagram of Azure AD hybrid identity with password hash synchronization](media/howto-authentication-use-alternate-email-signin/hybrid-password-hash-sync.png)
+![Diagram of Azure AD hybrid identity with password hash synchronization](media/howto-authentication-use-email-signin/hybrid-password-hash-sync.png)
 
-![Diagram of Azure AD hybrid identity with pass-through authentication](media/howto-authentication-use-alternate-email-signin/hybrid-pass-through-authentication.png)
+![Diagram of Azure AD hybrid identity with pass-through authentication](media/howto-authentication-use-email-signin/hybrid-pass-through-authentication.png)
 
 For more information, see [Choose the right authentication method for your Azure AD hybrid identity solution][hybrid-auth-methods].
 
@@ -66,11 +61,11 @@ One of the user attributes that's automatically synchronized by Azure AD Connect
 >
 > For more information, see [Add and verify a custom domain name in Azure AD][verify-domain].
 
-## Enable sign-in with alternate email
+## Enable user sign-in with an email address
 
-Once your users with the *ProxyAddresses* attribute set are synchronized to Azure AD using Azure AD Connect, you need to enable sign in with an alternate email for your tenant. This feature tells the Azure AD login servers to not only check the sign-in name against your UPN values, but also against your *ProxyAddresses* values for the alternate email address
+Once your users with the *ProxyAddresses* attribute set are synchronized to Azure AD using Azure AD Connect, you need to enable the feature for users to sign in with an email address for your tenant. This feature tells the Azure AD login servers to not only check the sign-in name against your UPN values, but also against your *ProxyAddresses* values for the email address.
 
-During preview, you can currently only enable the alternate email user sign-in feature using PowerShell. You need *tenant administrator* permissions to complete the following steps:
+During preview, you can currently only enable the email address user sign-in feature using PowerShell. You need *tenant administrator* permissions to complete the following steps:
 
 1. Open an PowerShell session as an administrator, then install the *AzureADPreview* module using the [Install-Module][Install-Module] cmdlet:
 
@@ -147,15 +142,15 @@ During preview, you can currently only enable the alternate email user sign-in f
     Get-AzureADPolicy | where-object {$_.Type -eq "HomeRealmDiscoveryPolicy"} | fl *
     ```
 
-## Test alternate email sign-in
+## Test user sign-in with email
 
-To test alternate email address sign-in works for a user, browse to [https://myprofile.microsoft.com][my-profile] and sign in with a user account based on their alternate email address, not their UPN. The sign-in experience should look and feel the same as with a UPN-based sign-in event.
+To test email address sign-in works for a user, browse to [https://myprofile.microsoft.com][my-profile] and sign in with a user account based on their email address, not their UPN. The sign-in experience should look and feel the same as with a UPN-based sign-in event.
 
 ## Troubleshoot
 
-If users have trouble with sign-in using the alternate email address, review the following troubleshooting steps:
+If users have trouble with sign-in using their email address, review the following troubleshooting steps:
 
-1. Make sure the user account has their alternate email address set for the *ProxyAddresses* attribute in the on-prem AD DS environment.
+1. Make sure the user account has their email address set for the *ProxyAddresses* attribute in the on-prem AD DS environment.
 1. Verify that Azure AD Connect is configured and successfully synchronizes user accounts frm the on-prem AD DS environment into Azure AD.
 1. Confirm that the Azure AD *HomeRealmDiscoveryPolicy* policy has the *AlternateIdLogin* attribute set to *"Enabled": true*: