articles/active-directory/authentication/howto-authentication-use-email-signin.md
Lines changed: 10 additions & 6 deletions
@@ -16,12 +16,14 @@ ms.reviewer: scottsta
16
16
---
17
17
# Sign-in to Azure with an email address instead of the UPN (preview)
18
18
19
-
Many organizations want to let their users sign in to Azure Active Directory (Azure AD) using the same sign-in credentials as their on-premises directory environment. With this approach, hybrid authentication, users only need to remember one set of credentials - their user principle name (UPN). Some organizations haven't moved to hybrid authentication for the following reasons:
19
+
Many organizations want to let users sign in to Azure Active Directory (Azure AD) using the same credentials as their on-premises directory environment. With this approach, hybrid authentication, users only need to remember one set of credentials - their user principle name (UPN), such as `contoso\balas`.
20
20
21
-
* For the best compatibility across applications and services, the Azure AD UPN is set to the same UPN value used in your on-premises directory.
21
+
Some organizations haven't moved to hybrid authentication for the following reasons:
22
+
23
+
* For the best compatibility across applications and services, by default the Azure AD UPN is set to the same UPN value used in your on-premises directory.
22
24
* Due to business or compliance reasons, your organization doesn't use the on-premises UPN to sign in.
23
25
24
-
Azure AD previously required all users to sign in with their UPN. To help customers simplify their approach to hybrid authentication, you to configure Azure AD to allow users to sign in with their email address. With this approach, you enable your users to sign in with any email address set in their *ProxyAddresses* attribute. To sign in, users only need to know their email address, not their UPN.
26
+
Azure AD previously required all users to sign in with their UPN. To help customers simplify their approach to hybrid authentication, you can now configure Azure AD to let users sign in using their email address. To sign in, users would only need to know their email address, not their UPN.
25
27
26
28
||
27
29
| --- |
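Review bot: the example added on new line 19, `contoso\balas`, is not a UPN. `DOMAIN\username` is the down-level (NetBIOS) logon name; a user principal name has the form `user@domain`, for example `balas@contoso.com`. Because the whole article turns on the difference between signing in with the UPN and signing in with an email address, an example that is neither will confuse readers; replace it with a `user@domain` value. On the same line, "user principle name" should be "user principal name" (the old line had the same typo, so this is the moment to fix it). Also, the rewrite on new line 26 drops the old sentence "you enable your users to sign in with any email address set in their *ProxyAddresses* attribute"; that sentence states the actual effect of enabling the feature (every address in *ProxyAddresses* becomes an accepted sign-in name), which is what an admin needs to weigh before turning it on, so keep it here or make sure it survives later in the article. Finally, "users would only need to know" reads better as "users only need to know".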
@@ -45,21 +47,23 @@ Organizations that can't use the UPN for user sign-in with Azure AD have a few o
45
47
46
48
Traditional Active Directory Domain Services (AD DS) or Active Directory Federation Services (AD FS) authentication happens directly on your network and is handled by your AD DS infrastructure. With hybrid authentication, users can instead sign in directly to Azure AD.
47
49
48
-
To support this hybrid authentication approach, you synchronize your on-premises AD DS environment to Azure AD using [Azure AD Connect][azure-ad-connect] and configure it to use Password Hash Sync (PHS) or Pass-Through Authentication (PTA). In both configuration options, the user submits their username and password to Azure AD, which validates the credentials and issues a ticket. When users sign in directly to Azure AD, it removes the need for your organization to host and manage an AD FS infrastructure.
50
+
To support this hybrid authentication approach, you synchronize your on-premises AD DS environment to Azure AD using [Azure AD Connect][azure-ad-connect] and configure it to use Password Hash Sync (PHS) or Pass-Through Authentication (PTA).
51
+
52
+
In both configuration options, the user submits their username and password to Azure AD, which validates the credentials and issues a ticket. When users sign in to Azure AD, it removes the need for your organization to host and manage an AD FS infrastructure.
49
53
50
54

51
55
52
56

53
57
54
-
For more information, see [Choose the right authentication method for your Azure AD hybrid identity solution][hybrid-auth-methods].
55
-
56
58
One of the user attributes that's automatically synchronized by Azure AD Connect is *ProxyAddresses*. If users have a sign-in email address set in the on-prem AD DS environment as part of the *ProxyAddresses* attribute, it's automatically synchronized to Azure AD. This email address can then be used directly in the Azure AD sign-in process.
57
59
58
60
> [!IMPORTANT]
59
61
> Only emails in verified domains for the tenant are synchronized to the cloud. Each Azure AD tenant has one or more verified domains, for which you have proven ownership, and are uniquely bound to you tenant.
60
62
>
61
63
> For more information, see [Add and verify a custom domain name in Azure AD][verify-domain].
62
64
65
+
For more information, see [Choose the right authentication method for your Azure AD hybrid identity solution][hybrid-auth-methods].
66
+
63
67
## Enable user sign-in with an email address
64
68
65
69
Once users with the *ProxyAddresses* attribute applied are synchronized to Azure AD using Azure AD Connect, you need to enable the feature for users to sign in with an email address for your tenant. This feature tells the Azure AD login servers to not only check the sign-in name against UPN values, but also against *ProxyAddresses* values for the email address.
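Review bot: new line 52 says Azure AD "validates the credentials and issues a ticket". Azure AD issues tokens (OAuth 2.0 / OpenID Connect or SAML); "ticket" is Kerberos/AD DS vocabulary, and in a paragraph that contrasts on-premises AD DS / AD FS authentication with signing in to Azure AD the wrong word blurs exactly the distinction being drawn. Suggest "issues a token". The same line also drops "directly" from "When users sign in directly to Azure AD", which was the point of the sentence (no AD FS in the path); restore it. Moving the "For more information, see [Choose the right authentication method for your Azure AD hybrid identity solution][hybrid-auth-methods]" link to new line 65, after the `[!IMPORTANT]` block about verified domains, makes it read as a follow-up to the domain-verification note rather than to the PHS/PTA paragraph it belongs to; keep it immediately after new line 52. While this block is being edited, context line 61 has "bound to you tenant" (should be "your tenant").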