Sign in to Azure AD using email as an alternate sign-in ID - Microsoft Sign In (2023)


Note

Signing in to Azure AD with email as an alternate sign-in ID is a public preview feature of Azure Active Directory. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Many organizations want to allow users to sign in to Azure Active Directory (Azure AD) with the same credentials as their on-premises directory environment. This approach, known as hybrid authentication, requires users to remember only one set of credentials.

Some organizations have not migrated to hybrid authentication for the following reasons:

  • By default, the Azure AD User Principal Name (UPN) is set to the same value as the on-premises UPN.
  • Changing the Azure AD UPN creates a mismatch between on-premises and Azure AD environments that can cause issues with specific applications and services.
  • For business or compliance reasons, the organization doesn't want to use the on-premises UPN to sign in to Azure AD.

To transition to hybrid authentication, you can configure Azure AD to allow users to sign in using their email address as an alternate sign-in ID. For example, when Contoso was renamed to Fabrikam, instead of continuing to enter the legacy ana@contoso.com UPN, email as an alternate sign-in ID can be used. To access an application or service, users sign in to Azure AD with their non-UPN email address, such as ana@fabrikam.com.


This article will show you how to enable and use email as an alternate sign-in ID.

Before you begin

Here's what you need to know about email as an alternate login ID:

  • The feature is available in the free edition of Azure AD and higher.
  • The feature enables sign-in with ProxyAddresses, in addition to the UPN, for cloud-authenticated Azure AD users. For how this applies to Azure AD business-to-business (B2B) collaboration, see the B2B section.
  • When a user signs in with a non-UPN email, the unique_name and preferred_username claims (if present) in the ID token return the non-UPN email.
    • If the non-UPN email used is stale (no longer owned by the user), these claims return the UPN.
  • The feature supports managed authentication with Password Hash Sync (PHS) or Pass-Through Authentication (PTA).
  • There are two ways to configure the feature:
    • Home Realm Discovery (HRD) policy - Use this option to enable the feature for the entire tenant. Global Administrator rights required.
    • Staged rollout policy - Use this option to test the feature with specific Azure AD groups. Global Administrator rights required. When you first add a security group for staged rollout, you are limited to 200 users to avoid a UX timeout. After adding the group, you can add more users directly to the group if needed.

Preview limitations

In the current preview state, the following limitations apply to email as an alternate login ID:

  • User experience - Users can see their UPN even if they signed in with their non-UPN email address. The following example behavior can be seen:

    • The user is prompted to sign in with UPN when redirected to Azure AD sign-in with login_hint=<non-UPN email>.
    • If a user signs in with a non-UPN email address and enters an incorrect password, the "Enter your password" page changes to show the UPN.
    • On some Microsoft websites and applications, such as Microsoft Office, the Account Manager control that normally appears in the top-right corner may show the user's UPN instead of the non-UPN email used to sign in.
  • Unsupported flows - Some flows currently do not support non-UPN email, such as the following:

    • Identity Protection does not match non-UPN emails with the Leaked Credentials risk detection. This risk detection uses the UPN to match the leaked credentials. For more information, see How To: Investigate risk.
    • If a user is logged in with a non-UPN email address, they cannot change their password. Azure AD Self-Service Password Reset (SSPR) should work as expected. During SSPR, the user can see their UPN when they verify their identity with a non-UPN email.
  • Unsupported scenarios - The following scenarios are not supported. Sign-in with a non-UPN email for:

    • Hybrid Azure AD joined devices
    • Azure AD joined devices
    • Azure AD registered devices
    • Resource Owner Password Credentials (ROPC)
    • Legacy authentication such as POP3 and SMTP
    • Skype for Business
  • Unsupported applications - Some third-party apps may not work as expected when they assume that the unique_name or preferred_username claims are immutable or always match a specific user attribute such as UPN.

  • Logging - Changes to the feature's configuration in HRD policy are not explicitly reflected in audit logs.

  • Staged rollout policy - The following limitations apply only when the feature is enabled using the staged rollout policy:

    • The feature does not work as expected for users included in other staged rollout policies.
    • The staged rollout policy supports a maximum of 10 groups per feature.
    • The staged rollout policy does not support nested groups.
    • The staged rollout policy doesn't support dynamic groups.
    • Contact objects within the group prevent the group from being added to a staged rollout policy.
  • Duplicate values - In a tenant, a cloud-only user's UPN can have the same value as the proxy address of another user syncing from the on-premises directory. In this scenario, the cloud-only user cannot sign in with their UPN when the feature is enabled. More on this topic in the Troubleshoot section.

Overview of alternate login ID options

To sign in to Azure AD, users enter a value that uniquely identifies their account. In the past, you could only use the Azure AD UPN as a sign-in ID.

For organizations where the on-premises UPN is the user's preferred sign-in email address, this approach was great. These organizations would set the Azure AD UPN to exactly the same value as the on-premises UPN and users would have a consistent sign-in experience.


Alternate login ID for AD FS

However, in some organizations, the on-premises UPN is not used as a sign-in identifier. In on-premises environments, you would configure on-premises AD DS to allow sign-in with an alternate login ID. Setting the Azure AD UPN to the same value as the on-premises UPN is not an option, as Azure AD would then require users to sign in with that value.

Alternate ID for signing in to Azure AD Connect

The typical solution to this problem was to set the Azure AD UPN to the email address the user expects to sign in with. This approach works, although it results in different UPNs between on-premises AD and Azure AD, and this configuration is not supported for all Microsoft 365 workloads.

Email as an alternative login ID

Another approach is to sync Azure AD and on-premises UPNs with the same value, and then configure Azure AD to allow users to sign in to Azure AD with a verified email address. To provide this functionality, you define one or more email addresses in the user's ProxyAddresses attribute in the on-premises directory. ProxyAddresses are then automatically synchronized with Azure AD via Azure AD Connect.

Option | Description
Alternate login ID for AD FS | Enable sign-in with an alternate attribute (e.g. email) for AD FS users.
Alternate ID for signing in to Azure AD Connect | Sync an alternate attribute (e.g. email) as the Azure AD UPN.
Email as an alternate login ID | Enable sign-in with verified domain ProxyAddresses for Azure AD users.

Sync sign-in email addresses to Azure AD

Traditional Active Directory Domain Services (AD DS) or Active Directory Federation Services (AD FS) authentication occurs directly on your network and is managed by the AD DS infrastructure. Hybrid authentication allows users to sign in directly to Azure AD.

To support this hybrid authentication approach, synchronize your on-premises AD DS environment with Azure AD using Azure AD Connect and configure it to use PHS or PTA. For more information, see Choose the right authentication method for your Azure AD hybrid identity solution.

With both configuration options, the user submits their username and password to Azure AD, which validates the credentials and issues a ticket. When users sign in to Azure AD, your organization doesn't need to host and manage an AD FS infrastructure.

One of the user attributes that is automatically synced by Azure AD Connect is ProxyAddresses. If users have an email address registered in the on-premises AD DS environment as part of the ProxyAddresses attribute, it is automatically synced to Azure AD. This email address can be used as an alternate sign-in ID directly in the Azure AD sign-in process.

Important

Only emails in verified domains for the tenant are synced to Azure AD. Each Azure AD tenant has one or more verified domains that you have proven ownership of and that are uniquely associated with your tenant.

For more information, see Add and verify a custom domain name in Azure AD.

B2B guest user login with an email address


Email as an alternate login ID applies to Azure AD B2B collaboration under a "bring your own sign-in identifiers" model. If email is enabled as an alternate sign-in ID in the home tenant, Azure AD users can perform guest sign-in using non-UPN email on the resource tenant endpoint. No action is required from the resource tenant to enable this functionality.

Enable user login with an email address

Note

This configuration option uses the HRD policy. For more information, see homeRealmDiscoveryPolicy resource type.

Once users with the ProxyAddresses attribute applied are synced to Azure AD via Azure AD Connect, you must enable the feature to allow users to sign in using email as an alternate sign-in ID for your tenant. This feature instructs the Azure AD login servers to validate the sign-in ID not only against UPN values, but also against ProxyAddresses values for the email address.

During the preview you need Global Administrator permissions to enable sign-in using email as an alternate sign-in ID. You can configure the feature using the Azure portal or PowerShell.

Azure portal

  1. Sign in to the Azure portal as a Global Administrator.

  2. Search for and select Azure Active Directory.

  3. From the navigation menu on the left side of the Azure Active Directory window, select Azure AD Connect > Email as alternate login ID.

  4. Click the check box next to Email as an alternate login ID.

  5. Click Save.

Once the policy is applied, it can take up to an hour for it to propagate and allow users to sign in with their alternate sign-in ID.

PowerShell

During preview, you can currently only enable email as an alternate sign-in ID using PowerShell or the Microsoft Graph API. You need Global Administrator privileges to perform the following steps:

  1. Open a PowerShell session as an administrator and install the Microsoft.Graph module with the Install-Module cmdlet:

    Install-Module Microsoft.Graph

    For more information on installation, see Install the Microsoft Graph PowerShell SDK.

  2. Sign in to your Azure AD tenant with the Connect-MgGraph cmdlet:

    Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration" -TenantId organizations

    The command will ask you to authenticate yourself through a web browser.

  3. Check whether a HomeRealmDiscoveryPolicy already exists in your tenant using the Get-MgPolicyHomeRealmDiscoveryPolicy cmdlet as follows:

    Get-MgPolicyHomeRealmDiscoveryPolicy
  4. If no policy is currently configured, the command returns nothing. If a policy is returned, skip this step and go to the next step to update an existing policy.

    To add the HomeRealmDiscoveryPolicy to the tenant, use the New-MgPolicyHomeRealmDiscoveryPolicy cmdlet and set the AlternateIdLogin attribute to "Enabled": true as shown in the following example:

    # Policy definition: a single compressed JSON string inside an array
    $AzureADPolicyDefinition = @(
      @{
         "HomeRealmDiscoveryPolicy" = @{
            "AlternateIdLogin" = @{
               "Enabled" = $true
            }
         }
      } | ConvertTo-JSON -Compress
    )

    # Parameters for the new tenant-wide (organization default) policy
    $AzureADPolicyParameters = @{
      Definition            = $AzureADPolicyDefinition
      DisplayName           = "BasicAutoAccelerationPolicy"
      AdditionalProperties  = @{ IsOrganizationDefault = $true }
    }

    New-MgPolicyHomeRealmDiscoveryPolicy @AzureADPolicyParameters

    If the policy is successfully created, the command returns the ID of the policy, as shown in the following sample output:

    Definition                                                           DeletedDateTime Description DisplayName                 Id            IsOrganizationDefault
    ----------                                                           --------------- ----------- -----------                 --            ---------------------
    {{"HomeRealmDiscoveryPolicy":{"AlternateIdLogin":{"Enabled":true}}}}                             BasicAutoAccelerationPolicy HRD_POLICY_ID True
  5. If a policy is already configured, verify that the AlternateIdLogin attribute is enabled, as shown in the following sample policy output:

    Definition                                                           DeletedDateTime Description DisplayName                 Id            IsOrganizationDefault
    ----------                                                           --------------- ----------- -----------                 --            ---------------------
    {{"HomeRealmDiscoveryPolicy":{"AlternateIdLogin":{"Enabled":true}}}}                             BasicAutoAccelerationPolicy HRD_POLICY_ID True

    If the policy exists but the AlternateIdLogin attribute isn't present or enabled, or if there are other attributes in the policy that you want to keep, update the existing policy using the Update-MgPolicyHomeRealmDiscoveryPolicy cmdlet.

    Important

    When updating the policy, be sure to include all old settings and the new AlternateIdLogin attribute.

    The following example adds the AlternateIdLogin attribute and preserves the AllowCloudPasswordValidation attribute that was previously defined:

    # Definition carries both the existing setting and the new one
    $AzureADPolicyDefinition = @(
      @{
         "HomeRealmDiscoveryPolicy" = @{
            "AllowCloudPasswordValidation" = $true
            "AlternateIdLogin" = @{
               "Enabled" = $true
            }
         }
      } | ConvertTo-JSON -Compress
    )

    # Replace HRD_POLICY_ID with the Id returned by Get-MgPolicyHomeRealmDiscoveryPolicy
    $AzureADPolicyParameters = @{
      HomeRealmDiscoveryPolicyId = "HRD_POLICY_ID"
      Definition                 = $AzureADPolicyDefinition
      DisplayName                = "BasicAutoAccelerationPolicy"
      AdditionalProperties       = @{ "IsOrganizationDefault" = $true }
    }

    Update-MgPolicyHomeRealmDiscoveryPolicy @AzureADPolicyParameters

    Confirm that the updated policy reflects your changes and that the AlternateIdLogin attribute is now enabled:

    Get-MgPolicyHomeRealmDiscoveryPolicy

Note

Once the policy is applied, it can take up to an hour for it to propagate and allow users to sign in using email as an alternate sign-in ID.
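The merge that the Important note in step 5 calls for, as an added example (not code from the original article): it takes an existing policy definition, switches AlternateIdLogin on, and keeps every other setting. The function name Merge-AlternateIdLogin and the sample definition are constructed for illustration; the previous definition is returned alongside the new one so it can be kept as a change record, since HRD policy changes are not explicitly reflected in audit logs.

```powershell
# Added example, not from the original article.
# Merge-AlternateIdLogin is a hypothetical helper name.

function Merge-AlternateIdLogin {
    [CmdletBinding()]
    param(
        # One JSON string, as shown in the Definition column of
        # Get-MgPolicyHomeRealmDiscoveryPolicy.
        [Parameter(Mandatory)] [string] $DefinitionJson,
        [bool] $Enabled = $true
    )

    $definition = $DefinitionJson | ConvertFrom-Json

    # Refuse to guess when the JSON is not an HRD policy definition.
    $hrdProperty = $definition.PSObject.Properties['HomeRealmDiscoveryPolicy']
    if (-not $hrdProperty -or
        $hrdProperty.Value -isnot [System.Management.Automation.PSCustomObject]) {
        throw "Definition has no HomeRealmDiscoveryPolicy object."
    }
    $hrd = $hrdProperty.Value

    # Names of the settings that exist before the merge (for the change record).
    $existing = @($hrd.PSObject.Properties | ForEach-Object { $_.Name })

    $altProperty = $hrd.PSObject.Properties['AlternateIdLogin']
    if ($altProperty -and
        $altProperty.Value -is [System.Management.Automation.PSCustomObject]) {
        # AlternateIdLogin already exists: change only its Enabled flag.
        $alt = $altProperty.Value
        if ($alt.PSObject.Properties['Enabled']) {
            $alt.Enabled = $Enabled
        }
        else {
            $alt | Add-Member -NotePropertyName Enabled -NotePropertyValue $Enabled
        }
    }
    else {
        # Absent (or not an object): add it next to the existing settings.
        $hrd | Add-Member -NotePropertyName AlternateIdLogin `
                          -NotePropertyValue ([pscustomobject]@{ Enabled = $Enabled }) `
                          -Force
    }

    [pscustomobject]@{
        ExistingSettings   = $existing
        PreviousDefinition = $DefinitionJson
        Definition         = $definition | ConvertTo-Json -Compress -Depth 10
    }
}

# Constructed input: a policy that already carries AllowCloudPasswordValidation,
# the setting the article's update example preserves.
$current = '{"HomeRealmDiscoveryPolicy":{"AllowCloudPasswordValidation":true}}'
$merged  = Merge-AlternateIdLogin -DefinitionJson $current
$merged | Format-List

# Against a tenant, the merged value is what goes into the Definition parameter
# of the article's update example ("HRD_POLICY_ID" is the article's placeholder):
#   $policy = Get-MgPolicyHomeRealmDiscoveryPolicy -HomeRealmDiscoveryPolicyId "HRD_POLICY_ID"
#   $merged = Merge-AlternateIdLogin -DefinitionJson $policy.Definition[0]
#   Update-MgPolicyHomeRealmDiscoveryPolicy -HomeRealmDiscoveryPolicyId "HRD_POLICY_ID" `
#       -Definition @($merged.Definition) -DisplayName $policy.DisplayName
```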

Remove policies

To remove an HRD policy, use the Remove-MgPolicyHomeRealmDiscoveryPolicy cmdlet:

Remove-MgPolicyHomeRealmDiscoveryPolicy -HomeRealmDiscoveryPolicyId "HRD_POLICY_ID"

Enable staged rollout to test user sign-in with an email address

Note

This configuration option uses the staged rollout policy. For more information, see featureRolloutPolicy resource type.

The staged rollout policy allows tenant admins to enable features for specific Azure AD groups. We recommend that tenant admins use staged rollout to test user sign-in with an email address. When admins are ready to deploy this feature across the tenant, they should use the HRD policy.

You need Global Administrator permissions to perform the following steps:

  1. Open a PowerShell session as an administrator and install the AzureADPreview module with the Install-Module cmdlet:

    Install-Module AzureADPreview

    If prompted, select Y to install NuGet or to install from an untrusted repository.

  2. Sign in to your Azure AD tenant as a Global Administrator using the Connect-AzureAD cmdlet:

    Connect-AzureAD

    The command returns information about your account, your environment, and your tenant ID.

  3. List all existing staged rollout policies using the following cmdlet:

    Get-AzureADMSFeatureRolloutPolicy
  4. If no staged rollout policies exist for this feature, create a new staged rollout policy and note the policy ID:

    $AzureADMSFeatureRolloutPolicy = @{
       Feature     = "EmailAsAlternateId"
       DisplayName = "EmailAsAlternateId Rollout Policy"
       IsEnabled   = $true
    }
    New-AzureADMSFeatureRolloutPolicy @AzureADMSFeatureRolloutPolicy
  5. Find the directoryObject ID for the group to add to the staged rollout policy. Note the returned value for the Id parameter because it will be used in the next step.

    Get-AzureADMSGroup -SearchString "Name of group to add to staging policy"
  6. Add the group to the staged rollout policy as shown in the example below. Replace the value in the -Id parameter with the value returned for the policy ID in step 4 and replace the value in the -RefObjectId parameter with the Id noted in step 5. It can take up to 1 hour before users in the group can sign in to Azure AD using email as an alternate sign-in ID.

    Add-AzureADMSFeatureRolloutPolicyDirectoryObject -Id "ROLLOUT_POLICY_ID" -RefObjectId "GROUP_OBJECT_ID"

New members added to the group may take up to 24 hours to be able to sign in to Azure AD using email as an alternate sign-in ID.

Remove groups

To remove a group from a staged rollout policy, run the following command:

Remove-AzureADMSFeatureRolloutPolicyDirectoryObject -Id "ROLLOUT_POLICY_ID" -ObjectId "GROUP_OBJECT_ID"

Remove policies

To remove a staged rollout policy, first disable the policy and then remove it from the system:

Set-AzureADMSFeatureRolloutPolicy -Id "ROLLOUT_POLICY_ID" -IsEnabled $false
Remove-AzureADMSFeatureRolloutPolicy -Id "ROLLOUT_POLICY_ID"

Test the user login with an email address

To test whether users can sign in via email, go to https://myprofile.microsoft.com and sign in with a non-UPN email, such as balas@fabrikam.com. The login experience should be similar to logging in with the UPN.

Troubleshoot

If users are having trouble signing in with their email address, check the following troubleshooting steps:

  1. Make sure at least 1 hour has passed since email was enabled as an alternate login ID. If the user was recently added to a staged rollout policy group, ensure that at least 24 hours have passed since the user was added to the group.

  2. When using the HRD policy, confirm that the Azure AD HomeRealmDiscoveryPolicy has the AlternateIdLogin definition property set to "Enabled": true and the IsOrganizationDefault property set to True:

    Get-AzureADPolicy | Where-Object Type -eq "HomeRealmDiscoveryPolicy" | Format-List *

    If you're using the staged rollout policy, confirm that the Azure AD FeatureRolloutPolicy has the IsEnabled property set to True:

    Get-AzureADMSFeatureRolloutPolicy
  3. Make sure the user account has its email address set in the ProxyAddresses attribute in Azure AD.

Sign-in logs

You can check the sign-in logs in Azure AD for more information. Sign-ins with email as an alternate sign-in ID emit proxyAddress in the Sign-in identifier type field and the entered username in the Sign-in identifier field.
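One way to use these two fields for monitoring, as an added example that is not part of the original article: it lists, per account, the non-UPN identifiers that were actually used to sign in, which is the information the UPN-only leaked credentials matching described under the preview limitations does not cover. The property names and the sample records are assumptions constructed for illustration, modelled on the field labels above.

```powershell
# Added example, not from the original article. The property names
# (userPrincipalName, signInIdentifier, signInIdentifierType, createdDateTime)
# are assumptions modelled on the sign-in log fields described above; adjust
# them to match the columns of your own export.

function Get-AlternateIdSignInSummary {
    param([Parameter(Mandatory)] [object[]] $SignIns)

    $SignIns |
        # Keep only sign-ins made with a proxy address (-eq ignores case).
        Where-Object { $_.signInIdentifierType -eq 'proxyAddress' } |
        # One group per account, keyed on the lower-cased UPN.
        Group-Object -Property { ([string]$_.userPrincipalName).ToLowerInvariant() } |
        ForEach-Object {
            $times = @($_.Group |
                ForEach-Object { [datetime]$_.createdDateTime } |
                Sort-Object)

            [pscustomobject]@{
                UserPrincipalName = $_.Name
                # Distinct non-UPN identifiers this account signed in with.
                AlternateIds      = @($_.Group |
                    ForEach-Object { ([string]$_.signInIdentifier).ToLowerInvariant() } |
                    Sort-Object -Unique)
                SignIns           = $_.Count
                FirstSeen         = $times[0]
                LastSeen          = $times[-1]
            }
        }
}

# Constructed sample records; the addresses follow the article's Contoso/Fabrikam example.
$sample = @'
[
  {"createdDateTime":"2023-01-10T08:01:00Z","userPrincipalName":"ana@contoso.com",
   "signInIdentifier":"ana@fabrikam.com","signInIdentifierType":"proxyAddress"},
  {"createdDateTime":"2023-01-10T09:15:00Z","userPrincipalName":"ana@contoso.com",
   "signInIdentifier":"ana@contoso.com","signInIdentifierType":"userPrincipalName"},
  {"createdDateTime":"2023-01-11T07:40:00Z","userPrincipalName":"Ana@contoso.com",
   "signInIdentifier":"Ana@Fabrikam.com","signInIdentifierType":"ProxyAddress"},
  {"createdDateTime":"2023-01-11T10:05:00Z","userPrincipalName":"balas@contoso.com",
   "signInIdentifier":"balas@fabrikam.com","signInIdentifierType":"proxyAddress"}
]
'@ | ConvertFrom-Json

Get-AlternateIdSignInSummary -SignIns $sample | Format-List
```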

Conflicting values between cloud-only and synced users

Within a tenant, a cloud-only user's UPN can take the same value as the proxy address of another user syncing from the on-premises directory. In this scenario, the cloud-only user cannot sign in with their UPN when the feature is enabled. Here are steps to spot instances of this problem.

  1. Open a PowerShell session as an administrator and install the AzureADPreview module with the Install-Module cmdlet:

    Install-Module AzureADPreview

    If prompted, select Y to install NuGet or to install from an untrusted repository.

  2. Sign in to your Azure AD tenant as a Global Administrator using the Connect-AzureAD cmdlet:

    Connect-AzureAD
  3. Get affected users.

    # Get all users
    $allUsers = Get-AzureADUser -All $true

    # Get list of proxy addresses of all synced users
    $syncedProxyAddresses = $allUsers |
        Where-Object {$_.ImmutableId} |
        Select-Object -ExpandProperty ProxyAddresses |
        ForEach-Object {$_ -Replace "smtp:", ""}

    # Get list of user principal names of all cloud-only users
    $cloudOnlyUserPrincipalNames = $allUsers |
        Where-Object {!$_.ImmutableId} |
        Select-Object -ExpandProperty UserPrincipalName

    # Get intersection of two lists
    $duplicateValues = $syncedProxyAddresses |
        Where-Object {$cloudOnlyUserPrincipalNames -Contains $_}
  4. To output affected users:

    # Output affected synced users
    $allUsers |
        Where-Object {$_.ImmutableId -And ($_.ProxyAddresses | Where-Object {($duplicateValues | ForEach-Object {"smtp:$_"}) -Contains $_}).Length -GT 0} |
        Select-Object ObjectId, DisplayName, UserPrincipalName, ProxyAddresses, ImmutableId, UserType

    # Output affected cloud-only users
    $allUsers |
        Where-Object {!$_.ImmutableId -And $duplicateValues -Contains $_.UserPrincipalName} |
        Select-Object ObjectId, DisplayName, UserPrincipalName, ProxyAddresses, ImmutableId, UserType
  5. To output affected users to CSV:

    # Output affected users to CSV
    $allUsers |
        Where-Object {
            ($_.ImmutableId -And ($_.ProxyAddresses | Where-Object {($duplicateValues | ForEach-Object {"smtp:$_"}) -Contains $_}).Length -GT 0) -Or
            (!$_.ImmutableId -And $duplicateValues -Contains $_.UserPrincipalName)
        } |
        Select-Object ObjectId, DisplayName, UserPrincipalName, @{n="ProxyAddresses"; e={$_.ProxyAddresses -Join ','}}, @{n="IsSyncedUser"; e={$_.ImmutableId.Length -GT 0}}, UserType |
        Export-Csv -Path .\AffectedUsers.csv -NoTypeInformation

Next Steps

For more information on hybrid identities such as Azure AD App Proxy or Azure AD Domain Services, see Hybrid Azure AD identity to access and manage on-premises workloads.

For more information on hybrid identity operations, see How password hash sync or pass-through authentication synchronization works.

FAQs

How to Sign in to Azure AD with email as an alternate login ID? ›

Sign in to the Azure portal as a Global Administrator. Search for and select Azure Active Directory. From the navigation menu on the left-hand side of the Azure Active Directory window, select Azure AD Connect > Email as alternate login ID.

How do I sign into my Azure AD with Microsoft account? ›

To enable users to sign in using a Microsoft account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.

How do I change my alternate ID in Azure AD Connect? ›

Alternate ID in Azure AD

Existing UPN cannot be changed due to local application dependencies or company policies. Azure AD and Office 365 require all domain suffixes associated with Azure AD directory to be fully internet routable.

How do I alternate email in Azure Active Directory? ›

Log in to your Azure AD portal with your administrator account credentials at https://portal.azure.com. Select Azure AD Connect. Under User Sign-In, select Email as alternate login ID . Enable Email as an alternate login ID, then click Save.

How do I log into my ad as a different user? ›

How do I login as a different user when Active Directory SSO is enabled?
  1. Hold 'Shift' and right-click on your browser icon on the Desktop/Windows Start Menu.
  2. Select 'Run as different user'.
  3. Enter the login credentials of the user you wish to use.
Jun 15, 2018

Can UPN and email be different? ›

Is a UPN the same as an email address? A UPN is not the same as the user's email address. In many cases they are the same value for ease of use, but UPN and email have different internal uses and are defined in different active directory attributes. The UPN can be adjusted by an administrator to a different value.

How do I change my user sign-in Azure AD? ›

Go to Azure Active Directory > Users and select a user. There are two ways to edit user profile details. Either select Edit properties from the top of the page or select Properties. After making any changes, select the Save button.

How do I change the user sign-in method in Azure AD Connect? ›

Changing the user sign-in method

Select Change user sign-in from the list of tasks. On the next page, you're asked to provide the credentials for Azure AD. On the User sign-in page, select the desired user sign-in.

Do you need a Microsoft account to sign up for Azure? ›

Do I need a Microsoft account to sign up for Azure? You can sign up with either a Microsoft account or a GitHub account.

What is alternate ID in Azure AD? ›

Alternate login ID allows you to configure a sign-in experience where users can sign-in with an attribute other than their UPN, such as mail. To enable Alternate login ID with Azure AD, no additional configurations steps are needed when using Azure AD Connect. Alternate ID can be configured directly from the wizard.

How do I change the default authentication on an Azure AD? ›

Browse to Azure Active Directory > Users > All users. Choose the user for whom you wish to add an authentication method and select Authentication methods. At the top of the window, select + Add authentication method. Select a method (phone number or email).

Can I change the UPN in Azure AD? ›

You can also change a user's UPN in the Azure AD admin center by changing their username. And you can change a UPN by using Microsoft PowerShell. A user's UPN (used for signing in) and email address can be different. If you just need to add a new email address for a user, you can add an alias without changing the UPN.

What is alternate email on Microsoft account? ›

An alias is another email address or phone number that works with the same account.
  1. Sign in to Manage how you sign in to Microsoft. ...
  2. Select Add email or Add phone number.
  3. Follow the instructions to add a new email address or phone number to your Microsoft account aliases.

Can I use email for Microsoft MFA? ›

Set up your email address from the Security info page

Depending on your organization's settings, you might be able to use your email address as one of your security info methods. Note: We recommend using an email address that doesn't require your network password to access.

How do I change my Microsoft account alternate email? ›

In the header, select your profile icon > My account > Security Info. In the Security info tab, select Add Method > Phone > Alternate Phone or Email to add details. To update your mobile, phone, and alternate email address details, select Change.

What is the difference between local login and domain login? ›

A local logon grants a user permission to access resources on the local computer or resources on networked computers. If the computer is joined to a domain, then the Winlogon functionality attempts to log on to that domain. A domain logon grants a user permission to access local and domain resources.

How do I change my ad account ID? ›

Go to Ads Manager. Select the account dropdown menu in the upper left. You should see your account name, followed by the account id number in parentheses. Choose a different ad account from the dropdown.

How do I log into a local account instead of a domain in Windows 10? ›

Switch your Windows 10 device to a local account
  1. Save all your work.
  2. In Start , select Settings > Accounts > Your info.
  3. Select Sign in with a local account instead.
  4. Type the user name, password, and password hint for your new account. ...
  5. Select Next,then select Sign out and finish.

Does UPN need to match email address? ›

The UPN doesn't need to match their email address, though it typically is their email address. Active Directory also keeps another field for email which may be blank based on the AD implementation. In 365, users log in with their UPN identifier rather than the value stored in their email field.

Why should UPN match email? ›

By convention, this should map to the user's email name. The point of the UPN is to consolidate the email and logon namespaces so that the user only needs to remember a single name.

What is the difference between userPrincipalName and email? ›

In Windows Active Directory, a User Principal Name (UPN) is the name of a system user in an email address format. A UPN (for example: john.doe@domain.com) consists of the user name (logon name), separator (the @ symbol), and domain name (UPN suffix). A UPN is not the same as an email address.

What happens if you change user logon name in Active Directory? ›

Changing user logon name should not have any impact. It will not change permissions, membership of user ( because user's SID remains unchanged). But some application can depend on user's former name, so checking one before make change to bulk users.

Which three authentication methods can Azure Active Directory users use to reset their password? ›

The following authentication methods are available for SSPR: Mobile app notification. Mobile app code. Email.

How do you ensure that Azure AD users can Sign in to Azure VMS joined to the Azure AD DS domain? ›

On the Management tab, select the Login with Azure AD checkbox in the Azure AD section. Make sure that System assigned managed identity in the Identity section is selected. This action should happen automatically after you enable login with Azure AD.

Is Microsoft account different from Azure account? ›

There is no synchronization of user account information between Microsoft Accounts and Azure Active Directory, like you can achieve with Active Directory and Azure Active Directory. This is due to the separation of that consumer versus business identity platform.

Do you need Microsoft account to Sign in? ›

A Microsoft account is usually required to install and activate Office versions 2013 or later, and Microsoft 365 Family or Personal.

Do you need a Microsoft email to have a Microsoft account? ›

You can create an Outlook.com or Microsoft account with a new email address or use an existing email address from a third-party email account, such as Gmail or Yahoo, but there are certain limitations when using a third-party email address as the primary alias for your Microsoft account.

What are the two types of authentication Microsoft Azure Active Directory uses? ›

How each authentication method works
Method | Primary authentication | Secondary authentication
Microsoft Authenticator app | Yes | MFA and SSPR
FIDO2 security key | Yes | MFA
Certificate-based authentication (preview) | Yes | No
OATH hardware tokens (preview) | No | MFA and SSPR
Sep 7, 2022

What are the 3 main identity types used in Azure AD? ›

- [Instructor] The exam may test your knowledge of the identity types available in Azure Active Directory. And for the exam, there are four different identity types that you'll want to be familiar with: the user, service principle, managed identity, and device.

What is an alternate UPN? ›

The default UPN suffix for a user account is the Domain Name System (DNS) domain name of the domain that contains the user account. You can add alternative UPN suffixes to simplify administration and user logon processes by providing a single UPN suffix for all users.

How do I change my default Microsoft authentication method? ›

To change your default security info method
  1. On the Security info page, select Change next to the Default sign-in method information.
  2. Choose Microsoft Authenticator - notification from the list of available methods. ...
  3. Select Confirm.

Which are the authentication mechanism options available in Azure AD?

Additional resources
  • Microsoft Authenticator authentication method - Azure Active Directory - Microsoft Entra. ...
  • Combined registration for SSPR and Azure AD Multi-Factor Authentication - Azure Active Directory - Microsoft Entra. ...
  • Protecting authentication methods in Azure Active Directory - Microsoft Entra.

How do I change my Microsoft authentication device?

Add a trusted device to your Microsoft account
  1. On the device you want to trust, go to the Security settings page and sign in to your Microsoft account.
  2. You'll be prompted to verify your identity. ...
  3. Select the check box for Don't ask me again on this device.
  4. Select Verify.

What is UPN in Azure AD?

The User Principal Name (UPN) attribute is an internet communication standard for user accounts. A UPN consists of a prefix (user account name) and a suffix (DNS domain name). The prefix joins the suffix using the "@" symbol. For example, someone@example.com.

How do I change my UPN prefix in Azure AD?

To change a UPN, change it in AD, run a sync, and then manually change it in Azure AD (AAD) by running the MSOnline cmdlet "Set-MsolUserPrincipalName" to update the AAD UPN.

What is a UPN in Active Directory?

In Microsoft's Active Directory, the User Principal Name (UPN) is the sign-in name, or username, that uniquely identifies a user in the directory. Microsoft uses Azure Active Directory (Azure AD) for all its online business services (such as Microsoft 365, Office 365, Dynamics 365, Power Apps, and Azure).

How do I make my alternate email my main email?

You can add a non-Gmail email address to your account and use it to sign in, recover your password, and more.
  1. In your Google Account, open the Personal info tab.
  2. Under "Contact info," select Email.
  3. Under "Alternate emails," click Add alternate email.
  4. Enter an email address you own and select Add.

Can you reuse an email for a Microsoft account?

No, any Microsoft addresses in a deleted account cannot be used again.

How do I use alternate email?

Add an alternate email address
  1. Open your Google Account. You might need to sign in.
  2. Select Personal info.
  3. Under "Contact info," click Email.
  4. Next to "Alternate emails," select Add alternate email or Add other email. You may need to sign in again. ...
  5. Enter an email address you own. Select Add.

How do I bypass Microsoft two step verification?

To turn two-step verification on or off:
  1. Go to Security settings and sign in with your Microsoft account.
  2. Under the Two-step verification section, choose Set up two-step verification to turn it on, or choose Turn off two-step verification to turn it off.
  3. Follow the instructions.

How do I add an email account to Microsoft Authenticator?

Add account to Microsoft Authenticator
  1. Open the Microsoft Authenticator app on your phone.
  2. Tap the + > Work or school account.
  3. Use your phone to scan the QR square that is on your computer screen. Notes: ...
  4. Your account will be added automatically to the app and will display a six-digit code.

Is email a good MFA?

Email 2FA remains the least secure of all the approaches, simply because an email address is not tied to a specific device, and anyone who has someone's email password can compromise a large number of accounts.

Can I change my Microsoft account login?

How to change Microsoft account in Windows 10
  1. Open Windows Settings (Windows key + I).
  2. Then click Accounts and then click on Sign in with a local account instead.
  3. Then sign out of the account and sign in back.
  4. Now open Windows Settings again.
  5. Then click on Accounts and then click on Sign in with a Microsoft Account.

How do I change the Microsoft account linked to?

Select Start, select and hold (or right-click) the account name icon (or picture), then select Switch user. Select the Start button on the taskbar. Then, on the left side of the Start menu, select the account name icon (or picture), then select a different user to switch to their account.

Can I sign up to Azure with Gmail account?

To enable sign-in for users with a Google account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in Google Developers Console. For more information, see Setting up OAuth 2.0. If you don't already have a Google account you can sign up at https://accounts.google.com/signup.

How do I log into Azure with Gmail?

Sign in to the Azure portal and navigate to your app. Select Authentication in the menu on the left. Click Add identity provider. Select Google in the identity provider dropdown.

What is alternate email ID example?

For example, the Solarmora.com admin assigned Emily the email alias support@solarmora.com. To read and respond to messages sent to the alias, Emily signs in to her email account emily@solarmora.com.

What is alternate email id?

An additional email address that you can use to sign in to your Google Account.

Can I use Gmail instead of Microsoft account?

What is a Microsoft account? A Microsoft account is an email address and password that you use with Outlook.com, Hotmail, Office, OneDrive, Skype, Xbox, and Windows. When you create a Microsoft account, you can use any email address as the user name, including addresses from Outlook.com, Yahoo! or Gmail.

How do I log into Azure without a browser?

If no web browser is available or the web browser fails to open, you may force device code flow with az login --use-device-code.

How do I use Azure AD as identity provider for Google?

Sign in to the Azure portal as an External Identity Provider Administrator or a Global Administrator. In the left pane, select Azure Active Directory. Select External Identities. Select All identity providers, and then select the Google button.

How do I use Azure email service?

  1. Setting up. Create a new Node. ...
  2. Authenticate the client. Import the EmailClient from the client library and instantiate it with your connection string. ...
  3. Send an email message. To send an Email message, you need to. ...
  4. Getting MessageId to track email delivery. ...
  5. Getting status on email delivery. ...
  6. Run the code. ...
  7. Advanced.

Article information

Author: Duncan Muller

Last Updated: 08/08/2023
