With the release of Update 1 for Windows Server 2012 R2, Microsoft has added the ability within Active Directory Federation Services (ADFS) to use an alternate Login ID for Office 365. This is a huge new benefit for some companies. Up until now the only Login ID that was able to be used was the UserPrincipalName (UPN) attribute. While this works well for most companies, some had issues with it. Some companies did not have an Internet routable UPN domain suffix, or the UPN did not match the users email address. Now you can configure the Mail attribute to be the Logon ID, this will ensure that companies can just have their users user their email address for logon, and this greatly helps with end user adoption and experience.
Here is the article explaining this new change.
Here is my walkthrough setting this up in my lab environment:
- Ensure you have Update 1 for Server 2012 R2 installed on all ADFS 3.0 servers
- I configured one of my test accounts with the Email attribute of Cloudtest@thecloudadvocate.com
- As you can see this is different than the UPN for the user
- I then ran the command to convert to using the Mail attribute for Logon ID
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests office365evangelist.com
- I then went to Portal.MicrosoftOnline.com and entered the email address as the username
- Hitting the tab key redirected me to my customized ADFS 3.0 Forms Based Authentication page
- Entering the password for the user got me into Office 365!
- Just to test I tried logging in with the UPN of the user
- This also works for logging in still!
This is a bonus, adding an Alternate Logon ID gives the company and user’s flexibility to use either the default UPN or the alternate Logon ID!