Azure AD – You can now use an Alternate Login ID to sign in (preview)

For those who have been working with Active Directory Federation Services (AD FS), you already know you could configure an Alternate Login ID to sign in with your AD FS environment.

An Alternate Login ID allows you to use your email address instead of your UPN (User Principal Name) to sign in.

As a best practice/recommendation, UPN and email address should be identical but there is situations where this can not be the case, such as:

  • company merge or rebrand
  • business or compliance reasons when on-premises UPN can not be used for authentication

Well, until now this was not possible to define an Alternate Login ID to sign in with Azure Active Directory (Azure AD).

This option is now available in preview.

If you want to use this new authentication capability, you will need to use Azure AD Preview PowerShell module, synchronize your directory with Azure AD with either Password Hash Sync (PHS) or Pass-Through Authentication (PTA).

  • Download and install the Azure AD Preview module using the PowerShell command

Install-Module AzureADPreview

NOTE if you already have a version of Azure AD PowerShell module installed, you will have to uninstall it

  • Then you connect to your Azure AD and check if you already have a policy in place (if not just create one)


  • Check if you already have a policy in place associated with the HomeRealmDiscoveryPolicy type using


  • If you already have a policy in place, check if the Alternate Login ID is already enabled (should not) and then update the policy to enable the Alternate Login ID

Get-AzureADPolicy | where-object {$_.Type -eq “HomeRealmDiscoveryPolicy”} | fl *

Set-AzureADPolicy -id <the policy ID> -Definition @(‘{“HomeRealmDiscoveryPolicy” :”AllowCloudPasswordValidation”:true,”AlternateIdLogin”:{“Enabled”: true}}}’) -DisplayName “BasicAutoAccelerationPolicy” -IsOrganizationDefault $true -Type “HomeRealmDiscoveryPolicy”

  • If you don’t have a policy, you can create a new one and set the Alternate Login ID enabled at once with

New-AzureADPolicy -Definition @(‘{“HomeRealmDiscoveryPolicy” :{“AlternateIdLogin”:{“Enabled”: true}}}’) -DisplayName “BasicAutoAccelerationPolicy” -IsOrganizationDefault $true -Type “HomeRealmDiscoveryPolicy”

image_thumb  image_thumb[1]  image_thumb[2]  image_thumb[3]

Now you are ready to use the Alternate Login ID capability.

Now your users can use their email address (any of the address in the Proxy Address attribute of their account) to logon to your Azure AD/Office 365 (or any application using Azure AD authentication).