Set up an alternate login ID (2023)


What is an alternate login ID?

In most scenarios, users sign in to their accounts with their User Principal Name (UPN). However, in some environments, because of corporate policies or dependencies of on-premises line-of-business applications, users may sign in with some other form of identifier.


The best practice recommended by Microsoft is to match the UPN to the primary SMTP address. This article addresses the small percentage of customers who are unable to change their UPNs to match.

For example, users may sign in with their email ID, and it may differ from the UPN. This is particularly common where the UPN is not routable. Consider a user Jane Doe with UPN jdoe@contoso.local and an email address that differs from it: Jane may not even be aware of the UPN, because she has always used her email ID to log in. Using any login method other than the UPN constitutes alternate identification. For more information about how the UPN is created, see Azure AD UserPrincipalName Population.

Active Directory Federation Services (AD FS) allows applications federated through AD FS to sign in with an alternate ID. This lets administrators specify an alternative to the default UPN for login. AD FS now supports any form of user identifier that Active Directory Domain Services (AD DS) accepts. When configured for alternate ID, AD FS allows users to sign in with the configured alternate ID value, such as an email ID. Using alternate IDs lets you adopt SaaS providers like Office 365 without changing your on-premises UPNs. It also lets you support line-of-business service applications with consumer-provisioned identities.

Alternate IDs in Azure AD

An organization may need to use an alternate ID in the following scenarios:

  1. The local domain name is not routable, such as contoso.local, and as a result the default user principal name is not routable either (jdoe@contoso.local). The existing UPN cannot be changed because of local application dependencies or company policies. Azure AD and Office 365 require that all domain suffixes associated with the Azure AD directory be fully routable over the Internet.
  2. The on-premises UPN is not the same as the user's email address; users sign in to Office 365 with the email address, and the UPN cannot be used because of organizational restrictions. AD FS allows these users to sign in to Azure AD without changing their on-premises UPN.

Configure alternate logon ID

Using Azure AD Connect

We recommend using Azure AD Connect to configure the alternate login ID for your environment.

  • For a new Azure AD Connect setup, see Connect to Azure AD for detailed instructions on how to set up an alternate ID and AD FS farm.
  • For existing Azure AD Connect installations, see Change the user sign-in method for instructions on how to change the sign-in method to AD FS.

When Azure AD Connect receives the details of your AD FS environment, it automatically checks that the required KB is present on your AD FS servers and configures AD FS for alternate ID, including all claim rules required for the Azure AD federation trust. No additional steps outside the wizard are required to set up the alternate ID.


Microsoft recommends using Azure AD Connect to configure the alternate login ID.

Configure Alternate ID Manually

To configure the alternate login ID, you must perform the following tasks:

Configure your AD FS claims provider trusts to enable alternate login ID

  1. If you have Windows Server 2012 R2, make sure that KB2919355 is installed on all AD FS servers. You can get it through Windows Server Update Services or download it directly.

  2. Update the AD FS configuration by running the following PowerShell cmdlet on any of the federation servers in your farm (if you have a WID farm, you must run this command on the primary AD FS server in your farm):

Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID <attribute> -LookupForests <forest domain>

AlternateLoginID is the LDAP name of the attribute that you want to use for login.

LookupForests is the list of DNS names of the forests that your users belong to.

To enable the alternate login ID feature, you must set both the -AlternateLoginID and -LookupForests parameters to a valid, non-null value.

In the following example, you enable the alternate login ID feature so that users with accounts in the listed forests can sign in to AD FS-enabled applications with their "mail" attribute (replace the placeholders with your forest DNS names):

Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests <forest1>,<forest2>

  3. To disable this feature, set the value of both parameters to null:

Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID $null -LookupForests $null
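As an added example (this script is not part of the original article), the following PowerShell wraps the three manual steps above into one run: it checks for KB2919355 on Windows Server 2012 R2, refuses to run on a secondary node of a WID farm, applies or removes the setting, and reads the trust back to confirm the change actually landed. The attribute name mail and the forest names contoso.com and fabrikam.com are placeholders you replace with your own.

```powershell
# Added example, not the article's own script: enable, verify or roll back
# AlternateLoginID on the "AD AUTHORITY" claims provider trust.
# Assumptions: run in an elevated session on the primary AD FS server with the
# ADFS module installed; 'mail', contoso.com and fabrikam.com are placeholders.
param(
    [string]   $Attribute = 'mail',
    [string[]] $Forests   = @('contoso.com', 'fabrikam.com'),
    [switch]   $Disable
)

Import-Module ADFS -ErrorAction Stop

# Step 1: Windows Server 2012 R2 (NT 6.3) needs KB2919355 on every AD FS server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Version -like '6.3.*' -and -not (Get-HotFix -Id 'KB2919355' -ErrorAction SilentlyContinue)) {
    throw 'KB2919355 is not installed; install it on every AD FS server before enabling alternate login ID.'
}

# Step 2: on a WID farm the cmdlet only succeeds on the primary federation server.
$sync = Get-AdfsSyncProperties
if ($sync.Role -ne 'PrimaryComputer') {
    throw "This node's role is '$($sync.Role)'; run the script on the primary federation server."
}

function Show-AltIdState([string] $Label) {
    $t = Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY'
    "{0}: AlternateLoginID='{1}' LookupForests='{2}'" -f $Label, $t.AlternateLoginID, ($t.LookupForests -join ',')
}

Show-AltIdState 'Before'

if ($Disable) {
    # Step 3: turning the feature off means setting BOTH parameters back to null.
    Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID $null -LookupForests $null
} else {
    # Both parameters must be non-null; one without the other leaves the feature disabled.
    Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID $Attribute -LookupForests $Forests
}

Show-AltIdState 'After'

# Read the trust back rather than trusting the cmdlet's silence.
$trust    = Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY'
$expected = if ($Disable) { '' } else { $Attribute }
if ([string]$trust.AlternateLoginID -ne $expected) {
    throw "AlternateLoginID is '$($trust.AlternateLoginID)' but '$expected' was expected."
}
```

Run it as .\Set-AltId.ps1 -Attribute mail -Forests contoso.com,fabrikam.com and add -Disable to roll back. The role check mirrors the WID restriction in step 2; on a SQL-backed farm every node reports the primary role, so the check is harmless there.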

Hybrid Modern Authentication with Alternate ID


The following was tested only on AD FS and not on third-party identity providers.

Exchange and Skype for Business

If you use an alternate sign-in ID with Exchange and Skype for Business, the user experience varies depending on whether you use HMA or not.


For the best end-user experience, Microsoft recommends using hybrid modern authentication.

For more information, see Hybrid Modern Authentication Overview.

Prerequisites for Exchange and Skype for Business

Below are the prerequisites for Alternate ID SSO.

  • Exchange Online must have modern authentication enabled.
  • Skype for Business (SfB) Online must have modern authentication enabled.
  • On-premises Exchange must have modern authentication enabled. Exchange 2013 CU19 or Exchange 2016 CU18 and higher is required on all Exchange servers, and there must be no Exchange 2010 in the environment.
  • On-premises Skype for Business must have modern authentication enabled. All servers must be running SfB Server 2015 CU5.
  • You must use Exchange and Skype clients with modern authentication enabled.
  • Skype for Business clients with modern authentication capability:
    • iOS, Android, Windows Phone
    • SfB 2016 (MA is enabled by default, but make sure it has not been disabled.)
    • SfB 2013 (MA is off by default, so make sure MA is turned on.)
    • SfB for Mac desktop
  • Exchange clients with modern authentication capability and support for the alternate ID registry keys:
    • Office Pro Plus 2016 only (see Step 1 below for the supported Office build)

Configuring your directory for Alternate ID SSO

Using an alternate ID may result in additional authentication prompts if these additional configurations are not completed. See the tables under "Applications and user experience after additional configuration" later in this article for the possible impact of alternate ID on the user experience.

With the following additional configuration, the user experience is significantly improved and you can get almost zero authentication prompts for alternate ID users in your organization.

Step 1. Update to the required version of Office

Office version 1712 (Build #8827.2148) and later have updated the authentication logic to handle the alternate ID scenario. To take advantage of the new logic, client computers must be updated to Office version 1712 (Build #8827.2148) and higher.

Step 2. Upgrade to the required version of Windows

Windows version 1709 and higher have updated the authentication logic to handle the alternate ID scenario. To take advantage of the new logic, client machines must be updated to Windows version 1709 and higher.

Step 3. Configure registry keys for affected users using Group Policy

Office applications rely on information pushed by the directory administrator to identify the alternate ID environment. The following registry keys should be configured so that Office applications can authenticate the user with the alternate ID without showing additional prompts.

Registry key: HKEY_CURRENT_USER\Software\Microsoft\AuthN
  Value name, type, data: DomainHint, REG_SZ, contoso.com
  Windows 7/8: required. Windows 10: required.
  Description: The data is a verified custom domain name on the organization's tenant. For example, Contoso Corp can put contoso.com in this value if contoso.com is one of the verified custom domain names in the tenant.

Registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
  Value name, type, data: EnableAlternateIdSupport, REG_DWORD, 1
  Windows 7/8: required for Outlook 2016 ProPlus. Windows 10: required for Outlook 2016 ProPlus.
  Description: The data can be 1 or 0 to tell Outlook whether to enable the enhanced alternate ID authentication logic.

Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<your STS host name>
  Value name, type, data: *, REG_DWORD, 1
  Windows 7/8: required. Windows 10: required.
  Description: Places the STS (the AD FS farm name) in the Local intranet zone in the Internet settings. The default AD FS deployment guidance recommends adding the AD FS namespace to the Local intranet zone in Internet Explorer.
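As an added example (not part of the original article), this script writes the three values from the table for the current user and reads them back; it is the per-user equivalent of what a Group Policy Preferences registry item would push. contoso.com and sts.contoso.com are placeholders, and the * value name under ZoneMap (every scheme, data 1 = Local intranet zone) follows the table above.

```powershell
# Added example, not the article's own script: apply and verify the client-side
# alternate ID registry values for the current user (HKCU).
# Assumptions: contoso.com is a verified domain of the tenant and sts.contoso.com
# is the AD FS farm name; both are placeholders to replace.
param(
    [string] $DomainHint = 'contoso.com',
    [string] $StsHost    = 'sts.contoso.com'
)

$settings = @(
    # Domain hint so Office goes straight to the right federated domain.
    @{ Path = 'HKCU:\Software\Microsoft\AuthN';                       Name = 'DomainHint';               Type = 'String'; Value = $DomainHint }
    # Outlook 2016 ProPlus: turn on the enhanced alternate ID logic.
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'; Name = 'EnableAlternateIdSupport'; Type = 'DWord';  Value = 1 }
    # STS host in the Local intranet zone (1); value name '*' covers every scheme.
    @{ Path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$StsHost"; Name = '*'; Type = 'DWord'; Value = 1 }
)

foreach ($s in $settings) {
    if (-not (Test-Path -LiteralPath $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null
    }
    # -Force overwrites an existing value that has different data or a different type.
    New-ItemProperty -LiteralPath $s.Path -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}

# Verify by reading each value back through the key object; this sidesteps the
# wildcard handling of the '*' value name in the *-ItemProperty cmdlets.
$problems = foreach ($s in $settings) {
    $key    = Get-Item -LiteralPath $s.Path -ErrorAction SilentlyContinue
    $actual = if ($key) { $key.GetValue($s.Name) } else { $null }
    if ("$actual" -ne "$($s.Value)") {
        "{0}\{1}: found '{2}', expected '{3}'" -f $s.Path, $s.Name, $actual, $s.Value
    }
}

if ($problems) { throw ($problems -join [Environment]::NewLine) }
'Alternate ID client registry values are in place for the current user.'
```

For a fleet, put the same three values in a Group Policy Preferences registry item under User Configuration; the script is useful on a pilot machine to confirm the Office build from Step 1 stops prompting once the values exist.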

New authentication flow after additional configuration

Figure: new authentication flow after additional configuration

  1. (a) The user is provisioned in Azure AD with the alternate ID. (b) The directory admin pushes the required registry key settings to the affected client machines.
  2. The user signs in to the local machine and opens an Office application.
  3. The Office app uses the local session credentials.
  4. The Office app authenticates to Azure AD using the domain hint pushed by the administrator and the local credentials.
  5. Azure AD successfully authenticates the user, redirects to the correct federation domain, and issues a token.

Applications and user experience after additional configuration

Clients other than Exchange and Skype for Business

Microsoft Teams
  Support statement: supported.
  Comments:
  • Microsoft Teams supports AD FS (SAML-P, WS-Fed, WS-Trust and OAuth) and modern authentication.
  • Core Microsoft Teams functionality such as channels, chats and files works with the alternate login ID.
  • Customers must separately investigate other first-party and third-party applications, because each app has its own set of supported authentication protocols.

OneDrive for Business
  Support statement: supported; client-side registry key recommended.
  Comments: With the alternate ID configured, you will see the on-premises UPN pre-populated in the verification field. It must be changed to the alternate identity being used. We recommend the client-side registry key listed in the article "Office 2013 and Lync 2013 periodically prompt for credentials for SharePoint Online, OneDrive, and Lync Online".

OneDrive for Business mobile client
  Support statement: supported.

Office 365 Pro Plus activation page
  Support statement: supported; client-side registry key recommended.
  Comments: Same behavior and recommendation as OneDrive for Business above: the on-premises UPN is pre-populated and must be replaced with the alternate identity, and the client-side registry key from the article "Office 2013 and Lync 2013 periodically prompt for credentials for SharePoint Online, OneDrive, and Lync Online" is recommended.

Exchange and Skype for Business clients

For each client, the first line is the support statement with HMA and the second is the support statement without HMA.

Outlook
  With HMA: supported, no additional prompts.
  Without HMA: with modern authentication for Exchange Online, supported. With regular authentication for Exchange Online, supported with the following caveats:
  • You must be on a domain-joined machine connected to the corporate network.
  • You can only use alternate ID in environments that do not allow external access for mailbox users. That is, users can only authenticate to their mailbox in a supported way when they are domain-joined and connected to the corporate network, through a VPN, or through jump (pass-through) machines, and there are some additional prompts when setting up the Outlook profile.

Hybrid public folders
  With HMA: supported, no additional prompts.
  Without HMA: with modern authentication for Exchange Online, supported. With regular authentication for Exchange Online, not supported: hybrid public folders cannot be expanded using alternate IDs and therefore should not be used with regular authentication today.

Cross-premises delegation
  With HMA: see Configure Exchange to support delegated mailbox permissions in a hybrid deployment.
  Without HMA: see Configure Exchange to support delegated mailbox permissions in a hybrid deployment.

Archive mailbox access (on-premises mailbox, cloud archive)
  With HMA: supported, no additional prompts.
  Without HMA: supported; users are prompted for additional credentials when accessing the archive and must supply their alternate ID when prompted.

Outlook Web Access
  With HMA: supported.
  Without HMA: supported.

Outlook mobile apps for Android, iOS and Windows Phone
  With HMA: supported.
  Without HMA: supported.

Skype for Business / Lync
  With HMA: supported, no additional prompts.
  Without HMA: supported (except where noted), but there is a chance of user confusion. On mobile clients, alternate ID is only supported if SIP address = email address = alternate ID. Users may need to sign in to the Skype for Business desktop client twice, first with the on-premises UPN and then with the alternate ID. (Note that "Sign-in address" is actually the SIP address, which may not be the same as "User name", although it often is.) When prompted for a user name the first time, the user must enter the UPN, even if the field was pre-populated with the alternate ID or the SIP address. After the user enters the UPN, the user name prompt appears again, this time pre-populated with the UPN; now the user should replace it with the alternate ID and click Sign In to complete the sign-in. On mobile clients, users must enter their on-premises user ID on the advanced page in SAM-style format (domain\username), not UPN format. When prompted for credentials, the user must provide valid credentials for the location of the mailbox: if the mailbox is in the cloud, the alternate ID; if the mailbox is on-premises, the on-premises UPN.

Additional details and considerations

  • Azure AD offers several different features related to "alternate login ID":

    • The AD FS alternate login ID setting, which applies to federated (1) identity infrastructure environments and is described in this article.
    • The Azure AD Connect synchronization setting that defines which on-premises attribute is used as the Azure AD username (userPrincipalName), for both federated (1) and managed (2) identity infrastructure environments; this is partially covered in this article.
    • The "Sign in to Azure AD using email as an alternate login ID" feature for managed (2) identity infrastructure environments.
  • The alternate login ID feature described in this article is available for federated (1) identity infrastructure environments. It does not support the following scenarios:

    • An AlternateLoginID attribute with non-routable domains (for example, contoso.local) that Azure AD cannot verify.
    • Managed environments that do not have AD FS deployed. See the Azure AD Connect synchronization documentation or the "Sign in to Azure AD using email as an alternate login ID" documentation instead. If you choose to adjust your Azure AD Connect sync configuration in a managed (2) identity infrastructure environment, the section "Applications and user experience after additional configuration" of this article may still apply, while the AD FS-specific configuration no longer applies because AD FS is not deployed in a managed (2) environment.
  • When enabled, the alternate login ID feature is only available for username/password authentication, in all username/password authentication protocols supported by AD FS (SAML-P, WS-Fed, WS-Trust and OAuth).

  • When Windows Integrated Authentication (WIA) is performed (for example, when users access a corporate application from a domain-joined machine on the intranet and the AD FS administrator has configured the authentication policy to use WIA for the intranet), the UPN is used for authentication. If you have configured any relying party claim rules for the alternate login ID feature, make sure those rules are still valid for WIA.

  • When enabled, the alternate login ID feature requires that at least one global catalog server be reachable from the AD FS server for each user account forest that AD FS supports. If no global catalog server in the user account's forest can be reached, AD FS falls back to using the UPN. By default, all domain controllers are global catalog servers.

  • When enabled, if the AD FS server finds more than one user object with the same alternate login ID value across all configured user account forests, the login fails.

  • When the alternate login ID feature is enabled, AD FS first tries to authenticate the end user with the alternate login ID, and then falls back to the UPN if it cannot find an account identified by the alternate login ID. You must make sure there are no conflicts between the alternate login ID and the UPN if you still want to support UPN login. For example, setting one user's email attribute to another user's UPN prevents the other user from signing in with their UPN.

  • If one of the administrator-configured forests is down, AD FS continues to look for the user account with the alternate login ID in the other configured forests. If the AD FS server finds a single user object across the searched forests, the user signs in successfully.

  • Additionally, you can customize the AD FS sign-in page to give end users hints about the alternate login ID. You can do this by adding a custom sign-in page description (for more information, see Customizing the AD FS sign-in pages) or by customizing the "Sign in with organization account" string above the username field (for more information, see Advanced customization of AD FS sign-in pages).

  • A new claim type carries the alternate login ID value.

(1) A federated identity infrastructure environment is one with an identity provider such as AD FS or another third-party IdP.

(2) A managed identity infrastructure environment is one with Azure AD as the identity provider, implemented with Password Hash Synchronization (PHS) or Pass-through Authentication (PTA).
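The considerations above describe three ways an alternate ID deployment fails quietly: the same value on more than one account (logon failure), a value that collides with another account's UPN (that account silently loses UPN logon because the alternate ID lookup wins), and a forest with no reachable global catalog (AD FS falls back to UPN). As an added example that is not part of the original article, this audit script walks the forests you intend to pass to -LookupForests and reports all three before you flip the setting. It assumes the RSAT ActiveDirectory module and read access to each forest; mail, contoso.com and fabrikam.com are placeholders.

```powershell
# Added example, not the article's own script: pre-flight audit of the forests
# you intend to pass to -LookupForests. It reports
#   (a) alternate ID values held by more than one account (logon fails: MSIS8014/MSIS8015),
#   (b) alternate ID values equal to a different account's UPN (that account loses UPN logon),
#   (c) forests with no reachable global catalog (AD FS falls back to UPN for them).
# Assumptions: RSAT ActiveDirectory module and read access to every forest;
# 'mail', contoso.com and fabrikam.com are placeholders.
param(
    [string]   $Attribute = 'mail',
    [string[]] $Forests   = @('contoso.com', 'fabrikam.com')
)

Import-Module ActiveDirectory -ErrorAction Stop

$byAltId = @{}   # alternate ID (lower case) -> list of 'forest\sAMAccountName'
$byUpn   = @{}   # UPN (lower case)          -> 'forest\sAMAccountName'

foreach ($forestName in $Forests) {
    $forest = Get-ADForest -Identity $forestName

    # (c) AD FS needs a GC in each user forest; discover one the way the DC locator does.
    $gc = Get-ADDomainController -Discover -DomainName $forest.RootDomain -Service GlobalCatalog -ErrorAction SilentlyContinue
    if (-not $gc) {
        Write-Warning "No global catalog reachable in forest $forestName; AD FS would fall back to UPN for its users."
    }

    # Walk every domain rather than the GC, since the GC only holds attributes in the partial attribute set.
    foreach ($domain in $forest.Domains) {
        Get-ADUser -Server $domain -Filter * -Properties $Attribute | ForEach-Object {
            $who = "$forestName\$($_.SamAccountName)"
            if ($_.UserPrincipalName) { $byUpn[$_.UserPrincipalName.ToLowerInvariant()] = $who }
            $alt = $_.$Attribute
            if ($alt) {
                $alt = ([string]$alt).ToLowerInvariant()
                if (-not $byAltId.ContainsKey($alt)) { $byAltId[$alt] = [System.Collections.Generic.List[string]]::new() }
                $byAltId[$alt].Add($who)
            }
        }
    }
}

# (a) the same alternate ID on several accounts, in one forest or across forests.
$duplicates = @($byAltId.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })
foreach ($d in $duplicates) {
    Write-Warning ("Alternate ID '{0}' is held by {1}: logon with it will fail." -f $d.Key, ($d.Value -join ', '))
}

# (b) the alternate ID of one account equals the UPN of a different account.
$upnConflicts = @($byAltId.GetEnumerator() | Where-Object {
    $byUpn.ContainsKey($_.Key) -and ($_.Value -notcontains $byUpn[$_.Key])
})
foreach ($c in $upnConflicts) {
    Write-Warning ("'{0}' is the alternate ID of {1} and the UPN of {2}: the latter can no longer sign in with its UPN." -f $c.Key, ($c.Value -join ', '), $byUpn[$c.Key])
}

[pscustomobject]@{
    Forests           = ($Forests -join ',')
    AccountsWithAltId = ($byAltId.Values | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
    DuplicateAltIds   = $duplicates.Count
    AltIdUpnConflicts = $upnConflicts.Count
}
```

Both collision classes are compared case-insensitively because AD FS resolves the identifier through Active Directory, where these attributes are matched without regard to case. Re-run the audit after any bulk attribute change; a single duplicate created later turns a working login into event 364 for every account that shares the value.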

Performance events and counters

The following performance counters were added to measure the performance of AD FS servers when alternate login ID is enabled:

  • Alternate Login ID Authentications: number of authentications performed with alternate login ID

  • Alternate Login ID Authentications/sec: number of authentications performed with alternate login ID per second

  • Average Lookup Latency for Alternate Login ID: average lookup latency across the forests that an administrator has configured for alternate login ID

The following are the various failure cases, their impact on a user's logon experience, and the events logged by AD FS:

Failure case: cannot get the sAMAccountName value for the user object
  Impact on the logon experience: logon failure
  Event: Event ID 364 with exception message MSIS8012: Cannot find samAccountName for user: '{0}'.

Failure case: the CanonicalName attribute is not accessible
  Impact on the logon experience: logon failure
  Event: Event ID 364 with exception message MSIS8013: User's CanonicalName: '{0}': '{1}' is malformed.

Failure case: multiple user objects found in a forest
  Impact on the logon experience: logon failure
  Event: Event ID 364 with exception message MSIS8015: Multiple user accounts with identity '{0}' found in forest '{1}' with identities: {2}

Failure case: multiple user objects found in multiple forests
  Impact on the logon experience: logon failure
  Event: Event ID 364 with exception message MSIS8014: Multiple user accounts with identity '{0}' found in forests: {1}
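As an added example (not part of the original article), the following script turns the table above into a triage routine for a federation server: it pulls event 364 from the AD FS Admin log for the last N hours, classifies each by MSIS code, extracts the quoted identity from the message shapes shown in the table, and samples the three counters. The log name AD FS/Admin and the counter set name AD FS are assumptions; the counter names are the ones listed above.

```powershell
# Added example, not the article's own script: triage alternate login ID failures
# from the AD FS Admin log and sample the counters listed above.
# Assumptions: run on a federation server; the log name 'AD FS/Admin' and the
# counter set name 'AD FS' are assumed; the MSIS80xx codes and message shapes
# are taken from the table above.
param([int] $Hours = 24)

$reason = @{
    MSIS8012 = 'sAMAccountName not found for the user object'
    MSIS8013 = 'CanonicalName missing or malformed'
    MSIS8014 = 'alternate ID matches accounts in more than one forest'
    MSIS8015 = 'alternate ID matches more than one account in a single forest'
}

$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'AD FS/Admin'; Id = 364; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue)

$hits = foreach ($e in $events) {
    if ($e.Message -match 'MSIS801[2-5]') {
        $code = $Matches[0]
        # Pull the quoted identity out of the message formats shown in the table
        # ("user: '...'", "CanonicalName: '...'", "identity '...'").
        $who = if ($e.Message -match "(?:identity|user:|CanonicalName:) '([^']+)'") { $Matches[1] } else { '(not parsed)' }
        [pscustomobject]@{ Time = $e.TimeCreated; Code = $code; Identity = $who; Reason = $reason[$code] }
    }
}

'Event 364 alternate login ID failures in the last {0}h: {1}' -f $Hours, @($hits).Count
$hits | Group-Object Code | Sort-Object Count -Descending | Select-Object Name, Count | Format-Table -AutoSize

# Duplicate-account cases are a directory data problem, not a user problem:
# list which identities are affected so the attribute owner can fix them.
$hits | Where-Object { $_.Code -in 'MSIS8014', 'MSIS8015' } |
    Group-Object Identity | Select-Object @{ n = 'Identity'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Counter sample; the counter names are as documented above, the set name 'AD FS' is assumed.
$paths = '\AD FS\Alternate Login ID Authentications',
         '\AD FS\Alternate Login ID Authentications/sec',
         '\AD FS\Average Lookup Latency for Alternate Login ID'
Get-Counter -Counter $paths -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty CounterSamples | Select-Object Path, CookedValue
```

A rising Average Lookup Latency together with MSIS8014 events usually points at a slow or partially unreachable forest in -LookupForests, which is also the condition under which AD FS silently falls back to UPN logon for the users it cannot find.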

See also

AD FS operations

Article information

Author: Van Hayes

Last Updated: 02/01/2023