Azure AD integration with LMS system for authentication in case of email ID for sign-in different from UPN

Rajamoni, Radha (Contractor) 0 Reputation points
2023-10-30T19:26:18.0866667+00:00

Hello there,

In our organization, Azure AD had emails with domain name 1 and domain name 2. When the org created separate email IDs, the previous email ID became our UPN (User Principal Name). Irrespective of the email ID we use to log in (either old or new), Azure AD identifies users by their UPN, especially when AD shares user info with external SaaS products. Now the issue is that we need to integrate our org SSO (Azure AD) with an LMS system for authentication. Due to this dual-domain email ID, we are unable to proceed further. The root cause is how to form a rule to authenticate, because for new joiners, only domain name 1 is available.

Your response would be helpful for the integration.


1 answer

  1. James Hamil 27,211 Reputation points Microsoft Employee Moderator
    2023-11-02T22:13:08.5466667+00:00

    Hi @Rajamoni, Radha (Contractor), you can configure Azure AD to let users sign in with their email as an alternate login ID. This can be helpful in cases where the on-premises UPN is different from the email ID used for sign-in. The feature supports managed authentication with Password Hash Sync (PHS) or Pass-Through Authentication (PTA).

    To enable email as an alternate login ID, you can use either the Home Realm Discovery (HRD) policy or the Staged rollout policy. The HRD policy enables the feature for the entire tenant, while the Staged rollout policy allows you to test the feature with specific Azure AD groups.

    Please note that there are some limitations and unsupported scenarios in the current preview state of this feature. For example, it doesn't support Hybrid Azure AD joined devices, Azure AD joined devices, Resource Owner Password Credentials (ROPC), and some third-party applications. Make sure to review these limitations before implementing the solution.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

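The procedure the answer describes (enable email as an alternate login ID, either tenant-wide with an HRD policy or for a pilot group with staged rollout), as an added PowerShell example that is not part of the original question or answer. It first inventories the accounts the question is about, i.e. users whose sign-in email lives in a different domain than their UPN, and checks that those mail domains are verified in the tenant, since alternate ID sign-in only matches addresses in verified domains. It assumes the Microsoft.Graph PowerShell SDK is installed and the caller has the listed Graph permissions; `$PilotGroupId` is a hypothetical placeholder, and the `New-MgPolicyFeatureRolloutPolicy` / `New-MgPolicyFeatureRolloutPolicyApplyToByRef` cmdlet names are taken from the Microsoft Graph PowerShell SDK as I know it, not from the page.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "User.Read.All","Domain.Read.All",
                        "Policy.ReadWrite.ApplicationConfiguration","Policy.ReadWrite.FeatureRollout"

# 1. Inventory: users whose mail / primary SMTP address is in a different domain
#    than their UPN. These are the accounts that fail today when the user types
#    the "new" address, because Entra ID matches the UPN by default.
$users = Get-MgUser -All -Property Id,UserPrincipalName,Mail,ProxyAddresses
$mismatched = foreach ($u in $users) {
    $upnDomain = ($u.UserPrincipalName -split '@')[-1]
    # Primary SMTP address is the upper-case "SMTP:" entry in proxyAddresses.
    $primary = $u.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
               ForEach-Object { $_.Substring(5) } | Select-Object -First 1
    $mailAddr = if ($u.Mail) { $u.Mail } else { $primary }
    if ($mailAddr) {
        $mailDomain = ($mailAddr -split '@')[-1]
        if ($mailDomain -ne $upnDomain) {
            [pscustomobject]@{
                UPN        = $u.UserPrincipalName
                Mail       = $mailAddr
                MailDomain = $mailDomain
            }
        }
    }
}
$mismatched | Format-Table -AutoSize

# Alternate login ID only matches addresses in domains verified in this tenant.
$verified = (Get-MgDomain | Where-Object { $_.IsVerified }).Id
$mismatched | Where-Object { $_.MailDomain -notin $verified } | ForEach-Object {
    Write-Warning "Domain $($_.MailDomain) (user $($_.UPN)) is not verified; sign-in with that address will not work"
}

# 2a. Tenant-wide: Home Realm Discovery policy with AlternateIdLogin enabled.
$hrdDefinition = '{"HomeRealmDiscoveryPolicy":{"AlternateIdLogin":{"Enabled":true}}}'
New-MgPolicyHomeRealmDiscoveryPolicy -DisplayName "BasicAutoAccelerationPolicy" `
    -Definition @($hrdDefinition) -IsOrganizationDefault:$true

# 2b. Or a pilot: staged rollout of the emailAsAlternateId feature for one group.
$PilotGroupId = "00000000-0000-0000-0000-000000000000"   # hypothetical placeholder
$rollout = New-MgPolicyFeatureRolloutPolicy -DisplayName "Email as alternate ID pilot" `
    -Feature "emailAsAlternateId" -IsEnabled:$true -IsAppliedToOrganization:$false
New-MgPolicyFeatureRolloutPolicyApplyToByRef -FeatureRolloutPolicyId $rollout.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$PilotGroupId" }
```

Run the inventory first and keep the staged-rollout variant for the pilot group mentioned in the answer; apply the HRD policy only once the pilot users (including new joiners who have only domain name 1) sign in cleanly. Note that this setting changes which identifier the sign-in page accepts; it does not change the identifier the LMS receives in the token, which remains whatever the application's claim configuration emits (UPN by default), so the LMS-side matching rule still has to be built on that claim.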
