ADFS [AAD Connect] cannot authenticate user through alternative UPN

Roman Havryliuk 41 Reputation points

Hello, guys.
In Azure I have several domains, two of them with federated status, like

On-premises I have one domain with an alternative UPN suffix, but all users have the primary UPN set.

Azure AD Connect sends users to Azure with the main UPN, like etc.

So, when I try to log in on, with login, it works well: it sends me to the on-premises ADFS and all is good.

But when I try to log in with the alternative UPN,, the cloud ( validates this login, but ADFS says:

Incorrect user ID or password. Type the correct user ID and password, and try again.

In the ADFS logs these exceptions appear:

Event ID 342
Token validation failed.

Additional Data

Token Type:
Error message: user name or password is incorrect

Warning, Event ID 1000

An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.

Event ID 364

Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:
Microsoft.IdentityServer.AuthenticationFailedException: user name or password is incorrect ---> System.IdentityModel.Tokens.SecurityTokenValidationException: ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
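As an added illustration that is not part of the original question or answer: a PowerShell snippet that pulls the three event IDs quoted above from the AD FS admin log and groups them by Activity ID, which is the cross-reference the event 1000 text describes, so the 342, 364 and 1000 entries for one sign-in attempt line up. It assumes it runs on the AD FS server with read access to the "AD FS/Admin" log.

```powershell
# Added example, not from the original post. Correlates AD FS admin-log events
# 342 (token validation failed), 364 (passive request error) and 1000 (warning)
# by their Activity ID. Assumes the script runs on the AD FS server and that the
# log name is 'AD FS/Admin'.
param(
    [int]$Hours = 1,
    [int[]]$EventIds = @(342, 364, 1000)
)

$filter = @{
    LogName   = 'AD FS/Admin'
    Id        = $EventIds
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No AD FS events $($EventIds -join ', ') in the last $Hours hour(s)."
    return
}

$events |
    Group-Object -Property ActivityId |
    Sort-Object -Property { $_.Group[0].TimeCreated } |
    ForEach-Object {
        Write-Host ("`n=== Activity ID {0} ===" -f $_.Name)
        $_.Group |
            Sort-Object TimeCreated |
            ForEach-Object {
                # Keep only the first line of the message; the exception stack follows it.
                $firstLine = ($_.Message -split "`r?`n")[0]
                Write-Host ("{0:u}  Event {1}  {2}  {3}" -f $_.TimeCreated, $_.Id, $_.LevelDisplayName, $firstLine)
                # Surface the innermost Win32 error, which is the part that states why
                # the credential check failed (here "The user name or password is incorrect").
                if ($_.Message -match 'Win32Exception: ([^\r\n]+)') {
                    Write-Host ("    inner error: {0}" -f $matches[1])
                }
            }
    }
```

Run it right after reproducing the failed alternative-UPN sign-in, so the window contains only that attempt and each Activity ID group maps to one request.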


1 answer

  1. Roman Havryliuk 41 Reputation points

    The cmdlet gives this output:

    Get-MsolDomainFederationSettings -DomainName ""
    ActiveLogOnUri :
    DefaultInteractiveAuthenticationMethod :
    FederationBrandName :
    IssuerUri :
    LogOffUri :
    MetadataExchangeUri :
    NextSigningCertificate :
    OpenIdConnectDiscoveryEndpoint :
    PassiveLogOnUri :
