Hello,
Thank you so much for posting here.
If the domain user (aa@afg .com) would like to log on with the email address (aa@Karima ben .com), alternative UPN suffixes could solve the problem. The solution is as shown below.
1. Open the AD Domains and Trusts, click the AD Domains and Trusts and choose "Properties". Add the alternative UPN suffixes, for example, hotmail.com.
2. Then configure the User logon name as shown below.
3. The user could log on with aa@Karima ben .com. After successfully logging in, use the whoami command to verify the currently logged-in user; the user name displayed is still BOOK\aa.
"You can use Active Directory Domains and Trusts to add user principal name (UPN) suffixes for the existing user account. The default UPN suffix for a user account is the Domain Name System (DNS) domain name of the domain that contains the user account. You can add alternative UPN suffixes to simplify administration and user logon processes by providing a single UPN suffix for all users. The UPN suffix is used only within the Active Directory forest, and it is not required to be a valid DNS domain name."
A UPN suffix will give the user the ability to use a friendly user logon name that does not match the domain's or parent domains' naming structure, but authentication with the original domain name won't be affected.
For more information, we could refer to:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772007(v=ws.11)?redirectedfrom=MSDN
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
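The three steps in the answer above, scripted with the ActiveDirectory PowerShell module (RSAT) instead of the GUI. This is an added example, not part of the original answer; the suffix, account name and domain below are placeholders, and the duplicate-UPN check is an extra precaution the answer does not mention.

```powershell
# Added example: alternative UPN suffix end to end (add suffix, set user logon name, verify).
# Requires the ActiveDirectory module; step 1 needs Enterprise Admin rights on the forest.
Import-Module ActiveDirectory

$NewSuffix  = 'example.com'   # placeholder: the alternative UPN suffix (the answer uses hotmail.com)
$SamAccount = 'aa'            # placeholder: sAMAccountName of the user from the answer
$NewUpn     = "$SamAccount@$NewSuffix"

# Step 1: add the alternative UPN suffix at forest level
# (equivalent to AD Domains and Trusts > Properties > UPN Suffixes).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $NewSuffix}
    Write-Host "Added UPN suffix '$NewSuffix' to forest $($forest.Name)"
}

# Check before step 2: a UPN must be unique across the forest. Query the global catalog (port 3268)
# so users in other domains of the forest are included, and stop if the UPN is already taken.
$gc  = "$($forest.Name):3268"
$dup = Get-ADUser -Filter "UserPrincipalName -eq '$NewUpn'" -Server $gc |
       Where-Object { $_.SamAccountName -ne $SamAccount }
if ($dup) {
    throw "UPN '$NewUpn' is already used by $($dup.DistinguishedName); not changing $SamAccount"
}

# Step 2: set the User logon name, i.e. the userPrincipalName attribute, to the new suffix.
Set-ADUser -Identity $SamAccount -UserPrincipalName $NewUpn

# Step 3: verify. The UPN changed, but the account behind it is the same object, which is why
# 'whoami' after logon still reports DOMAIN\aa (the pre-Windows 2000 logon name, sAMAccountName).
$user = Get-ADUser -Identity $SamAccount -Properties UserPrincipalName, SamAccountName
$nb   = (Get-ADDomain).NetBIOSName
Write-Host ("Logon name (UPN): {0}" -f $user.UserPrincipalName)
Write-Host ("whoami will show: {0}\{1}" -f $nb, $user.SamAccountName)
```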