(Cloud) Tip of the Day: How to enable AlternateLoginID with Azure Active Directory

Some organizations can't use their on-premises user principal name (UPN) to authenticate their users by using Azure Active Directory or one of its associated services (such as Office 365, Azure, and Windows Intune). Common causes of this problem include:

    • The on-premises UPN uses a non-routable domain (a single-label domain or a ".local"/".intranet" domain).
    • Organizations can't change their on-premises UPN to use a different domain.
    • Organizations want to achieve single sign-on (SSO) but use smart cards exclusively for on-premises user authentication, so end users don't know their UPN and passwords.

Note: Customers may experience a combination of these causes.

What is alternate login ID?

Alternate login ID is a feature that was introduced in Active Directory Federation Services (AD FS) in Windows Server 2012 R2 Update 1. Alternate login ID facilitates logon to AD FS by using an administratively defined user attribute. After it is configured, AD FS locates the user account by the defined attribute first instead of by the UPN. Users will still be able to log on by using previously allowed methods.

You can also use alternate login ID without single sign-on (SSO) and AD FS by using cloud-managed sign-in and directory synchronization.

The alternate attribute must be of a data type compatible with the UPN attribute in Active Directory. For schema details, see the User-Principal-Name attribute.
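As an added example (not part of the original post), the following PowerShell script shows the two things a practitioner wants before turning the feature on: a pre-flight check that every enabled user has a value in the chosen alternate attribute that is shaped like a routable UPN and is unique, and then the actual change on the AD FS claims provider trust. The attribute name `mail`, the forest `corp.contoso.local`, and the verified suffix `contoso.com` are assumed placeholder values; `Set-AdfsClaimsProviderTrust` with `-AlternateLoginID` and `-LookupForests` is the real AD FS cmdlet used to enable alternate login ID, and `'AD AUTHORITY'` is the built-in identifier of the Active Directory claims provider trust.

```powershell
# Added example, not from the original post: pre-flight check of the attribute that will
# become the alternate login ID, then enabling it on the AD FS claims provider trust.
# Assumed (hypothetical) values: alternate attribute 'mail', on-premises forest
# 'corp.contoso.local' (non-routable UPN), routable suffix 'contoso.com' verified in Azure AD.
# Run on an AD FS server (Windows Server 2012 R2 Update 1 or later) that has the
# ActiveDirectory and ADFS PowerShell modules.

Import-Module ActiveDirectory
Import-Module ADFS

$AlternateAttribute = 'mail'                 # attribute AD FS will look up first
$LookupForest       = 'corp.contoso.local'   # forest whose users carry the non-routable UPN
$RoutableSuffixes   = @('contoso.com')       # domains verified in Azure AD (assumed)

# 1. Every enabled user needs a value in the alternate attribute, and it must look like
#    user@routable-domain; AD FS cannot locate a user whose value is empty, and Azure AD
#    will not accept a suffix it has not verified.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $AlternateAttribute

$problems = foreach ($u in $users) {
    $value = $u.$AlternateAttribute
    if ([string]::IsNullOrWhiteSpace($value)) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'empty'; Value = $null }
        continue
    }
    if ($value -notmatch '^[^@\s]+@[^@\s]+$') {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'not user@domain'; Value = $value }
        continue
    }
    $suffix = ($value -split '@')[1]
    if ($RoutableSuffixes -notcontains $suffix) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'suffix not verified'; Value = $value }
    }
}

# 2. Two users sharing the same alternate ID are ambiguous to AD FS, so flag duplicates.
$duplicates = $users | Where-Object { $_.$AlternateAttribute } |
    Group-Object -Property $AlternateAttribute | Where-Object { $_.Count -gt 1 }

if ($problems -or $duplicates) {
    $problems   | Format-Table -AutoSize
    $duplicates | Select-Object Name, Count | Format-Table -AutoSize
    throw 'Fix the alternate attribute values listed above before enabling alternate login ID.'
}

# 3. Enable alternate login ID on the Active Directory claims provider trust.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
    -AlternateLoginID $AlternateAttribute `
    -LookupForests $LookupForest

# 4. Confirm the setting took effect.
Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
    Select-Object Name, AlternateLoginID, LookupForests
```

The check runs before the change because a user whose attribute is empty, malformed or duplicated will simply fail to sign in once AD FS starts looking that attribute up first; finding those accounts in advance is cheaper than diagnosing the resulting logon failures. To undo the change, run `Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID $null -LookupForests $null`.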

Steps to set up alternate login ID

To learn more about how to enable and use alternate login ID, see the following document: