Azure AD – Password less with FIDO2 now in preview for hybrid deployments
As you may be already aware, support for password less with FIDO2 keys has been in preview for quite some time already for Azure AD Joined devices...
For those who have been working with Active Directory Federation Services (AD FS), you already know that you can configure an Alternate Login ID to sign in to your AD FS environment.
An Alternate Login ID allows you to use your email address instead of your UPN (User Principal Name) to sign in.
As a best practice/recommendation, UPN and email address should be identical, but there are situations where this cannot be the case, such as:
Until now, it was not possible to define an Alternate Login ID to sign in to Azure Active Directory (Azure AD).
This option is now available in preview.
If you want to use this new authentication capability, you will need the Azure AD Preview PowerShell module, and your directory must be synchronized to Azure AD with either Password Hash Sync (PHS) or Pass-Through Authentication (PTA).
Install-Module AzureADPreview
NOTE: if you already have a version of the Azure AD PowerShell module installed, you will have to uninstall it first.
Connect-AzureAD
Get-AzureADPolicy
Get-AzureADPolicy | Where-Object {$_.Type -eq "HomeRealmDiscoveryPolicy"} | fl *
If a HomeRealmDiscoveryPolicy already exists, update it using its policy ID:
Set-AzureADPolicy -Id <the policy ID> -Definition @('{"HomeRealmDiscoveryPolicy":{"AllowCloudPasswordValidation":true,"AlternateIdLogin":{"Enabled":true}}}') -DisplayName "BasicAutoAccelerationPolicy" -IsOrganizationDefault $true -Type "HomeRealmDiscoveryPolicy"
If no HomeRealmDiscoveryPolicy exists yet, create one:
New-AzureADPolicy -Definition @('{"HomeRealmDiscoveryPolicy":{"AlternateIdLogin":{"Enabled":true}}}') -DisplayName "BasicAutoAccelerationPolicy" -IsOrganizationDefault $true -Type "HomeRealmDiscoveryPolicy"
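As an added worked example (not code from the original post), the steps above as one script: it looks for the organization-default HomeRealmDiscoveryPolicy, updates it if present or creates it otherwise, and reads the definition back to confirm AlternateIdLogin is really enabled before you tell users to sign in by email. It assumes the AzureADPreview module is installed and Connect-AzureAD has already been run; the display name "BasicAutoAccelerationPolicy" is the one used in the post.

```powershell
# Added example, not from the original post. Assumes AzureADPreview is installed
# and Connect-AzureAD has already been run in this session.

# Build the definition shown in the post as an object, so it serialises to valid JSON
# (the hand-typed JSON is easy to get wrong: a missing brace silently breaks the policy).
$definition = [ordered]@{
    HomeRealmDiscoveryPolicy = [ordered]@{
        AllowCloudPasswordValidation = $true          # as in the post's Set-AzureADPolicy example
        AlternateIdLogin             = @{ Enabled = $true }
    }
} | ConvertTo-Json -Depth 5 -Compress

# Find an existing organization-default HRD policy, if there is one.
$policy = Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'HomeRealmDiscoveryPolicy' -and $_.IsOrganizationDefault }

if ($policy) {
    # Set-AzureADPolicy replaces the whole definition: inspect the current one first
    # ($policy.Definition) if other HRD settings must be preserved.
    Set-AzureADPolicy -Id $policy.Id -Definition @($definition) `
        -DisplayName $policy.DisplayName -IsOrganizationDefault $true `
        -Type 'HomeRealmDiscoveryPolicy'
} else {
    $policy = New-AzureADPolicy -Definition @($definition) `
        -DisplayName 'BasicAutoAccelerationPolicy' -IsOrganizationDefault $true `
        -Type 'HomeRealmDiscoveryPolicy'
}

# Read the policy back and verify the setting actually landed.
$applied = (Get-AzureADPolicy -Id $policy.Id).Definition | ConvertFrom-Json
if ($applied.HomeRealmDiscoveryPolicy.AlternateIdLogin.Enabled -ne $true) {
    throw "AlternateIdLogin is not enabled on policy $($policy.Id)"
}
"AlternateIdLogin enabled on '$($policy.DisplayName)' ($($policy.Id))"
```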
Now you are ready to use the Alternate Login ID capability.
Now your users can use their email address (any of the addresses in the proxyAddresses attribute of their account) to log on to Azure AD/Office 365 (or any application using Azure AD authentication).