ADFS: Alternate login ID

Don’t want to change a user’s UPN suffix?

Previously that was required when federating with Office 365 or any Microsoft Enterprise Cloud Service, but this is about to change:

http://technet.microsoft.com/en-us/library/dn659436.aspx

There are various reasons why you can’t always change a user’s UPN suffix, for example legacy software that depends on the old, non-Internet-routable domain name, such as apalnes.local.

But with this latest update to AD FS 3.0 (and possibly AD FS 2.0 as well, since the TechNet article describes the feature under Server 2012 as well as Server 2012 R2), we can have federated users without changing their UPN suffix; instead we choose an alternate login ID. This is described in more detail in the TechNet article.


But when we do this, we need to be aware of how it affects Office 365.

DirSync will still sync the non-routable UPN suffix, but since that domain doesn’t exist in WAAD/Office 365, the user will receive the onmicrosoft.com domain as username, SMTP address and SIP address.

Unless we have already configured these attributes (SMTP address and SIP address) in Active Directory.


Also see this TechNet blog about AlternateLoginID:

http://blogs.technet.com/b/askpfeplat/archive/2014/04/21/introduction-to-active-directory-federation-services-ad-fs-alternateloginid-feature.aspx

Heads-up for the Lync client: it will show users a pop-up prompt if the SIP address isn’t the same as the login ID. So even if you use an alternate login ID, I recommend that it be the same as your SMTP/SIP address; that way the login should work without a pop-up.
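As an added example (not from the original post), the following PowerShell pre-flight check covers both caveats above before AlternateLoginID is switched on: it flags users whose alternate login ID attribute is empty or not in the verified domain (DirSync would hand them the onmicrosoft.com name) and users whose SIP address differs from that login ID (the Lync pop-up case). It assumes the `mail` attribute will be the alternate login ID, a placeholder verified domain `example.com`, the page’s `apalnes.local` as the forest, and that the SIP address lives in `msRTCSIP-PrimaryUserAddress`; run it on a domain-joined machine with the ActiveDirectory module.

```powershell
# Pre-flight check before enabling AD FS AlternateLoginID (added example).
# Assumptions: alternate login ID attribute = mail; verified Office 365 domain
# = example.com (placeholder); SIP address stored in msRTCSIP-PrimaryUserAddress.
Import-Module ActiveDirectory

$VerifiedDomain = 'example.com'   # placeholder: your verified Office 365 domain
$AltIdAttribute = 'mail'          # attribute that will become the login ID

$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties userPrincipalName, mail, 'msRTCSIP-PrimaryUserAddress'

$report = foreach ($u in $users) {
    $altId  = $u.$AltIdAttribute
    $sip    = $u.'msRTCSIP-PrimaryUserAddress' -replace '^sip:', ''
    $issues = @()

    # No routable login ID: DirSync falls back to the onmicrosoft.com name.
    if ([string]::IsNullOrEmpty($altId)) {
        $issues += 'NoAlternateId'
    } elseif (($altId -split '@')[-1] -ne $VerifiedDomain) {
        $issues += 'AltIdNotVerifiedDomain'
    }

    # Lync prompts for credentials when the SIP address differs from the login ID.
    if ($sip -and $altId -and ($sip -ne $altId)) {
        $issues += 'SipMismatch'
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $u.UserPrincipalName
        AlternateId    = $altId
        SipAddress     = $sip
        Issues         = ($issues -join ',')
    }
}

# Only users with at least one issue are listed; fix these before cutting over.
$report | Where-Object Issues | Format-Table -AutoSize

# Once the report is clean, enable the feature (cmdlet from the TechNet article):
# Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" `
#     -AlternateLoginID $AltIdAttribute -LookupForests 'apalnes.local'
```

Run the report again after DirSync has completed a cycle, since the onmicrosoft.com fallback only shows up once the unmatched users have been provisioned.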

Ehlo!

I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. Main focus on Microsoft Security and Endpoint Management, with a bigger picture in mind.
