The best way to configure Alternate Login ID

Learn the prerequisites and general configuration steps before using Alternate Login ID to speed up an Office 365 install.

Office 365 includes a range of services, including Lync Online, SharePoint Online, OneDrive for Business, Office 2013 and of course, Exchange Online. Although moving to Exchange Online used to be the first thing organizations wanted to do, it's now becoming common for organizations to start using other services, like OneDrive for Business or Lync Online, first.

Alternate Login ID is useful in these scenarios as it can help accelerate your pilot and deployment of Office 365. Once you have an understanding of Alternate Login ID's features, use cases and drawbacks, it's time to look into prerequisites and configuration steps.

You don't need to do much to get Alternate Login ID up and running. Ideally, you'll need the latest version of DirSync. You need to keep DirSync updated if you're using Office 365, anyway. (At time of writing, the current version is 6862.0000.)

You can use Password Sync with Alternate Login ID, but if you're planning on using Active Directory Federation Services, you'll need AD FS on Windows Server 2012 R2 (sometimes called AD FS 3.0) patched with Windows 8.1 update KB2919355, which is included as part of normal Windows Server updates.

Configure Alternate Login ID

Alternate Login ID is fairly simple to configure. TechNet provides detailed documentation on how to configure it and its supportability, but we'll walk through the required changes since the documentation makes the configuration sound harder than it actually is.

Changes for DirSync with Password Sync and AD FS users

We'll need to change the Attribute Flow in DirSync. To do this, open the Sync Service Manager on your DirSync server. This is usually located here:

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

Select Active Directory Connector on the Management Agents tab, then choose Properties (Figure 1).

Figure 1. Active Directory Connector on the Management Agents tab

Select Configure Attribute Flow, then Object Type: user. Scroll down and find the mapping for UserPrincipalName (Figure 2).

Figure 2. userprincipalname attribute

Alter the Data Source Attribute to the new value, for example, mail. Select Direct as the mapping type, press Edit to update the attribute flow and choose OK to save (Figure 3).

Figure 3. PowerShell session to update Office 365

Launch a PowerShell session to update Office 365. In testing, starting a full sync works best to make sure this change takes effect. Use the following commands:

Import-Module DirSync
Start-OnlineCoexistenceSync -FullSync

You should see that the Office 365 login ID is updated (Figure 4).

Figure 4. Updated Office 365 login ID
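Because the attribute flow above turns mail into the Office 365 login ID, it is worth auditing that attribute before the full sync: a login ID must be present, unique and in a domain verified in the tenant. The following is an added example, not part of the original article or Microsoft's tooling; the function name Test-LoginIdSource, the sample accounts and the verified domain list are constructed assumptions.

```powershell
# Added example. Constructed sample accounts so the script runs offline.
# Assumption: in production, load them from the ActiveDirectory module with
#   $users = Get-ADUser -Filter * -Properties mail
$users = @(
    [pscustomobject]@{ SamAccountName = 'asmith';  mail = 'alice.smith@example.com' }
    [pscustomobject]@{ SamAccountName = 'asmith2'; mail = 'Alice.Smith@example.com' }
    [pscustomobject]@{ SamAccountName = 'bjones';  mail = $null }
    [pscustomobject]@{ SamAccountName = 'cwu';     mail = 'c.wu@corp.example.net' }
    [pscustomobject]@{ SamAccountName = 'dlee';    mail = 'd.lee@example.com' }
)
# Assumption: the domains verified in the Office 365 tenant.
$verifiedDomains = @('example.com')

function Test-LoginIdSource {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Users,
        [Parameter(Mandatory = $true)] [string[]] $VerifiedDomains,
        [string] $Attribute = 'mail'
    )
    # @{} keys are case-insensitive, so values differing only in case collide,
    # which is how login IDs are compared.
    $seen = @{}
    foreach ($u in $Users) {
        $v = [string]$u.$Attribute
        if ($v) { $seen[$v] = 1 + $seen[$v] }
    }
    foreach ($u in $Users) {
        $v = [string]$u.$Attribute
        $problem = $null
        if (-not $v) {
            $problem = 'Empty'
        } elseif ($v -notmatch '^[^@\s]+@[^@\s]+$') {
            $problem = 'NotUserAtDomain'
        } elseif ($seen[$v] -gt 1) {
            $problem = 'Duplicate'
        } elseif ($VerifiedDomains -notcontains $v.Split('@')[1]) {
            $problem = 'UnverifiedDomain'
        }
        if ($problem) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Value = $v; Problem = $problem }
        }
    }
}

# Emits one row per account that would not get a usable login ID.
Test-LoginIdSource -Users $users -VerifiedDomains $verifiedDomains | Format-Table -AutoSize
```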

Additional Changes for AD FS users

If you're using AD FS, you'll also need to make two changes to the AD FS farm on the primary server.

First, launch a PowerShell session and use the following commands to set the Alternate Login ID. In our example, we use mail, as used in DirSync. Replace the LookupForests value with your AD Forest name, as follows:

Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests adforest.local

Next, open the AD FS Management Console and navigate to Trust Relationships > Relying Party Trusts. Select Microsoft Office 365 Identity Platform and choose Edit Claim Rules. In the Issuance Transform Rules tab, select the first rule (1) and choose Edit Rule (Figure 5).

Figure 5. Edit Rule in AD FS Management Console

Finally, change userPrincipalName (UPN) to the new attribute, in this case, mail (Figure 6).

Figure 6. 'mail' as UPN attribute

Login experience

The Alternate Login ID takes effect once the changes are complete. At that point, the login configuration should be complete; it's a simple process.

Domain-joined machines using Windows Integrated Authentication will auto-login where they can use the current logged-in end user's credentials.

Where end users are prompted for a username, they will use the Alternate Login ID -- in our case, the email address for login (Figure 7). You're then free to update the UPN to match what suits you.

Figure 7. Update the UPN

What happens when you upgrade DirSync?

As you make changes to the default install of DirSync, you may wonder what happens when it's time to upgrade.

Since version 6385.0012 -- where Password Sync was first introduced -- in-place upgrades have been supported, retaining such changes as filtering. When upgrades were tested from version 6765.0006 to 6862.0000 -- two versions that supported Alternate Login ID -- changes had to be reapplied. Although this means the change is supported, watch out for this issue when you update DirSync in the future.
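One way to catch the upgrade issue described above, and to confirm the result of the full sync, is to pair each on-premises account with its cloud object and report any whose Office 365 login ID no longer equals the chosen attribute. This is an added example, not part of the original article or Microsoft's tooling; the function names and sample accounts are constructed, and loading real data with Get-ADUser and Get-MsolUser is an assumption noted in the comments.

```powershell
# Added example. DirSync sets ImmutableId to the Base64 of the AD objectGUID.
function ConvertTo-ImmutableId([guid] $ObjectGuid) {
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Find-LoginIdDrift {
    param([object[]] $AdUsers, [object[]] $CloudUsers, [string] $Attribute = 'mail')
    # Base64 is case-sensitive, so use a case-sensitive table rather than @{}.
    $cloudById = New-Object System.Collections.Hashtable
    foreach ($c in $CloudUsers) {
        if ($c.ImmutableId) { $cloudById[$c.ImmutableId] = $c }
    }
    foreach ($u in $AdUsers) {
        $expected = [string]$u.$Attribute
        $id       = ConvertTo-ImmutableId $u.ObjectGUID
        $cloud    = $cloudById[$id]
        $cloudUpn = $null
        $status   = 'OK'
        if (-not $cloud) {
            $status = 'NotInCloud'
        } else {
            $cloudUpn = $cloud.UserPrincipalName
            if ($cloudUpn -ne $expected) { $status = 'Drift' }   # -ne ignores case
        }
        if ($status -ne 'OK') {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Expected = $expected
                               CloudLoginId   = $cloudUpn;         Status   = $status }
        }
    }
}

# Constructed sample data. Assumption: in production, load it with
#   $adUsers    = Get-ADUser -Filter * -Properties mail
#   $cloudUsers = Get-MsolUser -All      # MSOnline module, after Connect-MsolService
$g1 = [guid]'11111111-1111-1111-1111-111111111111'
$g2 = [guid]'22222222-2222-2222-2222-222222222222'
$g3 = [guid]'33333333-3333-3333-3333-333333333333'
$adUsers = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; ObjectGUID = $g1; mail = 'alice.smith@example.com' }
    [pscustomobject]@{ SamAccountName = 'bjones'; ObjectGUID = $g2; mail = 'bob.jones@example.com' }
    [pscustomobject]@{ SamAccountName = 'cwu';    ObjectGUID = $g3; mail = 'c.wu@example.com' }
)
$cloudUsers = @(
    [pscustomobject]@{ ImmutableId = (ConvertTo-ImmutableId $g1); UserPrincipalName = 'alice.smith@example.com' }
    # Login ID back on the on-premises UPN, as when the attribute flow was reset.
    [pscustomobject]@{ ImmutableId = (ConvertTo-ImmutableId $g2); UserPrincipalName = 'bjones@example.com' }
)

Find-LoginIdDrift -AdUsers $adUsers -CloudUsers $cloudUsers | Format-Table -AutoSize
```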

About the author:
Steve Goodman is an Exchange MVP, and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners. Goodman has worked extensively with Microsoft Exchange since version 5.5 and with Office 365 since its origins in Exchange Labs and Live@EDU.
