Authentication against Azure AD – Emailaddress vs User Principle Name

In a mobile and cloud world a lot of apps want to know who you are – better: what your [currently used] identity is.

For that there are two options for an app developer: 1. do it yourself [bad user experience, registering, password, no SSO, etc] 2. using a public cloud authentication mechanism like Azure Active Directory (AzuerAD or AAD).

As nowadays more and more users have an Office 365 account – and with that an AAD Identity – it is an obvious idea to authenticate against AAD esp. in an enterprise context even with (LOB) apps.

But there is (at least) one thing to have in mind when you have to authenticate against AAD:

AAD is expecting that you give your „User Principle Name“ (UPN, sometimes named as „your alias“) and your password [+Multifactor Authentication if enabled and requested] into the auth process.

BUT (!) there might be an obstacle. Dependent of how you or your IT organization has set up AAD you might get confused. I will share an example here:

There is a great service called „Sociabble“ which we use to expand our social marketing attempts through our employees [the „get“ for the employee is to enrich their social accounts so it’s a win (Microsoft)-win (employee) -win (reader)].
For using Sociabble you have to register your email address and authenticate e.g. against AAD [and other options available, we are using AAD].

And you probably see the issue already: it is easy to mix the registered email address and the UPN up.

E.g. there is a user called Maxi Mustermann. Her email address is maxi.mustermann@contoso.com and her UPN mamu@contoso.com.

Now Maxi has to know when and where to enter maxi.mustermann@contoso.com and when and where mamu@contoso.com, for Sociabble that means:

In the Sociabble logon screen you are asked for your (registered) email:

Login via „Email“ Address

And in the following AAD logon screen you have to enter your UPN/alias:

Azure AD Login – also stating „Email address“

So there is a huge likelihood that users mix this up! [Raised support cases, unhappy users, confusion, etc]

Therefor it is recommended that you have UPN===email address! See Prepare to provision users through directory synchronization to Office 365

Hope that helps!

Cheers

Stephanus


Beitrag veröffentlicht

in

von

Kommentare

Schreibe einen Kommentar