UPN != Email – Office 365 User Experience

Whether you are a customer who already has Office 365 workloads or you plan to introduce Office 365 workloads into your business, you may be faced with some questions surrounding the Office 365 login.

Are you planning to leverage directory synchronization to synchronize on-premises Active Directory with Office 365? Do you desire a hybrid configuration with either Exchange Online (EXO) or Skype for Business Online (SfBO)?

If you answered “Yes” to either of these questions, there is a more challenging dilemma for many customers using the User Principal Name (UPN) to authenticate to on-premises workloads. By default, the on-premises UPN determines the Office 365 login and SfBO SIP address.

Does the Office 365 login name need to match the primary email address for all users?

The answer is “it should,” or you might introduce some heartache for yourself, IT and help desk staff and, even worse, the end-user population. The Microsoft best practice for an optimal end-user experience is summarized below:

– The Office 365 login or UPN should match the primary email address
– The SfBO login or SIP name should match the UPN

Thus, UPN = Email = SIP.

Here is a sample table of the optimal configuration:

[Table image: sample optimal configuration]
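
One way to check accounts against the UPN = Email = SIP rule is sketched below in PowerShell (an added example, not part of the original article). The function name `Test-UpnAlignment` and the sample accounts are constructed, and it assumes the primary SMTP and SIP addresses are read from the `proxyAddresses` attribute.

```powershell
# Added example: flag accounts whose UPN, primary SMTP address and SIP address differ.
# Input objects mirror what Get-ADUser returns with -Properties proxyAddresses.

function Test-UpnAlignment {
    param([Parameter(ValueFromPipeline = $true)]$User)
    process {
        # Case-sensitive match: the upper-case "SMTP:" prefix marks the primary
        # address, while lower-case "smtp:" entries are secondary aliases.
        $smtpEntry = $User.proxyAddresses |
            Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
        # The SIP prefix is matched case-insensitively.
        $sipEntry = $User.proxyAddresses |
            Where-Object { $_ -like 'sip:*' } | Select-Object -First 1

        $smtp = if ($smtpEntry) { $smtpEntry.Substring(5) } else { $null }
        $sip  = if ($sipEntry)  { $sipEntry.Substring(4) }  else { $null }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            UPN            = $User.UserPrincipalName
            PrimarySmtp    = $smtp
            Sip            = $sip
            # Address comparison is case-insensitive.
            UpnMatchesSmtp = ($null -ne $smtp) -and ($User.UserPrincipalName -ieq $smtp)
            # No SIP entry on the object is treated as "nothing to compare".
            SipMatchesUpn  = ($null -eq $sip) -or ($User.UserPrincipalName -ieq $sip)
        }
    }
}

# Constructed sample accounts (not real users).
$sample = @(
    [pscustomobject]@{
        SamAccountName    = 'asmith'
        UserPrincipalName = 'asmith@example.com'
        proxyAddresses    = @('SMTP:asmith@example.com', 'smtp:alice@example.com', 'SIP:asmith@example.com')
    },
    [pscustomobject]@{
        SamAccountName    = 'bjones'
        UserPrincipalName = 'bjones@corp.example.com'
        proxyAddresses    = @('SMTP:bob.jones@example.com', 'SIP:bjones@corp.example.com')
    }
)

# Show only the accounts that break the rule.
$sample | Test-UpnAlignment |
    Where-Object { -not ($_.UpnMatchesSmtp -and $_.SipMatchesUpn) }

# Against a live directory (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties proxyAddresses | Test-UpnAlignment
```

Accounts reported with `UpnMatchesSmtp` set to false are the ones whose users will hit the sign-in mismatch described in the rest of this article.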

Alright, I get the picture. But what if the on-premises UPN cannot be changed to match the primary SMTP address due to a technical limitation or integration with a third-party application?

Great question. Fortunately, there are some options. One of those options is Office 365 Alternate ID which is supported in hybrid configurations but not recommended. In this article, we will focus on the end-user experience when the on-premises UPN doesn’t match the primary email address in a standard hybrid configuration. This should help you understand the impact to the end-user population and whether you should consider other options. We’ll cover Office 365 Alternate ID in a future article.

For this simulated scenario, the following table represents the configuration:

[Table image: configuration used for the simulated scenario]

All desktop application testing was conducted on a domain-joined workstation with the latest Office ProPlus applications. The on-premises Exchange and EXO were configured in a hybrid Exchange deployment. On-premises Lync/Skype was not included in this simulation. Azure AD Connect was configured for password synchronization. All mobile application testing was conducted on an iPhone (iOS device).

Office 365 ProPlus Sign-in and Activation

Office 365 ProPlus is a subscription-based license in Office 365 and requires the user to provide their sign-in to activate the Office suite. This also provides access to Office files stored in their OneDrive for Business personal share or SharePoint Online.

The subscription-based activation process checks in with the Office licensing service daily, which requires Internet connectivity. If a computer goes offline for more than 30 days, the activation process is triggered, requiring the user to sign in again to activate.

In the example below, the sign-in dialog asks the user for their email address.

image006

Here is the failed attempt to sign-in with the email address:

image007

Here is the second successful attempt where the user is required to change the email address to their Office 365 login:

image008

Office 365 End-User Impact: The initial dialog asks for the user’s email address to sign-in and activate Office. Users must be educated to recognize when to use their Office 365 login or their Office 365 email address.

Outlook Profile Creation

During the initial launch of Outlook on a fresh Windows profile, Outlook automatically configures the required settings to connect to the EXO mailbox. This requires authentication to EXO web services.

Typically, this is only required when on-boarding a new user or when the Outlook profile is recreated due to corruption or an upgrade/swap-out of the computer.

The email address is automatically populated for a domain-joined workstation where a user is logged in.

image010

Since the user is logged into the workstation, the UPN is automatically populated but differs from the email address. Clicking Remember my credentials will suppress authentication prompts until the user’s password is changed.

image011

Office 365 End-User Impact: So long as the computer is domain-joined, the UPN should be populated automatically. In many cases, users are accustomed to the DOMAIN\Username format, which won’t work for EXO mailboxes. Users must be educated to recognize when to use their Office 365 login or their Office 365 email address to log in to their mailbox.

Skype for Business

By default, the primary SIP address for SfBO is the Office 365 UPN. The primary SIP address should match the primary SMTP address as this is the address users would want to use for federation.

Here is the failed attempt to sign-in with the email address:

image012

Here is the second successful attempt where the user is required to change the email address to their Office 365 login:

image013

image014

Office 365 End-User Impact: Once the user attempts to sign-in with their email address, the Skype for Business client stores the last username value so users must manually update the username to the Office 365 login under Options. Users must be educated to recognize when to use their Office 365 login or their Office 365 email address.

Office 365 Portal Login

When logging into the Office 365 portal, Outlook.com, and other Microsoft cloud workloads, the Office 365 login is required, not the email address.

In the example below, the sign-in dialog asks for the username in the format of someone@example.com:

image015

Here is the failed attempt to sign-in with the email address:

image016

Here is the second successful attempt where the user is required to change the email address to their Office 365 login:

image017

Office 365 End-User Impact: The initial dialog asks the user for a username in the format of someone@example.com which might be mistaken for the email address. Users must be educated to recognize when to use their Office 365 login or their Office 365 email address.

Exchange ActiveSync (EAS)

For mobile devices using native mail applications to connect to EXO via EAS, the auto-configure wizard normally completes when users specify their email address and password. Since the UPN is different from the email address, there would be an additional wizard screen which would ask for both the email address and the UPN or Username for EXO (see screenshots below):

image019

Office 365 End-User Impact: For EAS configuration, the wizard screen on the right above requires the user to provide both their Office 365 email address and login. Users must be educated to recognize when to use their Office 365 login or their Office 365 email address. Typically, this is only required when on-boarding a new user or when the EAS profile is recreated due to a lost device or an upgrade/swap-out of the mobile device.

Mobile Office Applications

Office applications such as Outlook, Word, Excel, OneDrive, Skype for Business, PowerPoint, etc. are available as mobile applications. You must sign-in to these applications to access data in the Microsoft cloud.

In the example below, the sign-in dialog asks the user for their email address by default:

image020

Here is the failed attempt to sign-in with the email address:

image021

Here is the second successful attempt where the user is required to change the email address to their Office 365 login:

image022

Office 365 End-User Impact: The initial dialog asks for the user’s email address to sign in to Office mobile applications. Users must be educated to recognize when to use their Office 365 login or their Office 365 email address. This becomes an ongoing issue, as these mobile applications authenticate via web services and are more susceptible to timeouts than their desktop counterparts.

Summary

Hopefully this helps shed more light on the challenges end-users might face when the Office 365 email address (primary SMTP address) doesn’t match the Office 365 login (UPN). The major areas of concern from the findings of this article are summarized below:

  • Office subscription-based activation
    • Requires that the end-user “knows” they should provide their UPN rather than their email address to authenticate
  • Skype for Business
    • Default SIP address is the UPN in Office 365 (this can be changed manually)
    • Requires that the end-user “knows” they should provide the UPN to authenticate
  • Office 365 web portal
    • Requires that the end-user “knows” they should provide their UPN rather than their email address to authenticate
  • Exchange ActiveSync (EAS)
    • Automatic configuration of EAS profile requires input on a second screen
    • Requires that the end-user “knows” they should provide their UPN rather than their email address to authenticate
  • Office mobile applications
    • Requires that the end-user “knows” they should provide their UPN rather than their email address to authenticate

If you have any questions about this article or would like to discuss other options such as Office 365 Alternate ID, please feel free to contact me here.