
Azure Active Directory Gets SMS-based Authentication and Email Address Sign-In

Azure Active Directory (Azure AD) is the identity management platform used by Office 365, Microsoft 365, and of course Azure. Organizations can also use Azure AD as the identity provider for their own cloud-based applications. Microsoft provides several different ways for users to log in to Azure AD without a username and password. For example, users can sign in using the Microsoft Authenticator app or a FIDO2 security key.

Azure AD SMS-based authentication

Now in preview, Azure AD SMS-based authentication lets users sign in using their registered mobile phone number. Users receive a text message that they use to confirm their identity. Before you can use SMS-based authentication, all users enabled in an SMS-message authentication policy must be assigned one of the following licenses:

  • Azure AD Premium P1 or P2
  • Microsoft 365 (M365) F1 or F3
  • Enterprise Mobility + Security (EMS) E3 or E5 or Microsoft 365 (M365) E3 or E5

While SMS-based authentication is in preview, it can’t be used with multifactor authentication (MFA) or with native Office apps other than Teams. Text message sign-in isn’t enabled by default in Azure AD. You can enable it under Authentication methods in the Security section of the Azure AD management portal.

Azure Active Directory Gets SMS-based Authentication and Email Address Sign-In Preview (Image Credit: Russell Smith)



Users can register their mobile phone number on the My Sign-Ins page of their account profile. Alternatively, Azure AD global admins, authentication admins, and privileged authentication admins can assign a phone number to each user in the Azure portal.

Once SMS-based authentication is enabled and users have a mobile phone number registered in Azure, they can enter their phone number in the Sign in dialog instead of their username. All the user then needs to do is wait for the SMS code to arrive and enter it to confirm their identity.
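The article describes registering the phone number and enabling SMS sign-in through the portal. The script below is an added example, not from the article or from Microsoft, that does the same per-user steps through Microsoft Graph so an admin can script it for a batch of frontline users and read back whether the tenant policy actually allows SMS sign-in for that user. It assumes the Microsoft.Graph PowerShell module, an admin holding the UserAuthenticationMethod.ReadWrite.All scope, the Graph v1.0 phoneMethods endpoints, and a placeholder user and a constructed sample phone number.

```powershell
# Added example (not part of the article): assign a mobile number to one user and
# turn on SMS sign-in via Microsoft Graph, then read back the resulting state.
# Assumptions: Microsoft.Graph module installed; caller has the
# UserAuthenticationMethod.ReadWrite.All scope; v1.0 phoneMethods endpoints.

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All" | Out-Null

$userUpn        = "frontline.worker@contoso.example"          # placeholder UPN
$phoneNumber    = "+1 4255550100"                               # constructed sample; Graph expects "+<country> <number>"
$mobileMethodId = "3179e48a-750b-4051-897c-87b9720928f7"       # well-known id of the 'mobile' phone method

$base = "https://graph.microsoft.com/v1.0/users/$userUpn/authentication/phoneMethods"
$body = @{ phoneNumber = $phoneNumber; phoneType = "mobile" }

# A user may hold only one 'mobile' method: PATCH if it exists, otherwise POST a new one.
$existing = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
            Where-Object { $_.phoneType -eq "mobile" }
if ($existing) {
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$mobileMethodId" -Body $body | Out-Null
} else {
    Invoke-MgGraphRequest -Method POST  -Uri $base -Body $body | Out-Null
}

# Enable SMS sign-in for that number. The call succeeds only when the tenant-level
# SMS authentication method policy includes this user.
Invoke-MgGraphRequest -Method POST -Uri "$base/$mobileMethodId/enableSmsSignIn"

# Read back: smsSignInState shows whether the number is usable for sign-in ('ready')
# or why not (for example 'notAllowedByPolicy' or 'phoneNumberNotUnique').
$method = Invoke-MgGraphRequest -Method GET -Uri "$base/$mobileMethodId"
[pscustomobject]@{
    User           = $userUpn
    Phone          = $method.phoneNumber
    SmsSignInState = $method.smsSignInState
}
```

Run the block once per user, or wrap it in a loop over a list of UPNs. Because a phone number can be registered for SMS sign-in by only one account in the tenant, checking smsSignInState after the enable call is the quickest way to spot duplicates before users start calling the help desk.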

Azure Active Directory Gets SMS-based Authentication and Email Address Sign-In Preview (Image Credit: Microsoft)

Azure AD alternate email address sign-in

Also in preview, Microsoft now lets users sign in to Azure AD with an alternate email address. The idea is to help organizations move to hybrid authentication, which lets employees access both cloud and on-premises resources with a common user identity. Hybrid authentication is commonly achieved by synchronizing password hashes from Windows Server Active Directory to Azure AD using Azure AD Connect.

Azure Active Directory Gets SMS-based Authentication and Email Address Sign-In Preview (Image Credit: Microsoft)

But because there might be a mismatch between the User Principal Name (UPN) configured in Azure AD and the one in Windows Server Active Directory, users might still need to use different identities to log in to cloud apps and to on-premises AD. The UPN is a user’s login name in email address format. In some cases, businesses also don’t want to use their Windows Server AD UPN to sign in to Azure AD for compliance reasons.

When signing in with an alternate email address is enabled in Azure AD, the email address configured in the ProxyAddress attribute in Windows Server AD can be used to log in to cloud apps. The only requirement is that the domain of the email address specified in the ProxyAddress attribute is a verified domain in Azure AD.

Alternate email address login is controlled by the Azure AD HomeRealmDiscoveryPolicy. Creating a new policy or modifying an existing one is done using PowerShell. For instructions on how to enable alternate email login in Azure AD, check out Microsoft’s website here.
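As an added example, not code from the article or from Microsoft's documentation, the script below does the two things the previous paragraphs describe: it first checks that every SMTP address in a user's ProxyAddresses sits in a domain that Azure AD has verified (an address in an unverified domain will simply not work for sign-in), and then creates or updates the tenant-default HomeRealmDiscoveryPolicy so that AlternateIdLogin is enabled. It assumes the AzureAD PowerShell module, a Global Administrator session, and a placeholder user UPN and policy display name; the JSON definition shape is the one Microsoft documents for this policy.

```powershell
# Added example (not part of the article): pre-check proxy address domains, then
# enable alternate email (AlternateIdLogin) sign-in via HomeRealmDiscoveryPolicy.
# Assumptions: AzureAD module; Global Administrator; placeholder UPN below.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$userUpn = "jane.doe@corp.contoso.example"   # placeholder

# 1. Pre-check: each SMTP proxy address must be in a domain verified in Azure AD.
$user            = Get-AzureADUser -ObjectId $userUpn
$verifiedDomains = (Get-AzureADDomain | Where-Object { $_.IsVerified }).Name
foreach ($addr in $user.ProxyAddresses) {
    # Entries look like "SMTP:primary@domain" or "smtp:alias@domain"; skip SIP:/X500: etc.
    if ($addr -notmatch '^smtp:([^@]+)@(.+)$') { continue }
    $mailbox = $Matches[1]; $domain = $Matches[2]
    $ok = $verifiedDomains -contains $domain
    "{0}@{1,-30} verified domain: {2}" -f $mailbox, $domain, $ok
}

# 2. Create or update the organization-default HomeRealmDiscoveryPolicy.
$policy = Get-AzureADPolicy |
          Where-Object { $_.Type -eq "HomeRealmDiscoveryPolicy" -and $_.IsOrganizationDefault }

if ($policy) {
    # Merge into the existing definition so other HRD settings (e.g. federation
    # acceleration) are preserved rather than overwritten.
    $def = $policy.Definition[0] | ConvertFrom-Json
    if (-not $def.HomeRealmDiscoveryPolicy) {
        $def | Add-Member -NotePropertyName HomeRealmDiscoveryPolicy -NotePropertyValue ([pscustomobject]@{})
    }
    $def.HomeRealmDiscoveryPolicy |
        Add-Member -NotePropertyName AlternateIdLogin -NotePropertyValue ([pscustomobject]@{ Enabled = $true }) -Force
    Set-AzureADPolicy -Id $policy.Id -Definition @(($def | ConvertTo-Json -Depth 10 -Compress))
} else {
    $definition = '{"HomeRealmDiscoveryPolicy":{"AlternateIdLogin":{"Enabled":true}}}'
    New-AzureADPolicy -Definition @($definition) `
                      -DisplayName "AlternateIdLoginPolicy" `
                      -IsOrganizationDefault $true `
                      -Type "HomeRealmDiscoveryPolicy" | Out-Null
}

# 3. Verify what the tenant now enforces.
(Get-AzureADPolicy | Where-Object { $_.Type -eq "HomeRealmDiscoveryPolicy" }).Definition
```

The merge step matters in practice: HomeRealmDiscoveryPolicy is a single JSON document per tenant, so replacing it wholesale to add AlternateIdLogin would silently drop any AccelerateToFederatedDomain or AllowCloudPasswordValidation settings an earlier admin put there. Changes to this policy can take some time to propagate, so re-run step 3 rather than assuming the first sign-in attempt reflects the new state.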

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.