I am writing this post as I had two customers that wanted to use alternate Login ID in Azure AD together with Intune and SCCM 2012 in a Hybrid deployment using SCCM as the MDM Authority. I found several blogs and a Wiki that described that this wasn’t supported and that unsupported scripting directly to the database in SCCM 2012.
The background to this is that when using SCCM in a Hybrid deployment as the MDM authority you must use a collection in SCCM containing the users that are allowed to enroll their devices. If you are using different UPN in your On-premise AD and Azure AD SCCM would not be able to match the user in Azure AD and therefor you could not enroll any devices.
One workaround was changing the UPN directly in the SCCM database so it matched the UPN used in Azure AD, for example e-mail address if that was used as UPN in Azure AD.
After some investigation those issues are now resolved by Microsoft and there is no changes required on the SCCM side as Intune tries to match the user using UPN and if that doesn’t work it tries the e-mail address and then it is solved basically.
I have successfully delivered two proof-of-concepts where e-mail address was used as UPN in Azure AD instead of the UPN in the On-premise AD and it has worked just great!
Thanks to Kerim and Saud at Microsoft for verifying and support!
One of the Wiki’s that mentioned this: http://social.technet.microsoft.com/wiki/contents/articles/24096.dirsync-using-alternate-login-ids-with-azure-active-directory.aspx is updated by Saud as well so that the information that there are issues with SCCM+Intune in hybrid using alternate Login IDs is removed as well.
- There are still some limitations with Office 365 and alternative login ID
- When using ADFS together with Alternate Login ID in Azure you need to configure ADFS to allow login using e-mail address as well as described here: https://technet.microsoft.com/en-us/library/dn659436.aspx (it will be updated as well to remove the information that Intune and SCCM has issues