Logging into Azure Active Directory without a Domain Name

Question

We're looking to use Azure Active Directory as our user store for an external-facing application. Currently, our MVC/C# 4.5 app (using WIF) is authenticating against an on-premise ADFS 2.0 proxy/server via passive federation and we'd like to "port" this up to Azure. The way we're going about this, we're having ACS sit between AAD and our application such that ACS is replacing ADFS and AAD is replacing Active Directory (on prem).

From a technical standpoint, we have this working. However, we have a major problem in that users must login with not just their username but also the domain name. It's unreasonable (and simply a deal-breaker) to force a fictitious email address on our users as their username.

Is there some way to set this up such that the user need not type in a domain name? In our case, we have only one Identifying Party behind ACS: the one AAD directory. So we always know in advance what the domain name should be.

Thanks in advance!

Answer 1

Are you wanting users to authenticate against Windows Azure AD using only their username (e.g. "mcollier") and not their full account name (e.g. "mcollier@mytenant.onmicrosoft.com)? If so, I do not believe that is currently possible.

If I'm understanding correctly, the app is using ACS as a federation provider to Windows Azure AD. And only Windows Azure AD, correct? If only using one identity provider, what benefit is ACS providing in this scenario?

Is the goal to have the same users in Windows Azure AD as on-premises Windows Server AD? If so, leveraging the new DirSync w/ password hash sync enabled should do the trick.

Answer 2

I could suggest one work around for that. You could display a screen for them to type username only. Once you get the username, you can send username@mytenant.onmicrosoft.com with login_hint parameter in the authorization url. It will fill in the username, so they will only type username without email part.