Home realm discovery during sign-in for Microsoft 365 services
Posted on 10 April 2019
We are changing our Azure Active Directory (Azure AD) sign-in page behaviour to make room for new authentication methods and improve usability. During sign-in, Azure AD determines where a user needs to authenticate. Azure AD makes intelligent decisions by reading organisation and user settings for the username entered on the sign-in page. This is a step towards a password-free future that enables additional credentials such as FIDO 2.0. This change will be aimed at managed domains initially and will be rolled out in May 2019, but won’t be rolled out to federated domains until the end of 2019. The exact roll-out dates for federated domains depend on customer feedback.
In traditional home realm discovery, an Azure Active Directory user could mistype their username but would still arrive at their organisation’s credential collection screen. This occurs when the user correctly provides the organisation’s domain name. This behaviour does not provide the granularity to customise experiences for an individual user. In the new Azure AD sign-in behaviour, Azure Active Directory will check whether the username entered on the sign-in page exists in the specified domain before redirecting the user to provide their credentials.
In addition to the improved sign-in user experience, this change includes mechanisms that can help mitigate the abuse of large-scale username enumeration, and smarter and more relevant error messages. For more details on the features, see Home realm discovery for Azure Active Directory sign-in pages.
If you or your organisation have practices that depend on the old behaviour, it is important to update employee sign-in and authentication documentation and to train employees to use their Azure Active Directory username to sign in.