Home realm discovery during sign-in for Microsoft 365 services
Posted on 10 April 2019
We are changing our Azure Active Directory (Azure AD) sign-in page behaviour to make room for new authentication methods and improve usability. During sign-in, Azure AD determines where a user needs to authenticate. Azure AD makes this decision by reading organisation and user settings for the username entered on the sign-in page. This is a step towards a password-free future that enables additional credentials such as FIDO 2.0. This change initially targets managed domains and begins rolling out in May 2019; roll-out to federated domains will not start before the end of 2019. The exact roll-out dates for federated domains depend on customer feedback.
In traditional home realm discovery, an Azure Active Directory user could mistype their username but would still arrive at their organisation's credential collection screen, as long as the organisation's domain name was entered correctly. This behaviour does not allow the granularity to customise experiences for an individual user. In the new Azure AD sign-in behaviour, Azure Active Directory will check whether the username entered on the sign-in page exists in the specified domain before redirecting the user to provide their credentials.
In addition to the improved sign-in user experience, this change includes mechanisms that can help mitigate large-scale username enumeration abuse, as well as smarter and more relevant error messages. For more details on the features, see Home realm discovery for Azure Active Directory sign-in pages.
If you or your organisation have practices that depend on the old behaviour, it is important to update employee sign-in and authentication documentation and to train employees to use their Azure Active Directory username to sign in.