Home realm discovery during sign-in for Microsoft 365 services
Posted on Wednesday, April 10, 2019
We are changing our Azure Active Directory (Azure AD) sign-in page behavior to make room for new authentication methods and improve usability. During sign-in, Azure AD determines where a user needs to authenticate. Azure AD makes intelligent decisions by reading organization and user settings for the username entered on the sign-in page. This is a step towards a password-free future that enables additional credentials like FIDO 2.0. This change is initially targeted for managed domains and begins rolling out in May 2019, but won't start rolling out to federated domains by the end of 2019. The exact roll-out dates for federated domains depend on customer feedback.
In traditional home realm discovery, an Azure Active Directory user could mistype their username but would still arrive at their organization's credential collection screen. This occurs because routing is based only on the domain part of the username: as long as the user provides the organization's domain name correctly, they are sent to that organization's sign-in experience. This behavior does not allow the granularity to customize experiences for an individual user. In the new Azure AD sign-in behavior, Azure Active Directory will check whether the username entered on the sign-in page exists in the specified domain before redirecting the user to provide their credentials.
In addition to the improved sign-in user experience, this change includes mechanisms that can help mitigate the abuse of large-scale username enumeration, and smarter and more relevant error messages. For more details on the features, see Home realm discovery for Azure Active Directory sign-in pages.
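To make the difference between the two behaviors concrete, the following Python sketch is an added illustration and not Microsoft's code or a description of how Azure AD is implemented internally. It models a tiny directory with one managed and one federated domain (constructed sample data), a `legacy_hrd` function that routes on the domain alone, and a `NewHrd` class that only routes once the username is confirmed to exist in that domain. The per-source lookup cap in `NewHrd` is an assumed, generic way to keep an existence check from becoming a free enumeration oracle; the page does not say which mechanisms Azure AD actually uses.

```python
from collections import defaultdict

# Constructed sample tenant data for illustration only (not real tenants or users):
# domain -> domain type and the set of local-part usernames that exist in it.
DIRECTORY = {
    "contoso.example": {"type": "managed", "users": {"alice", "bob"}},
    "fabrikam.example": {"type": "federated", "users": {"carol"}},
}


def split_upn(username):
    """Return (local_part, domain) for a UPN-style username, or None if malformed."""
    if username.count("@") != 1:
        return None
    local, domain = username.strip().lower().split("@")
    if not local or not domain:
        return None
    return local, domain


def legacy_hrd(username):
    """Traditional home realm discovery: route on the domain part only.

    A mistyped local part ('alcie' instead of 'alice') still lands on the
    organization's credential collection screen because only the domain is checked.
    """
    parts = split_upn(username)
    if parts is None:
        return {"route": "error", "reason": "malformed username"}
    _, domain = parts
    org = DIRECTORY.get(domain)
    if org is None:
        return {"route": "error", "reason": "unknown domain"}
    return {"route": f"{org['type']}_credentials", "domain": domain}


class NewHrd:
    """New behavior: confirm the username exists in its domain before redirecting.

    Because an existence check answers 'does this account exist?', the class also
    caps lookups per source address. That cap is an assumed illustration of an
    enumeration mitigation, not Azure AD's actual mechanism.
    """

    def __init__(self, max_lookups_per_source=5):
        self.max_lookups = max_lookups_per_source
        self.lookups = defaultdict(int)

    def resolve(self, username, source_ip):
        self.lookups[source_ip] += 1
        if self.lookups[source_ip] > self.max_lookups:
            return {"route": "throttled"}
        parts = split_upn(username)
        if parts is None:
            return {"route": "error", "reason": "malformed username"}
        local, domain = parts
        org = DIRECTORY.get(domain)
        if org is None or local not in org["users"]:
            # Unknown domain and unknown user in a known domain get the same answer,
            # so the response shape alone does not distinguish the two cases.
            return {"route": "error", "reason": "account not found"}
        return {"route": f"{org['type']}_credentials", "domain": domain}


if __name__ == "__main__":
    # Same mistyped username, two different outcomes.
    print("legacy:", legacy_hrd("alcie@contoso.example"))
    print("new:   ", NewHrd().resolve("alcie@contoso.example", "10.0.0.1"))
```

Running the block shows the legacy path sending `alcie@contoso.example` to the managed credential screen, while the new path reports that the account was not found; a correctly typed `carol@fabrikam.example` is routed to the federated credential screen in both models.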
If you or your organization have practices that depend on the old behavior, it is important to update employee sign-in and authentication documentation and to train employees to use their Azure Active Directory username to sign in.