I'm currently planning a tenant-wide domain change in Microsoft Entra ID (Azure AD) as part of our company rebranding. We're keeping the old domain as an alias, but on launch day, we need all users to start logging in with the new domain (@newcompany.com). We're running into a bit of a bind since many of our third-party applications require the primary email to match exactly and don't support email alias logins. This means that we'll have to manually update login emails across each app one by one after the switch, and that sounds like a logistical nightmare, especially for our small team with limited resources. We're eager to avoid any user lockouts or other major login issues during the cutover. If anyone has experience with a similar rebrand and identity switch, or knows of any best practices or clever workarounds, I'd really appreciate your advice!
1 Answer
You shouldn't be using email or UPN as the primary identifier for OIDC SSO. Instead, utilize the OID claim, which won't change. For SAML, identify the apps causing issues and implement a regex replace to swap the domains on any problematic claims. This way, you can ensure compatibility without needing to update everything immediately.
Thanks for the input! Do you mind if I follow up with some questions later?
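An added illustration of the two points in the answer above, not code from the thread or from Microsoft: a relying party that links local accounts on the immutable `oid` claim (so a UPN/email change on cutover day is just a profile refresh, not a lost account), and a model of the SAML claim-transformation idea, an anchored regex that swaps only the domain suffix. Entra's SAML claims configuration offers a RegexReplace transformation; the Python here only models that logic for testing and is not the Entra feature itself. All user ids, domains and the `app_keyed_on_old_domain` flag are constructed assumptions.

```python
import re

# Constructed sample domains for the rebrand scenario (not real tenant data).
OLD_DOMAIN = "oldcompany.com"
NEW_DOMAIN = "newcompany.com"


class UserStore:
    """Relying-party account store keyed on the Entra object id (oid).

    The oid is stable across UPN/email changes, so the link between the
    Entra identity and the local account survives the domain cutover.
    """

    def __init__(self):
        self._by_oid = {}

    def upsert_from_oidc(self, claims):
        """Link or refresh a local account from an ID token's claims.

        Refuses to fall back to email/UPN matching when oid is absent, because
        a mutable identifier is exactly what breaks during a rebrand.
        """
        oid = claims.get("oid")
        if not oid:
            raise ValueError("ID token lacks oid claim; refusing to map by email/UPN")
        record = self._by_oid.setdefault(oid, {"oid": oid})
        # Mutable attributes are refreshed on every login, never used as the key.
        record["upn"] = claims.get("preferred_username")
        record["email"] = claims.get("email")
        return record

    def lookup(self, oid):
        return self._by_oid.get(oid)


def rewrite_domain_claim(value, old_domain, new_domain):
    """Model of a RegexReplace claim transformation.

    Swaps the domain suffix only when the value is exactly local@old_domain
    (anchored, case-insensitive). Values on other domains, or on look-alike
    domains such as old_domain.evil.example, are passed through untouched.
    """
    pattern = re.compile(
        r"^(?P<local>[^@]+)@" + re.escape(old_domain) + r"$", re.IGNORECASE
    )
    return pattern.sub(lambda m: f"{m.group('local')}@{new_domain}", value)


def saml_name_id_for_app(claims, app_keyed_on_old_domain):
    """Choose the NameID value to send to a SAML app during a phased cutover.

    Users now sign in as user@NEW_DOMAIN. An app that still keys accounts on
    the old email (hypothetical flag app_keyed_on_old_domain) keeps receiving
    user@OLD_DOMAIN via the claim rewrite until it has been migrated; an app
    already updated receives the UPN as-is.
    """
    upn = claims["preferred_username"]
    if app_keyed_on_old_domain:
        return rewrite_domain_claim(upn, NEW_DOMAIN, OLD_DOMAIN)
    return upn


if __name__ == "__main__":
    store = UserStore()
    oid = "00000000-0000-0000-0000-000000000001"  # constructed sample oid
    before = {"oid": oid, "preferred_username": f"alice@{OLD_DOMAIN}", "email": f"alice@{OLD_DOMAIN}"}
    after = {"oid": oid, "preferred_username": f"alice@{NEW_DOMAIN}", "email": f"alice@{NEW_DOMAIN}"}
    store.upsert_from_oidc(before)
    store.upsert_from_oidc(after)
    print("account survived cutover:", store.lookup(oid))
    print("legacy SAML app sees:", saml_name_id_for_app(after, app_keyed_on_old_domain=True))
    print("migrated SAML app sees:", saml_name_id_for_app(after, app_keyed_on_old_domain=False))
```

The `oid`-keyed store means the OIDC apps need no per-user edits on launch day, and the anchored rewrite is what keeps a not-yet-migrated SAML app from silently creating a second account under the new address or accepting a look-alike domain.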