
Login with the email address (alternate login ID) renames Moodle user #2389

Closed
lukaslangkissC02 opened this issue Oct 13, 2023 · 3 comments · Fixed by #2459 or #2460
Labels: Feature - SSO; Feature - user sync; Issue type - help wanted (General questions on how to use the plugins, e.g. configurations etc.); Plugin - auth_oidc; Plugin - local_o365; Status - PR ready / pending release (Dev is done and PR ready. Will be included in the next release.); Triaging status - triaged (A ticket has been created accordingly in the maintainers' ticket system.)

Comments

@lukaslangkissC02

We have enabled the Microsoft Entra ID feature that allows users to sign in with an email address. (https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-email-signin#enable-user-sign-in-with-an-email-address)

If we enable the plugin feature "Support Microsoft account UPN change", Moodle users will be renamed when they log in with one of their email addresses, even though the UPN has not changed.

Example:
UPN: 12345@domain.com
Alternate email address: firstname.lastname@domain.com

The Moodle user is created by the task "Sync users with Azure AD" (\local_o365\task\usersync) with the username 12345@domain.com and matched to his Microsoft 365 user (OpenID Connect). If the user logs in with firstname.lastname@domain.com, then the Moodle user will be renamed. Therefore, the plugin does not correctly detect the change of UPN.

@weilai-irl weilai-irl self-assigned this Jan 18, 2024
@weilai-irl weilai-irl added Issue type - help wanted General questions on how to use the plugins, e.g. configurations etc. Triaging status - triaged A ticket has been created accordingly in the maintainers' ticket system. Feature - user sync Plugin - auth_oidc Plugin - local_o365 Feature - SSO labels Jan 18, 2024
@weilai-irl
Collaborator

Hi @lukaslangkissC02

Thank you for reporting the issue.

First of all, I confirm I can recreate the issue in my test.

I did a bit of investigation to see if this is something that is technically feasible to fix, and unfortunately it's infeasible. This happens when using the "Microsoft Identity Platform (v2.0)" connection method with the "Email as an alternate login ID" Azure configuration enabled. When using the v2.0 connection method, the auth_oidc plugin uses the preferred_username claim in the token to determine the username of a Microsoft user. In my test, when the "Email as an alternate login ID" configuration is enabled and the Microsoft user logs in using email rather than username, this claim contains the email address. I checked other claims as well and none contains the actual username of the Microsoft account. I also checked if there's any claim that can tell whether the login is using email or username, and I didn't find any.

By contrast, when using the "Azure AD (v1.0)" connection method, the auth_oidc plugin uses the upn claim as the preferred source of the Microsoft account username, and it always contains the actual username of the account, regardless of whether the user logs in using username or email address.

So to conclude, there is nothing that can be done in the auth_oidc plugin to prevent auth_oidc from renaming the Moodle user if:

  1. "Microsoft Identity Platform (v2.0)" is configured as connection method, and
  2. "Email as an alternate login ID" configuration in Azure is turned on, and
  3. "Support Microsoft account UPN change" configuration in Moodle is enabled, and
  4. The Microsoft user logs in using email address rather than username.

The best I can do is to include a note in the documentation of the plugins, in the section about the "Support Microsoft account UPN change" configuration, to highlight the potential risk.

If you have other ideas, please let me know. Otherwise the issue will be closed in the next few days.

Regards,
Lai
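The claim behaviour described in the comment above can be checked against captured ID tokens during log review. The script below is an added example for this thread; it is not code from auth_oidc, local_o365 or any participant. It mirrors the rule the comment states (v1.0 takes upn first, v2.0 takes preferred_username), decodes a token payload without verifying it, and reports whether the "Support Microsoft account UPN change" setting would rename a stored Moodle user. The tokens are constructed, unsigned JWTs built inline; the function names, the case-insensitive comparison and the payload-only decoding are assumptions made for the example, not plugin behaviour.

```python
import base64
import json
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT (alg=none) for offline illustration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."  # empty signature segment


def decode_jwt_payload(token: str) -> dict:
    """Return the claims in a JWT payload WITHOUT verifying the signature.

    Suitable for reviewing tokens already captured in logs; never base an
    authentication decision on an unverified payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def username_from_claims(claims: dict, connection_method: str) -> Optional[str]:
    """Username the plugin derives, per the thread: v1.0 prefers the upn
    claim, v2.0 uses preferred_username (assumed fallback order for v1.0)."""
    if connection_method == "v1.0":
        return claims.get("upn") or claims.get("preferred_username")
    if connection_method == "v2.0":
        return claims.get("preferred_username")
    raise ValueError(f"unknown connection method: {connection_method}")


def audit_login(stored_username: str, token: str, connection_method: str,
                upn_change_support: bool) -> dict:
    """Report the username the plugin would derive and whether a rename of
    the stored Moodle user would be triggered (case-insensitive compare is
    an assumption of this example)."""
    claims = decode_jwt_payload(token)
    derived = username_from_claims(claims, connection_method)
    would_rename = bool(
        upn_change_support
        and derived is not None
        and derived.casefold() != stored_username.casefold()
    )
    return {"derived_username": derived, "would_rename": would_rename}


# Constructed sample data matching the issue's example account.
STORED_USERNAME = "12345@domain.com"
# v2.0 token after the user signed in with the alternate email address
TOKEN_V2_EMAIL_LOGIN = make_unsigned_jwt({"preferred_username": "firstname.lastname@domain.com"})
# v2.0 token after the user signed in with the UPN
TOKEN_V2_UPN_LOGIN = make_unsigned_jwt({"preferred_username": "12345@domain.com"})
# v1.0 token: upn carries the account's UPN regardless of how the user signed in
TOKEN_V1_EMAIL_LOGIN = make_unsigned_jwt({"upn": "12345@domain.com"})


if __name__ == "__main__":
    cases = [
        ("v2.0, email login", TOKEN_V2_EMAIL_LOGIN, "v2.0"),
        ("v2.0, UPN login", TOKEN_V2_UPN_LOGIN, "v2.0"),
        ("v1.0, email login", TOKEN_V1_EMAIL_LOGIN, "v1.0"),
    ]
    for label, token, method in cases:
        result = audit_login(STORED_USERNAME, token, method, upn_change_support=True)
        print(f"{label}: derived={result['derived_username']} rename={result['would_rename']}")
```

Running the script shows the combination the comment warns about: only the v2.0 token from an email sign-in yields a derived username that differs from the stored one, so a rename fires even though the account's UPN never changed. Feeding real tokens through `audit_login` with the site's actual connection method and setting gives a quick way to confirm exposure before enabling "Support Microsoft account UPN change".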

@weilai-irl
Collaborator

Hi again @lukaslangkissC02

Slight change of plan - the documentation change will be made within the local_o365 plugin, in the description of the "Support Microsoft account UPN change" settings. This will be included in the next release.

Regards,
Lai

@weilai-irl
Collaborator

Hi all,

The proposed changes in configuration settings have been included in the releases from today.

Thank you very much for reporting the issue.

Regards,
Lai
