Inconvenient duplicate accounts in People Picker with multiple Claims Providers

More and more customers are integrating their on-premises SharePoint farm with Azure Active Directory. The AzureCP solution makes this fairly easy: it installs a custom claims provider, and you configure it from a settings page in Central Administration. There is a good installation article that explains how to set it all up.

Web Application Authentication Providers

When you enable the Trusted Identity Provider for Azure AD on the web application together with Windows Authentication (which the Search crawl account still requires on the Default zone), you will see the following:

[Screenshot: Configuring your authentication providers]

Notice that the sign-in page URL is also set to a custom one. This redirects users to the Microsoft sign-in page for Azure AD:

[Screenshot: Azure AD sign-in page]

People Picker

The configuration above affects the People Picker: the same account may appear more than once, especially when Azure AD Connect synchronizes your local Active Directory to Azure AD.

[Screenshot: People Picker showing the same user twice]

One entry comes from the local Windows Active Directory (the built-in AD claims provider) and the other from Azure Active Directory (AzureCP). This is very inconvenient for end users, and the two entries are not interchangeable: SharePoint stores permissions against the encoded claim, so a Windows identity such as i:0#.w|domain\user and the Azure AD identity claim of the same person are two different principals. A user who picks the wrong one grants permissions to an identity the person may never sign in with, and the person then cannot reach the content.
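To see how widespread the problem already is on a site, the following added example (not code from the original post or from AzureCP) decodes the encoded claims SharePoint stores in UserLogin and groups entries that refer to the same person under two different identity providers. The trusted issuer name "azurecp", the CONTOSO accounts and the site URL are assumptions; the sample objects are constructed so the script runs offline, and the last line shows how to feed it a real site.

```powershell
# Added example, not part of the original post. Decodes SharePoint encoded
# claims and reports people who were granted permissions under both a local
# AD identity and an Azure AD identity. Issuer name "azurecp" and the
# CONTOSO accounts below are assumptions.

function ConvertFrom-SPEncodedClaim {
    # Parses the encoded-claim format used in SPUser.UserLogin,
    # e.g. i:0#.w|CONTOSO\alice  or  i:05.t|azurecp|alice@contoso.com
    param([Parameter(Mandatory)][string]$EncodedClaim)

    if ($EncodedClaim -notmatch '^([ic]):0(.)\.(.)\|(.+)$') {
        return [pscustomobject]@{ Raw = $EncodedClaim; IsClaim = $false; IsIdentity = $false }
    }
    $isIdentity    = ($Matches[1] -eq 'i')   # i = identity claim, c = other claim (group, role)
    $claimTypeChar = $Matches[2]
    $issuerChar    = $Matches[3]
    $rest          = $Matches[4]

    # Original issuer: w = Windows, t = trusted identity provider, f = forms
    $issuerType = switch ($issuerChar) { 'w' { 'Windows' } 't' { 'Trusted' } 'f' { 'Forms' } default { 'Other' } }
    # Claim type: # = logon name, 5 = e-mail, e = UPN, - = role, + = group SID
    $claimType  = switch ($claimTypeChar) { '#' { 'LogonName' } '5' { 'Email' } 'e' { 'UPN' } '-' { 'Role' } '+' { 'GroupSid' } default { 'Other' } }

    if ($issuerType -eq 'Windows') {
        $provider = 'AD'; $value = $rest
    } else {
        # Trusted and forms claims carry the provider name before the value.
        $provider, $value = $rest -split '\|', 2
    }
    [pscustomobject]@{
        Raw        = $EncodedClaim
        IsClaim    = $true
        IsIdentity = $isIdentity
        ClaimType  = $claimType
        IssuerType = $issuerType
        Provider   = $provider
        Value      = $value
    }
}

function Find-DuplicatePrincipals {
    # Groups SPUser-like objects (UserLogin, Email) that refer to the same person.
    # Key: the e-mail address when SharePoint has one, otherwise the account part
    # of the login (alice from CONTOSO\alice or alice@contoso.com). This is a
    # heuristic that assumes Azure AD Connect keeps those attributes aligned.
    param([Parameter(Mandatory)][object[]]$Users)

    $keyed = foreach ($u in $Users) {
        $c = ConvertFrom-SPEncodedClaim -EncodedClaim $u.UserLogin
        if (-not $c.IsIdentity) { continue }      # skip groups, roles and non-claim logins
        $key = if ($u.Email) { $u.Email.ToLowerInvariant() }
               else { ($c.Value -replace '^.*\\', '' -replace '@.*$', '').ToLowerInvariant() }
        [pscustomobject]@{ Key = $key; Login = $u.UserLogin; Issuer = $c.IssuerType }
    }
    $keyed | Group-Object Key |
        Where-Object { ($_.Group.Issuer | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Person = $_.Name; Logins = ($_.Group.Login -join ' ; ') } }
}

# Constructed sample: what Get-SPUser might return after users picked both entries.
$sample = @(
    [pscustomobject]@{ UserLogin = 'i:0#.w|CONTOSO\alice';             Email = 'alice@contoso.com' }
    [pscustomobject]@{ UserLogin = 'i:05.t|azurecp|alice@contoso.com'; Email = 'alice@contoso.com' }
    [pscustomobject]@{ UserLogin = 'i:0#.w|CONTOSO\bob';               Email = 'bob@contoso.com'   }
    [pscustomobject]@{ UserLogin = 'c:0+.w|s-1-5-21-1234567890-500';   Email = ''                  }  # AD group SID
    [pscustomobject]@{ UserLogin = 'i:0#.w|CONTOSO\svc_crawl';         Email = ''                  }
)
Find-DuplicatePrincipals -Users $sample | Format-Table -AutoSize

# Against a real site (SharePoint Management Shell, farm administrator; URL is an assumption):
# Find-DuplicatePrincipals -Users (Get-SPUser -Web "https://intranet.contoso.com" -Limit All)
```

On the constructed sample only alice is reported, with her Windows login and her Azure AD login side by side; bob, the service account and the group SID are left alone. Run against a real site, the output tells you which permission entries to clean up before hiding the AD provider.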

Hiding a Claims Provider

It is possible to hide a claims provider: not disable it, just make it invisible in the People Picker. This can be done with PowerShell, run from the SharePoint Management Shell as a farm administrator:

$cpm = Get-SPClaimProviderManager            # farm-wide claim provider manager
$cp  = Get-SPClaimProvider -Identity "AD"    # built-in Windows Active Directory claim provider
$cp.IsVisible = $false                       # hide it from the People Picker; it stays enabled
$cpm.Update()                                # persist the change to the farm

This hides the Windows Authentication provider (local Active Directory) in the People Picker, so user accounts from local AD are no longer offered. Two things to keep in mind: the setting is farm-wide, so it also applies to web applications that only use Windows authentication, and it only changes what the picker shows. Permissions already granted to local AD accounts keep working, and Windows authentication itself (including the crawl account) is unaffected. To show the provider again, set IsVisible back to $true and call Update() once more.
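The one-liner above works, but on a production farm you want pre-checks, verification that the change persisted, and an easy way back. The following added example (not from the original post or from AzureCP) wraps the same steps in a script that reports every claim provider before and after, refuses to hide the provider when no trusted identity token issuer exists, re-reads the value from the farm, and reverts with -Show. It assumes the SharePoint Management Shell and farm administrator rights; "AD" is the name of the built-in Active Directory claim provider.

```powershell
# Added example, not part of the original post. Hides (or re-shows with -Show)
# a claim provider with pre-checks and verification. Assumes the SharePoint
# PowerShell snap-in and farm administrator rights.
param(
    [string]$ProviderName = "AD",   # built-in Windows Active Directory claim provider
    [switch]$Show                   # revert: make the provider visible again
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-ClaimProviderReport {
    # Farm-wide view: IsVisible applies to every web application in the farm.
    Get-SPClaimProvider | Select-Object DisplayName, IsEnabled, IsVisible, IsUsedByDefault
}

function Set-ClaimProviderVisibility {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][bool]$Visible)

    $cpm = Get-SPClaimProviderManager
    $cp  = Get-SPClaimProvider -Identity $Name -ErrorAction SilentlyContinue
    if (-not $cp) { throw "Claim provider '$Name' not found in this farm." }
    if (-not $cp.IsEnabled) {
        Write-Warning "'$Name' is disabled; visibility only matters once it is enabled."
    }

    # Hiding AD only makes sense when users have another identity provider to pick from.
    if (-not $Visible -and -not (Get-SPTrustedIdentityTokenIssuer)) {
        throw "No trusted identity token issuer is configured; refusing to hide '$Name'."
    }

    if ($cp.IsVisible -eq $Visible) {
        Write-Host "'$Name' already has IsVisible = $Visible; nothing to do."
        return $cp.IsVisible
    }

    $cp.IsVisible = $Visible      # hide/show in the People Picker; authentication is untouched
    $cpm.Update()                 # persist farm-wide

    # Re-read from the farm instead of trusting the in-memory object.
    $after = (Get-SPClaimProvider -Identity $Name).IsVisible
    if ($after -ne $Visible) { throw "Update did not persist: IsVisible is still $after." }
    Write-Host "'$Name' IsVisible is now $after (farm-wide). Existing permissions for its accounts keep working."
    return $after
}

Write-Host "Before:"
Get-ClaimProviderReport | Format-Table -AutoSize

Set-ClaimProviderVisibility -Name $ProviderName -Visible ([bool]$Show) | Out-Null

Write-Host "After:"
Get-ClaimProviderReport | Format-Table -AutoSize
```

Run it once without parameters to hide the AD provider and with -Show to bring it back. Because the flag is farm-wide, try it on a test farm first and check the People Picker on any web application that uses Windows authentication only.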

Good luck!
