This is a simple thing I get asked about from time to time. Frequently, there is a requirement for users to be able to login to the Forefront Identity Manager (FIM) portal with an email address that does not have the same domain as the AD domain the portal is authenticating to.

The implementation of this is so simple, just create an attribute flow from the EmailAddress to the userPrincipalName. That should do it.