The User Principal Name (UPN) attribute is an Internet communication standard for user accounts. A UPN consists of a prefix (user account name) and a suffix (DNS domain name). The prefix is joined to the suffix with the "@" symbol, for example, someone@example.com. Ensure that the UPN is unique among the security principal objects in the directory forest.
Note
This article assumes that the UPN is the user ID. It covers planning UPN changes and recovering from problems that may arise as a result of the changes. We recommend that developers use the user object ID as an immutable ID instead of a UPN or email address.
UPNs and their changes
Login pages often ask users to enter an email address when the value is their UPN. Therefore, you should change a user's UPN when their primary email address changes. A user's primary email address can change because of:
- Rebranding
- The employee moves to another department
- Mergers and acquisitions
- Changing the employee's name
Types of UPN Changes
You can change the prefix, the suffix, or both.
- Change the prefix:
  - BSimon@contoso.com becomes BJohnson@contoso.com
  - Bsimon@contoso.com becomes Britta.Simon@contoso.com
- Change the suffix:
  - Britta.Simon@contoso.com becomes Britta.Simon@contosolabs.com, or
  - Britta.Simon@corp.contoso.com becomes Britta.Simon@labs.contoso.com
We recommend changing a user's UPN when their primary email address changes. During the initial synchronization from Active Directory to Azure AD, verify that users' email addresses match their UPNs.
UPNs in Active Directory
In Active Directory, the default UPN suffix is the DNS name of the domain where the user account was created. In most cases, you register this domain name as a business domain. If you create a user account in the contoso.com domain, the default UPN is username@contoso.com. However, you can add more UPN suffixes using Active Directory Domains and Trusts. Find out more: Add a custom domain name using the Azure portal.
For example, if you add labs.contoso.com and change the user's UPN and email address to reflect that, the result is username@labs.contoso.com.
Important
If you change the suffix in Active Directory, add and verify the corresponding custom domain name in Azure AD. Find out more: Add a custom domain name using the Azure Active Directory portal
UPNs in Azure Active Directory
Users sign in to Azure AD using the value of the userPrincipalName attribute.
When you use Azure AD with Active Directory in the on-premises environment, user accounts are synchronized using Azure AD Connect. The Azure AD Connect wizard uses the userPrincipalName attribute from the on-premises Active Directory as the UPN in Azure AD. You can change it to another attribute in a custom installation.
Note
Define the procedure for updating the user name (UPN) for a user or organization.
When synchronizing user accounts from Active Directory to Azure AD, ensure that UPNs in Active Directory are mapped to validated domains in Azure AD.
If the value of the userPrincipalName attribute does not match a verified domain in Azure AD, synchronization replaces the suffix with .onmicrosoft.com.
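A pre-change check for the three conditions this article asks you to verify (unique UPNs, email addresses that match UPNs, and suffixes that map to a verified domain). This is an added example, not code from the original article; the function name `Test-UpnReadiness`, the finding labels, and the sample users are assumptions made for illustration.

```powershell
# Added example: report users whose UPN would cause trouble at sync time.
# Input objects only need UserPrincipalName and mail properties.
function Test-UpnReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string[]] $VerifiedDomains   # verified custom domains in Azure AD
    )
    $verified = $VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() }
    # UPNs compare case-insensitively, so group on the lower-cased value.
    $dupes = $Users | Group-Object { "$($_.UserPrincipalName)".ToLowerInvariant() } |
        Where-Object Count -gt 1 | ForEach-Object Name

    foreach ($u in $Users) {
        $upn = "$($u.UserPrincipalName)"
        $findings = @()
        $parts = $upn -split '@'
        if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
            $findings += 'MalformedUpn'
        } elseif ($verified -notcontains $parts[1].ToLowerInvariant()) {
            # Sync would replace this suffix with .onmicrosoft.com.
            $findings += 'SuffixNotVerified'
        }
        if ($dupes -contains $upn.ToLowerInvariant()) { $findings += 'DuplicateUpn' }
        if ($u.mail -and $u.mail -ne $upn) { $findings += 'MailDiffersFromUpn' }
        if ($findings) {
            [pscustomobject]@{ UserPrincipalName = $upn; Findings = $findings -join ',' }
        }
    }
}

# Constructed sample data. In a real run, feed the function from:
#   Get-ADUser -Filter * -Properties mail
#   (Get-AzureADDomain | Where-Object IsVerified).Name
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'Britta.Simon@contoso.com';  mail = 'Britta.Simon@contoso.com' }
    [pscustomobject]@{ UserPrincipalName = 'bjohnson@labs.contoso.com'; mail = 'bjohnson@labs.contoso.com' }
    [pscustomobject]@{ UserPrincipalName = 'britta.simon@contoso.com';  mail = 'bsimon@contoso.com' }
)
Test-UpnReadiness -Users $sampleUsers -VerifiedDomains 'contoso.com'
```

Users with no findings are omitted from the output, so an empty result means the set is ready to synchronize.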
Mass deployment of UPN changes
Use our best practices to test bulk UPN changes. Have a tested recovery plan for recovering UPNs if problems cannot be resolved. After piloting, target small groups of users with organizational roles and sets of applications or devices. This process helps to understand the user experience. Include this information in your communications with stakeholders and users.
Find out more: Azure Active Directory deployment plans
Create a UPN change routine for each user. We recommend a process that includes documentation of known issues and solutions.
Read the sections below for known issues and solutions when changing your UPN.
Known application issues and workarounds
Software as a Service (SaaS) and Line of Business (LoB) applications often rely on UPNs to locate users and store user profile information, including roles. Applications that may be affected by UPN changes use just-in-time (JIT) provisioning to create a user profile when users log on to the application for the first time.
Find out more:
- What is SaaS?
- What is Application Provisioning in Azure Active Directory?
Known issues
Changing a user's UPN can break the relationship between the Azure AD user and the user profile in the application. If the application uses JIT provisioning, it can create a new user profile. The application administrator then has to make manual changes to correct the relationship.
Solutions
Use automated application provisioning with Azure AD to create, maintain, and delete user identities in supported cloud applications. Configure automatic user provisioning in your applications to update UPNs in your applications. Test your applications to see if UPN changes affect them. If you are a developer, consider adding SCIM support to your application to enable automatic user provisioning.
Find out more:
- What is Application Provisioning in Azure Active Directory?
- Tutorial: Develop and plan provisioning for a SCIM endpoint in Azure Active Directory
Managed devices - known issues and workarounds
By moving your devices to Azure AD, you increase user productivity with single sign-on (SSO) to cloud and on-premises resources.
Find out more: What is Device Identity?
Azure AD joined devices
Azure AD joined devices are joined directly to Azure AD. Users log into the device with their organization's identity.
Find out more: Azure AD joined devices
Known issues and solutions
Users may experience issues with single sign-on in applications that require Azure AD authentication. This issue is fixed in the Windows 10 May 2020 Update (2004).
Workaround
Allow enough time for the UPN change to sync to Azure AD. After confirming that the new UPN appears in the Azure portal, ask the user to select the "Other user" tile to sign in with the new UPN. You can also check using PowerShell; see Get-AzureADUser. When users log in with a new UPN, references to the old UPN may still appear on the Access work or school page in Windows settings.
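One way to script the PowerShell check mentioned above, as an added example that is not part of the original article. The function name `Wait-UpnSync`, its parameters, and the default timings are assumptions; it needs the AzureAD module and an existing Connect-AzureAD session.

```powershell
# Added example: wait for a UPN change to reach Azure AD before the user signs in.
function Wait-UpnSync {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ObjectId,     # immutable user object ID
        [Parameter(Mandatory)] [string] $ExpectedUpn,  # UPN already set in Active Directory
        [int] $TimeoutMinutes = 60,
        [int] $PollSeconds = 120
    )
    $prefix = ($ExpectedUpn -split '@')[0]
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Look up by object ID: it does not change when the UPN does.
        $current = (Get-AzureADUser -ObjectId $ObjectId).UserPrincipalName
        if ($current -eq $ExpectedUpn) {
            return [pscustomobject]@{ Synced = $true; CurrentUpn = $current
                                      Note = 'New UPN is live' }
        }
        # The expected prefix with an onmicrosoft.com suffix means sync replaced
        # an unverified suffix; waiting longer will not fix that.
        if ($current -like "$prefix@*.onmicrosoft.com") {
            return [pscustomobject]@{ Synced = $false; CurrentUpn = $current
                                      Note = 'Suffix replaced; verify the custom domain' }
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    [pscustomobject]@{ Synced = $false; CurrentUpn = $current
                       Note = 'Timed out waiting for sync' }
}

# Usage (placeholder object ID, constructed UPN):
#   Wait-UpnSync -ObjectId '00000000-0000-0000-0000-000000000000' `
#                -ExpectedUpn 'Britta.Simon@labs.contoso.com'
```

Ask the user to sign in with the new UPN only after `Synced` is true.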
Hybrid Azure AD joined devices
Hybrid Azure AD-joined devices are connected to both Active Directory and Azure AD. You can deploy Hybrid Azure AD Join if your environment has an on-premises Active Directory footprint.
Find out more: Hybrid Azure AD joined devices
Known issues and solutions
Windows 10 hybrid Azure AD joined devices may experience unexpected reboots and access issues. If users log on to Windows before the new UPN is synchronized with Azure AD, or if they continue to use existing Windows sessions, they may experience single sign-on (SSO) issues in applications that use Azure AD for authentication. This situation occurs if Conditional Access is configured to require hybrid joined devices for access to resources.
Additionally, you may receive the following message forcing you to restart after a minute:
Your computer will automatically restart in a minute. Windows has encountered a problem and needs to restart. You must now close this message and save your work.
This issue is fixed in the Windows 10 May 2020 Update (2004).
Workaround
- Disconnect the device from Azure AD and restart it.
- The device rejoins Azure AD.
- The user logs in by selecting the Other user tile.
To disconnect a device from Azure AD, run the following command at the command prompt: dsregcmd /leave
Note
The user re-enrolls in Windows Hello for Business, if it is in use.
Tip
Windows 7 and 8.1 devices are not affected by this issue.
Mobile Application Management Application Protection Policy
Known issues
Your organization can use mobile application management (MAM) to protect corporate data in applications on users' devices. MAM app protection policies are not resilient to UPN changes, which can break the connection between MAM enrollments and active users in MAM-integrated applications. This scenario can leave your data in an unprotected state.
Find out more:
- Overview of application protection policies
- Frequently asked questions about MAM and application protection
Workaround
IT administrators can delete data from affected devices after changing the UPN. This forces users to re-authenticate and re-register with new UPNs.
Find out more: How to delete only company data from apps managed by Intune
Known issues and workarounds for Microsoft Authenticator
Your organization may require the Microsoft Authenticator app to sign in and access apps and data. Although the username may appear in the application, the account is not a means of verification until the user completes registration.
Find out more: How to use the Microsoft Authenticator app
The Microsoft Authenticator app has four main functions:
- Multi-factor authentication with a push notification or verification code
- Authentication broker on iOS and Android devices for SSO for applications that use broker authentication
  - Enable single sign-on for multiple apps on Android with MSAL
- Device registration, or Workplace Join, to Azure AD, which is required for Intune App Protection and Device Enrollment/Management
- Phone sign-in, which requires MFA and device registration
Multi-factor authentication on Android devices
Use the Microsoft Authenticator app for out-of-band verification. Instead of an automatic phone call or SMS to the user upon login, MFA sends a notification to the Microsoft Authenticator app on the user's device. The user chooses Confirm, or the user enters a PIN code or biometrics and selects Approve.
Find out more: How it works: Azure AD multi-factor authentication
Known issues
After changing the user's UPN, the old UPN still appears on the user's account and the notification may not be received. Use verification codes.
Find out more: Frequently asked questions about the Microsoft Authenticator app
Workaround
If a notification appears, ask the user to dismiss it, open the Authenticator app, select Check notifications, and accept the MFA prompt. The UPN on the account then updates. Note that the updated UPN may appear as a new account. This change is due to other features of the Authenticator app. For more information, see the known issues in this article.
Mediated authentication
For Android and iOS, brokers like Microsoft Authenticator enable:
- SSO - Users do not have to log in to each application
- Device identification - The broker accesses the device certificate created on the device when it was workplace joined
- Application identification check - When the application calls the broker, it sends its redirect URL and the broker verifies it
In addition, applications may participate in other functions:
- Azure AD conditional access documentation
- Use Microsoft Authenticator or Intune Company Portal in Xamarin.
Known issues
Due to the mismatch between the login_hint sent by the application and the UPN stored in the broker, the user experiences more interactive authentication prompts in new applications that use broker-assisted login.
Workaround
The user manually removes the account from Microsoft Authenticator and initiates a new login from a broker-assisted application. The account is added after the initial authentication.
Device registration
The Microsoft Authenticator app registers the device with Azure AD, which enables device authentication with Azure AD. This registration is necessary for:
- Intune app protection
- Intune device enrollment
- Phone sign-in
Known issues
If you change your UPN, a new account with the new UPN will appear in the Microsoft Authenticator app. The account with the old UPN remains on the list. Additionally, the old UPN appears in the Device Registration section of the app's settings. There are no changes to the device enrollment feature or dependent scenarios.
Workaround
To remove references to the old UPN in the Microsoft Authenticator app, the user removes the old and new accounts from Microsoft Authenticator, re-registers for MFA, and rejoins the device.
Phone sign-in
Use phone sign-in so that users can sign in to Azure AD without a password. To enable this feature, a user enrolls in MFA using the Authenticator app and then enables phone sign-in in the Authenticator app. The device is registered with Azure AD.
Known issues
Users cannot log in via phone because they do not receive notifications. If the user chooses Check notifications, an error occurs.
Workaround
The user selects the drop-down menu on the account that has phone sign-in enabled, then chooses Disable phone login. Phone sign-in can then be re-enabled.
Known issues and workarounds for security key (FIDO2)
Known issues
When multiple users are registered with the same key, the login screen displays the account selection where the old UPN is displayed. UPN changes do not affect login with security keys.
Workaround
To remove references to old UPNs, users must reset the security key and register again.
Find out more: Enable passwordless login with security key, known issue, UPN changes
OneDrive known issues and solutions
OneDrive users have been known to experience issues after changing their UPN.
Find out more: How UPN changes affect the OneDrive URL and OneDrive features
Teams Meeting Notes known issues and solutions
Use meeting notes in Teams to create and share notes.
Known issues
When a user's UPN changes, meeting notes created under the old UPN will no longer be accessible via Microsoft Teams or the meeting notes URL.
Workaround
After changing the UPN, users can restore meeting notes by downloading them from OneDrive:
- Go to My documents.
- Choose Microsoft Teams Data.
- Choose Wiki.
This does not affect new meeting notes created after the UPN is changed.
Next step
- Azure AD Connect: Design concepts
- Azure AD UserPrincipalName population
- Microsoft identity platform ID tokens