Planning and Troubleshooting Azure User Principal Name (UPN) Changes - Microsoft Entra (2023)


The User Principal Name (UPN) attribute is an Internet communication standard for user accounts. A UPN consists of a prefix (the user account name) and a suffix (a DNS domain name), joined by the "@" symbol, for example someone@example.com. The UPN must be unique among all security principal objects within a directory forest.

Note

This article assumes that the UPN is used as the user identifier. It covers planning for UPN changes and recovering from problems that might result from them. We recommend that developers use the user object ID as the immutable identifier, rather than the UPN or email address.

UPNs and their changes

Sign-in pages often prompt users to enter an email address when the value expected is actually their UPN. Therefore, change a user's UPN when their primary email address changes. A user's primary email address might change because of:

  • Rebranding
  • A move to another business unit or department
  • Mergers and acquisitions
  • A change of the employee's name

Types of UPN changes

You can change the prefix, the suffix, or both.

  • Change the prefix:
    • BSimon@contoso.com becomes BJohnson@contoso.com
    • Bsimon@contoso.com becomes Britta.Simon@contoso.com
  • Change the suffix:
    • Britta.Simon@contoso.com becomes Britta.Simon@contosolabs.com, or
    • Britta.Simon@corp.contoso.com becomes Britta.Simon@labs.contoso.com

We recommend changing a user's UPN when their primary email address changes. During the initial synchronization from Active Directory to Azure AD, verify that users' email addresses match their UPNs.

UPNs in Active Directory

In Active Directory, the default UPN suffix is the DNS name of the domain in which the user account was created. In most cases, you register this domain name as the enterprise domain. If you create a user account in the contoso.com domain, the default UPN is username@contoso.com. However, you can add more UPN suffixes by using Active Directory Domains and Trusts. Find out more: Add a custom domain name using the Azure portal.

For example, if you add labs.contoso.com and change the user's UPN and email address to reflect it, the result is username@labs.contoso.com.

Important

If you change the suffix in Active Directory, add and verify a matching custom domain name in Azure AD. Find out more: Add a custom domain name using the Azure Active Directory portal.


UPNs in Azure Active Directory

Users sign in to Azure AD using the value of the userPrincipalName attribute.

When you use Azure AD with Active Directory in the on-premises environment, user accounts are synchronized using Azure AD Connect. The Azure AD Connect wizard uses the userPrincipalName attribute from the on-premises Active Directory as the UPN in Azure AD. You can change it to another attribute in a custom installation.

Note

Define the procedure for updating the user name (UPN) for a user or organization.

When you synchronize user accounts from Active Directory to Azure AD, ensure that the UPN suffixes in Active Directory map to domains that are verified in Azure AD.


If the userPrincipalName attribute value doesn't correspond to a verified domain in Azure AD, synchronization replaces the suffix with the tenant's default .onmicrosoft.com suffix.

Rolling out bulk UPN changes

Use best practices to test bulk UPN changes. Have a tested rollback plan to revert UPNs if you find issues that can't be resolved. After your pilot is running, target small sets of users with various organizational roles and their specific sets of applications or devices. This process helps you understand the user experience. Include this information in your communications to stakeholders and users.

Find out more: Azure Active Directory deployment plans

Create a process for changing each user's UPN. We recommend that the process include documentation of known issues and workarounds.
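A pre-flight check for a planned bulk change, as an added example in Python (not part of the Microsoft article and not Azure AD Connect's own logic): it splits each new UPN into prefix and suffix, rejects suffixes that are not verified domains (which synchronization would otherwise rewrite to the default .onmicrosoft.com suffix), rejects duplicates, and builds the rollback map the recovery plan needs. The verified domains and existing UPNs are constructed sample data; nothing here contacts a directory.

```python
import re

# Constructed tenant state (not real data): verified domains, the tenant's
# default suffix, and the UPNs that already exist in the directory.
VERIFIED_DOMAINS = {"contoso.com", "labs.contoso.com", "contoso.onmicrosoft.com"}
DEFAULT_SUFFIX = "contoso.onmicrosoft.com"
EXISTING_UPNS = {"bsimon@contoso.com", "bjohnson@contoso.com",
                 "alex.wilber@corp.contoso.com", "megan.bowen@contoso.com"}

# One prefix and one DNS suffix joined by a single "@", no whitespace.
_UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def split_upn(upn):
    """Return (prefix, suffix) in lower case, or None if the UPN is malformed."""
    if not _UPN_RE.match(upn):
        return None
    prefix, suffix = upn.lower().rsplit("@", 1)
    return prefix, suffix


def plan_upn_changes(changes, verified=VERIFIED_DOMAINS, existing=EXISTING_UPNS,
                     default_suffix=DEFAULT_SUFFIX):
    """Validate (old_upn, new_upn) pairs before a bulk change.

    Returns (approved, rejected, rollback): pairs safe to apply, (old, new,
    reason) triples to fix first, and a {new: old} map for reverting the
    approved pairs if the pilot surfaces problems. Swapping two users' UPNs
    is deliberately rejected; stage such changes through an interim UPN.
    """
    approved, rejected, rollback = [], [], {}
    taken = {u.lower() for u in existing}          # names that stay occupied
    for old, new in changes:
        parts = split_upn(new)
        if parts is None:
            rejected.append((old, new, "malformed UPN"))
            continue
        prefix, suffix = parts
        if suffix not in verified:
            # Azure AD Connect would silently fall back to the default suffix.
            fallback = f"{prefix}@{default_suffix}"
            rejected.append((old, new, f"suffix not verified; sync would write {fallback}"))
            continue
        if new.lower() in taken:
            rejected.append((old, new, "UPN already in use"))
            continue
        taken.add(new.lower())
        approved.append((old, new))
        rollback[new] = old
    return approved, rejected, rollback
```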

Read the following sections for known issues and workarounds when changing UPNs.

Known application issues and workarounds

Software as a Service (SaaS) and Line of Business (LoB) applications often rely on UPNs to find users and store user profile information, including roles. Applications that might be affected by UPN changes are those that use just-in-time (JIT) provisioning to create a user profile when users first sign in to the application.

Find out more:

  • What is SaaS?
  • What is Application Provisioning in Azure Active Directory?

Known issues

Changing a user's UPN can break the relationship between the Azure AD user and the user profile in the application. If the application uses JIT provisioning, it might create a new user profile. An application administrator then has to make manual changes to repair the relationship.

Workarounds

Use automated application provisioning with Azure AD to create, maintain, and remove user identities in supported cloud applications. Configure automatic user provisioning for your applications so that UPN changes are pushed to them. Test your applications to see whether UPN changes affect them. If you're a developer, consider adding SCIM support to your application to enable automatic user provisioning.
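The broken relationship described above, as an added example in Python (not code from the article or from any product): a toy SaaS user store that provisions profiles just in time from ID-token claims, keyed either on the UPN or on the object ID (the oid claim) that the note at the top recommends as the immutable identifier. The claims are constructed; an admin-assigned role shows what is stranded when the key changes.

```python
# Constructed ID-token claims for one user before and after a suffix change.
# "oid" is the Azure AD object ID (stable); "upn" changes with the rename.
BEFORE = {"oid": "11111111-2222-3333-4444-555555555555",
          "upn": "Britta.Simon@contoso.com", "name": "Britta Simon"}
AFTER = {**BEFORE, "upn": "Britta.Simon@labs.contoso.com"}


class JitUserStore:
    """Toy SaaS profile store with just-in-time provisioning, keyed by one claim."""

    def __init__(self, key_claim):
        self.key_claim = key_claim   # "upn" (fragile) or "oid" (immutable)
        self.profiles = {}           # key -> profile; roles are set by admins

    def sign_in(self, claims):
        """Return the profile for these claims, creating one on first sign-in."""
        key = claims[self.key_claim]
        profile = self.profiles.get(key)
        if profile is None:
            # Unknown key: JIT creates a fresh profile with default roles only.
            # Roles an admin granted under another key are not carried over,
            # which is the orphaned-profile problem a UPN change causes.
            profile = {"oid": claims["oid"], "upn": claims["upn"],
                       "name": claims["name"], "roles": ["Reader"]}
            self.profiles[key] = profile
        else:
            # Known key: refresh mutable attributes, keep admin-assigned roles.
            profile["upn"] = claims["upn"]
            profile["name"] = claims["name"]
        return profile


def simulate(key_claim):
    """Sign in before and after the UPN change.

    Returns (number_of_profiles, roles_seen_after_change). Keyed on "upn" the
    store ends up with two profiles and the Approver role is stranded on the
    old one; keyed on "oid" there is one profile and the role survives.
    """
    store = JitUserStore(key_claim)
    first = store.sign_in(BEFORE)
    first["roles"].append("Approver")   # admin grants a role between sign-ins
    second = store.sign_in(AFTER)
    return len(store.profiles), sorted(second["roles"])
```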

Find out more:

  • What is Application Provisioning in Azure Active Directory?
  • Tutorial: Develop and plan provisioning for a SCIM endpoint in Azure Active Directory

Managed devices - known issues and workarounds

By moving your devices to Azure AD, you increase user productivity with single sign-on (SSO) to cloud and on-premises resources.

Find out more: What is device identity?

Azure AD joined devices

Azure AD joined devices are joined directly to Azure AD. Users sign in to the device with their organizational identity.

Find out more: Azure AD joined devices

Known issues and workarounds

Users might experience single sign-on issues with applications that depend on Azure AD for authentication. This issue is fixed in the Windows 10 May 2020 Update (2004).

Workaround

Allow enough time for the UPN change to sync to Azure AD. After you confirm that the new UPN appears in the Azure portal, ask the user to select the "Other user" tile to sign in with the new UPN. You can also verify with PowerShell; see Get-AzureADUser. After the user signs in with the new UPN, references to the old UPN might still appear on the Access work or school page in Windows Settings.


Hybrid Azure AD joined devices

Hybrid Azure AD-joined devices are connected to both Active Directory and Azure AD. You can deploy Hybrid Azure AD Join if your environment has an on-premises Active Directory footprint.

Find out more: Hybrid Azure AD joined devices

Known issues and workarounds

Windows 10 hybrid Azure AD joined devices might experience unexpected restarts and access issues. If users sign in to Windows before the new UPN is synchronized to Azure AD, or if they continue to use existing Windows sessions, they might experience single sign-on (SSO) issues in applications that use Azure AD for authentication. This situation occurs when Conditional Access is configured to require hybrid Azure AD joined devices for access to resources.

Additionally, users might receive the following message, which forces a restart after one minute:

Your computer will automatically restart in a minute. Windows has encountered a problem and needs to restart. You must now close this message and save your work.

This issue is fixed in the Windows 10 May 2020 Update (2004).

Workaround

  1. Unjoin the device from Azure AD and restart it.
  2. The device joins Azure AD again.
  3. The user signs in by selecting the Other user tile.

To unjoin a device from Azure AD, run the following command at a command prompt: dsregcmd /leave

Note

The user must re-register for Windows Hello for Business, if it's in use.

Tip

Windows 7 and 8.1 devices are not affected by this issue.

Mobile Application Management app protection policies

Known issues

Your organization can use Mobile Application Management (MAM) to protect corporate data in applications on users' devices. MAM app protection policies aren't resilient to UPN changes, which can break the connection between existing MAM enrollments and active users in MAM-integrated applications. This scenario can leave data in an unprotected state.

Find out more:

  • Overview of application protection policies
  • Frequently asked questions about MAM and application protection

Workaround

IT administrators can issue a selective wipe to affected devices after the UPN change. This wipe forces users to reauthenticate and re-enroll with their new UPNs.

Find out more: How to wipe only corporate data from Intune-managed apps

Known issues and workarounds for Microsoft Authenticator

Your organization might require the Microsoft Authenticator app to sign in and access applications and data. Although a username might appear in the app, the account isn't set up as a verification method until the user completes the registration.

Find out more: How to use the Microsoft Authenticator app

The Microsoft Authenticator app has four main functions:

  • Multi-factor authentication with a push notification or verification code
  • Authentication broker on iOS and Android devices, providing SSO for applications that use brokered authentication
    • Enable single sign-on across multiple apps on Android with MSAL
  • Device registration, or Workplace Join, to Azure AD, which is required for Intune App Protection and device enrollment/management
  • Phone sign-in, which requires MFA and device registration

Multi-factor authentication on Android devices

Use the Microsoft Authenticator app for out-of-band verification. Instead of placing an automated phone call or sending an SMS to the user during sign-in, MFA pushes a notification to the Microsoft Authenticator app on the user's device. The user selects Verify, or enters a PIN or biometric and then selects Approve.

Find out more: How it works: Azure AD multi-factor authentication

Known issues

After a user's UPN changes, the old UPN still appears on the user account in the app, and the push notification might not be received. Verification codes continue to work.

Find out more: Frequently asked questions about the Microsoft Authenticator app

Workaround

If a notification appears, instruct the user to dismiss it, open the Authenticator app, select Check notifications, and approve the MFA prompt. The UPN on the account then updates. Note that the updated UPN might appear as a new account; this is due to other features of the Authenticator app. For more information, see the known issues in this article.

Brokered authentication

On Android and iOS, brokers such as Microsoft Authenticator enable:

  • SSO: users don't need to sign in to each application
  • Device identification: the broker accesses the device certificate that was created on the device when it was workplace joined
  • Application identification verification: when an application calls the broker, it passes its redirect URL, which the broker verifies

Additionally, brokered authentication lets applications participate in other features:

  • Azure AD Conditional Access documentation
  • Use Microsoft Authenticator or Intune Company Portal on Xamarin applications

Known issues

Because of a mismatch between the login_hint passed by the application and the UPN stored in the broker, the user experiences more interactive authentication prompts in new applications that use broker-assisted sign-in.

Workaround

The user manually removes the account from Microsoft Authenticator and starts a new sign-in from a broker-assisted application. The account is added back after the first authentication.

Device registration

The Microsoft Authenticator app registers the device with Azure AD, which enables device authentication with Azure AD. This registration is necessary for:

  • Intune app protection
  • Intune device enrollment
  • Phone sign-in

Known issues

After a UPN change, a new account with the new UPN appears in the Microsoft Authenticator app, while the account with the old UPN remains in the list. Additionally, the old UPN appears in the Device Registration section of the app's settings. The device registration feature and the scenarios that depend on it aren't affected.

Workaround

To remove references to the old UPN in the Microsoft Authenticator app, the user removes both the old and the new account from Microsoft Authenticator, re-registers for MFA, and re-registers the device.

Phone sign-in

Phone sign-in lets users sign in to Azure AD without a password. To enable it, a user registers for MFA using the Authenticator app, and then enables phone sign-in in the Authenticator app. The device registers with Azure AD.

Known issues

Users can't sign in with phone sign-in because they don't receive notifications. If the user selects Check notifications, an error occurs.

Workaround

The user selects the drop-down menu on the account with phone sign-in enabled, and then selects Disable phone sign-in. Phone sign-in can then be re-enabled.

Security key (FIDO2) known issues and workarounds

Known issues

When multiple users are registered on the same key, the sign-in screen shows an account selection page on which the old UPN appears. Sign-in with security keys itself isn't affected by UPN changes.

Workaround

To remove references to old UPNs, users must reset the security key and register again.

Find out more: Enable passwordless security key sign-in, known issue: UPN changes

OneDrive known issues and workarounds

OneDrive users are known to experience issues after a UPN change.

Find out more: How UPN changes affect the OneDrive URL and OneDrive features

Teams Meeting Notes known issues and workarounds

Use meeting notes in Teams to create and share notes.

Known issues

When a user's UPN changes, meeting notes created under the old UPN will no longer be accessible via Microsoft Teams or the meeting notes URL.

Workaround

After the UPN change, users can recover their meeting notes by downloading them from OneDrive:

  1. Go to My files.
  2. Select Microsoft Teams Data.
  3. Select Wiki.

This does not affect new meeting notes created after the UPN is changed.

Next steps

  • Azure AD Connect: Design concepts
  • Azure AD UserPrincipalName population
  • Microsoft identity platform ID tokens
Article information

Author: Carmelo Roob

Last Updated: 06/20/2023

