Search results
People also ask
What is a userprincipalname in Azure Active Directory?
What is Microsoft Windows Azure Active Directory?
What is userprincipalname (UPN) in Active Directory?
What is an example of a user principal name in Active Directory?
What is Azure Active Directory B2C user profile?
How do I change a user's UPN on Azure AD?
The UserPrincipalName (UPN) serves as an essential user attribute in Active Directory that’s akin to a username and is typically used when logging into various services within a network.
User principal name is a username and domain in email address format within Microsoft AD. See how UPNs work, are used in Azure and how to change them.
- Gavin Wright
- 2 min
- Overview
- UPN terminology
- What is UserPrincipalName?
- UPN in Microsoft Entra ID
- Alternate login ID
- Non-verified UPN Suffix
- Verified UPN suffix
- Microsoft Entra MailNickName attribute value calculation
- UPN scenarios
- Next Steps
This article describes how the UserPrincipalName attribute is populated in Microsoft Entra ID. The UserPrincipalName attribute value is the Microsoft Entra username for the user accounts.
The following terminology is used in this article:
UPN format
A UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). The prefix is joined with the suffix using the "@" symbol. For example, "someone@example.com". A UPN must be unique among all security principal objects within a directory forest.
The UPN is used by Microsoft Entra ID to allow users to sign-in. The UPN that a user can use, depends on whether or not the domain has been verified. If the domain has been verified, then a user with that suffix will be allowed to sign-in to Microsoft Entra ID.
The attribute is synchronized by Microsoft Entra Connect. During installation, you can view the domains that have been verified and the ones that have not.
In some environments, end users may only be aware of their email address and not their UPN. The use of email address may be due to a corporate policy or an on-premises line-of-business application dependency.
Alternate login ID allows you to configure a sign-in experience where users can sign-in with an attribute other than their UPN, such as mail.
To enable Alternate login ID with Microsoft Entra ID, no additional configurations steps are needed when using Microsoft Entra Connect. Alternate ID can be configured directly from the wizard. See Microsoft Entra sign-in configuration for your users under the section Sync. Under the User Principal Name drop-down, select the attribute for Alternate login ID.
For more information, see Configure Alternate login ID and Microsoft Entra sign-in configuration
If the on-premises UserPrincipalName attribute/Alternate login ID suffix is not verified with Microsoft Entra tenant, then the Microsoft Entra UserPrincipalName attribute value is set to MOERA. Microsoft Entra ID calculates the MOERA from the Microsoft Entra MailNickName attribute and Microsoft Entra initial domain as @
If the on-premises UserPrincipalName attribute/Alternate login ID suffix is verified with the Microsoft Entra tenant, then the Microsoft Entra UserPrincipalName attribute value is going to be the same as the on-premises UserPrincipalName attribute/Alternate login ID value.
Because the Microsoft Entra UserPrincipalName attribute value could be set to MOERA, it is important to understand how the Microsoft Entra MailNickName attribute value, which is the MOERA prefix, is calculated.
When a user object is synchronized to a Microsoft Entra tenant for the first time, Microsoft Entra ID checks the following items in the given order and sets the MailNickName attribute value to the first existing one:
•On-premises mailNickName attribute
•Prefix of primary SMTP address
•Prefix of on-premises mail attribute
•Prefix of on-premises userPrincipalName attribute/Alternate login ID
Scenario 1: Non-verified UPN suffix – initial synchronization
On-Premises user object: •mailNickName: •proxyAddresses: {SMTP:us1@contoso.com} •mail: us2@contoso.com •userPrincipalName: us3@contoso.com Synchronized the user object to Microsoft Entra tenant for the first time •Set Microsoft Entra MailNickName attribute to primary SMTP address prefix. •Set MOERA to @ . •Set Microsoft Entra UserPrincipalName attribute to MOERA. Microsoft Entra tenant user object: •MailNickName : us1 •UserPrincipalName: us1@contoso.onmicrosoft.com
Scenario 2: Non-verified UPN suffix – set on-premises mailNickName attribute
On-Premises user object: •mailNickName: us4 •proxyAddresses: {SMTP:us1@contoso.com} •mail: us2@contoso.com •userPrincipalName: us3@contoso.com Synchronize update on on-premises mailNickName attribute to Microsoft Entra tenant •Update Microsoft Entra MailNickName attribute with on-premises mailNickName attribute. •Because there is no update to the on-premises userPrincipalName attribute, there is no change to the Microsoft Entra UserPrincipalName attribute. Microsoft Entra tenant user object: •MailNickName: us4 •UserPrincipalName: us1@contoso.onmicrosoft.com
Scenario 3: Non-verified UPN suffix – update on-premises userPrincipalName attribute
On-Premises user object: •mailNickName: us4 •proxyAddresses: {SMTP:us1@contoso.com} •mail: us2@contoso.com •userPrincipalName: us5@contoso.com Synchronize update on on-premises userPrincipalName attribute to Microsoft Entra tenant •Update on on-premises userPrincipalName attribute triggers recalculation of MOERA and Microsoft Entra UserPrincipalName attribute. •Set MOERA to @ . •Set Microsoft Entra UserPrincipalName attribute to MOERA. Microsoft Entra tenant user object: •MailNickName: us4 •UserPrincipalName: us4@contoso.onmicrosoft.com
•Integrate your on-premises directories with Microsoft Entra ID
•Custom installation of Microsoft Entra Connect
Jan 11, 2024 · Your Azure Active Directory B2C (Azure AD B2C) directory user profile comes with a set of built-in attributes, such as given name, surname, city, postal code, and phone number. You can extend the user profile with your own application data without requiring an external data store.
Mar 11, 2024 · In this article, we’ll look at what UPN (UserPrincipalName) suffixes in Active Directory are, how to add alternative suffixes in an AD forest and change UPN suffixes of Active Directory users with the ADUC console and PowerShell.
The userPrincipalName and sAMAccountName attributes can log users into computers in the AD domain. The samAccountName attribute was used in the pre-Windows 2000 environment and defined the user name to authorize users on the domain or standalone workstations.
Apr 19, 2016 · Domain is the UPN suffix. The Name is the display name and may not change unless you specify the rules when migrating AD users from one domain to another. NameIdentifier is the unique "SAML name identifier of the user".
