25,180 questions
Non matching UPN and Samaccount
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 41%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Mahesh Aralelemath
386
Reputation points
Hi,
In our environment
- on-prem AD UPN is not in a structured, routable format.
- email address is mapped to UPN while syncing on-prem Accounts to M365 using AADConnect.
- Tenant is configured as federated and uses ADFS for authentication.
Now with email address used as UPN to login to M365 and broken UPN at on-prem is causing issues in SSO experience.
We are working out to correct the UPN to match with email address so that both are same.
Also ADFS is planned to migrate to PTA.
Now the question is,
- Can we have Samaccount differently (Ex: Name)
- Email address and UPN to same ( Ex: firstname.lastname@domainname)
With this be accepted scenario from SSO point of view and all authentication?
Are there any issues in such scenario ?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
James Hamil 27,221 Reputation points Microsoft Employee Moderator2021-01-22T22:21:07.953+00:00 Hi @Mahesh Aralelemath , this article does a good job breaking down UPN and Samaccount information that I think could help you. This document shows why you should match your UPN to your primary SMTP. I would recommend taking these routes, as I believe your method may cause issues in the future. Is this an option for you? I just want to make sure you avoid any problems this may cause later on.
Best,
James -
Mahesh Aralelemath 386 Reputation points
2021-01-23T18:13:05.497+00:00 Hi James,
Thanks for your response and reference articles.
Yes we are in process of matching UPN to Primary SMTP address even though email address is mapped to UPN in Azure AD (alternate id).Now, my question is about SAMAccount. Is it mandatory to match SamAccount also to UPN/Email - may be prefix part only.
If Yes, how feasible it is...because, SAMAccount still has the limitation of 20 Chars?
Are there any reference docs from Microsoft about all these 3 - SAM, UPN and Email Address ?
Regards
Mahesh -
James Hamil 27,221 Reputation points Microsoft Employee Moderator
2021-01-26T00:49:00.39+00:00 Hi,
It's almost so recommended to match I would have to say it's mandatory. It's good to match so you don't have users who need to remember different log-in credentials. Microsoft does have reference docs for those areas but there are multiple different examples, more so for UPN and email, so I recommend just searching for what you need specifically. SamAccount is harder to find so I would stick to third party documents like the ones I posted. If you still need help I can escalate this and try to get you a better solution.
Best,
James
-
Mahesh Aralelemath 386 Reputation points
2021-01-26T07:51:41.593+00:00 Hi James,
I would request your support if this can be escalated to get better references.
- Best practices around SamAccount, UPN and e-mail address.
- What is the impact if all 3 are not matching with different combinations like SamAccount doesnt match but email and UPN or SamAccount and UPN matches but email id is different.
- Seamless SSO experience with all these and different browser like Edge, IE, Chrome
Regards
Mahesh -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 5%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Abhijeet-MSFT 546 Reputation points Microsoft Employee2021-03-04T09:32:06.57+00:00 hi @Mahesh Aralelemath , Though it is recommended to have samaccountname and UPN similar, it is not really a requirement. The only thing i guess we have documented for samaccountname is at https://learn.microsoft.com/en-us/azure/active-directory/hybrid/concept-azure-ad-connect-sync-default-configuration#out-of-box-rules-from-on-premises-to-azure-ad. For ad connect to sync an account, samaccountname needs to be there..
-
Mahesh Aralelemath 386 Reputation points
2021-03-04T09:53:22.74+00:00 Thanks for the details Abhijit and James on this thread.
In summary, i take it as while its recommended to maintain the uniformity in SamAccount and UPN from user experience prospective but there is nothing as hard stop.
Regards
Mahesh -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 28.999999999999996%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERH%3C/text%3E%3C/svg%3E)
Rik Herlaar 0 Reputation points2024-01-09T18:52:26.2333333+00:00 Your mileage may vary - If you have a couple LDAP integrations that are querying the sAMAccountName vs the UPN you may actually be somewhat forced to keep the original sAMAccountName until those integrations have been all aligned to filter the UPN value going forward - I suspect this is a corner case though.
Sign in to comment
Sign in to answer