UPN - Not a durable identifier for the user and should not be used to key data. (Azure AD Optional claim)

Rahul 236 Reputation points
2020-05-29T18:39:14.05+00:00

Hi,

I need to understand UPN as optional claim.

https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-specific-optional-claims-set

As per the above link, it is described as: upn (User Principal Name) - An identifier for the user that can be used with the username_hint parameter. Not a durable identifier for the user and should not be used to key data.

Shouldn't we pass UPN as an optional claim in the token? Is it not a best practice to pass UPN as an optional claim? What are the pros and cons?

What is meant by "Not a durable identifier for the user and should not be used to key data"?


Accepted answer
  1. Zen van Riel 86 Reputation points
    2020-05-30T14:29:50.387+00:00

    The UPN defined for an object (user) in Azure Active Directory can be changed by e.g. tenant admins.
    The UPN needs to be unique across the AAD directory, which makes it look like an identifier, but as it can be changed it is not a safe identifier.
    It is advisable to use the Object ID instead: this cannot be changed for a given user.

    1 person found this answer helpful.
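Added example (not part of the question or the answer above) showing why the answer's advice matters in application code: a user store keyed by the mutable upn claim beside one keyed by the tenant ID plus immutable object ID (tid and oid claims). The tenant ID, object IDs and UPNs are constructed placeholder values, and the claim sets are plain dicts standing in for an already signature-validated token payload.

```python
import uuid

def stable_user_key(claims: dict) -> str:
    """Durable key: tenant ID + object ID. Both are immutable for a given user.
    Raises KeyError/ValueError if the claims are missing or 'oid' is not a GUID."""
    tid, oid = claims["tid"], claims["oid"]
    uuid.UUID(oid)  # reject malformed values before they become a storage key
    return f"{tid}:{oid}"

def mutable_user_key(claims: dict) -> str:
    """Anti-pattern: a tenant admin can rename the UPN, so it is not durable."""
    return claims["upn"].lower()

def lookup_or_create(store: dict, key: str, claims: dict) -> dict:
    """Return the record for 'key', creating it on first sight."""
    return store.setdefault(key, {"roles": [], "first_upn": claims["upn"]})

# Constructed sample values (placeholders, not real tenant or object IDs).
TENANT = "11111111-1111-1111-1111-111111111111"
ALICE_OID = "22222222-2222-2222-2222-222222222222"
MALLORY_OID = "33333333-3333-3333-3333-333333333333"

def simulate(key_fn) -> tuple:
    """Replay three logins: Alice, Alice after an admin renamed her UPN, then a
    different user who is later assigned Alice's old UPN.
    Returns (record_count, confused) where 'confused' means the second user
    inherited data that belonged to Alice."""
    store = {}
    alice_v1 = {"tid": TENANT, "oid": ALICE_OID, "upn": "alice@contoso.example"}
    rec = lookup_or_create(store, key_fn(alice_v1), alice_v1)
    rec["roles"].append("admin")  # application data attached to Alice's record
    alice_v2 = dict(alice_v1, upn="alice.smith@contoso.example")  # UPN renamed
    lookup_or_create(store, key_fn(alice_v2), alice_v2)
    mallory = {"tid": TENANT, "oid": MALLORY_OID, "upn": "alice@contoso.example"}
    mallory_rec = lookup_or_create(store, key_fn(mallory), mallory)
    return len(store), "admin" in mallory_rec["roles"]

if __name__ == "__main__":
    # Keyed by UPN: Alice's rename orphans her record and the reassigned UPN
    # hands her admin role to someone else. Keyed by tid:oid: neither happens.
    print("keyed by upn    :", simulate(mutable_user_key))  # (2, True)
    print("keyed by tid:oid:", simulate(stable_user_key))   # (2, False)
```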
