This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 70%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDF%3C/text%3E%3C/svg%3E)
Hello,
I have a user that when I query it by id using the Microsoft Graph Get directoryObject API his UPN contains #EXT# and ends with onmicrosoft.com
But when I look at the profile of the same user (same object id) in our AD, his UPN looks completely different. No #EXT# and different domain.
I don't understand why the same user has different UPN when I query it from Microsoft Graph than what actually appears in the AD.
Why does the user's UPN changes depending on from where I look at him? What is his "real" UPN?
A cloud-based identity and access management service for securing user authentication and resource access
Answer accepted by question author
Those are Guest users, by definition they should be "external" to your AD. Moreover, UPN is not the value that "links" on-premises and cloud objects, that role is played by the sourceanchor (objectGUID by default).
Thank you for your answer. The user is indeed a guest user. But I still don't understand why in the AD of my tenant (and when I receive his sign-in logs) I see his "real" UPN instead of the UPN that contains #EXT#
If I'm to take a wild guess, someone provisioned a (mail) user account for this person. It's normal that you only see the "real" UPN in logs, in fact the whole user_domain.com#EXT#@tenant .onmicrosoft.com identifier is more of a "pointer" and is not used to actually log in. Instead, the user logs in with their "real" UPN against their own Azure AD instance, which in this case will be user@keyman .com.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 77%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERN%3C/text%3E%3C/svg%3E)
User Type is also "Member"in my case, not Guest. Bit confusing
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 55.00000000000001%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
That is because when you invite the user, in properties it can be specified as member.