Forum Discussion

Dean_Gross
Silver Contributor
Jul 11, 2019
Solved

Official recommendation to UPN equal to SMTP/email address

I know that the UPN should be set to the same value as the email address for many reasons, but I can't find the official documentation from Microsoft where they recommend this. Can someone please point me to it?


4 Replies

  • Dean_Gross I think this may be the reference you are looking for:

    A UPN is an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than a distinguished name and easier to remember. By convention, this should map to the user's email name. The point of the UPN is to consolidate the email and logon namespaces so that the user only needs to remember a single name.

    https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname

  • JohnCarew
    Copper Contributor
    This may be a few years old, but security best practice is to keep these different. If they are the same, then you will receive brute force attacks trying to login with the email addresses. When they are different along with using a sub-domain for the UPN, this attack surface is drastically minimized.
  • I don't think there's anything "official" official. It's mentioned as "best practice" in multiple articles, for example here: https://docs.microsoft.com/en-us/office365/admin/add-users/change-a-user-name-and-email-address?view=o365-worldwide#tip-keep-the-persons-old-email-address

    In reality, it depends on the workload and the client app. Some of them have a proper understanding of the difference between UPN and SMTP address, others "assume". Microsoft does enforce it for some endpoints though, for example when making changes via the O365 Admin Center. They also have a requirement that at least one of the smtp addresses should match the UPN in O365 (not necessarily the primary one though).
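The two conditions this reply describes (UPN equal to the primary SMTP address as the recommended practice, and at least one SMTP address matching the UPN as the O365 minimum) can be audited against a directory export. The script below is an added example, not code from the thread or from Microsoft; the user records are constructed sample data in the shape of an AD export, where the upper-case `SMTP:` prefix in `proxyAddresses` marks the primary address and other prefixes (`smtp:`, `SIP:`, `X500:`) are secondary or non-mail entries.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class UserRecord:
    """One exported account: userPrincipalName plus its proxyAddresses."""
    upn: str
    proxy_addresses: List[str]


def parse_proxy_addresses(values: List[str]) -> Tuple[Optional[str], Set[str]]:
    """Return (primary SMTP address, all SMTP addresses), lower-cased.

    Only entries with an smtp prefix count; the upper-case 'SMTP:' prefix
    identifies the primary address. SIP:, X500: and similar entries are ignored.
    """
    primary = None
    smtp: Set[str] = set()
    for value in values:
        prefix, sep, addr = value.partition(":")
        if not sep or prefix.lower() != "smtp":
            continue
        addr = addr.strip().lower()
        smtp.add(addr)
        if prefix == "SMTP":
            primary = addr
    return primary, smtp


def audit(records: List[UserRecord]) -> Dict[str, List[str]]:
    """Map each non-compliant UPN to the list of conditions it fails."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        upn = rec.upn.strip().lower()
        primary, smtp = parse_proxy_addresses(rec.proxy_addresses)
        issues = []
        if primary is None:
            issues.append("no-primary-smtp")
        elif upn != primary:
            issues.append("upn-differs-from-primary-smtp")  # recommended practice not met
        if upn not in smtp:
            issues.append("no-smtp-matches-upn")  # O365 minimum from the reply not met
        if issues:
            findings[rec.upn] = issues
    return findings


# Constructed sample export (hypothetical contoso.example tenant).
SAMPLE = [
    UserRecord("alice@contoso.example", ["SMTP:alice@contoso.example", "smtp:alice.smith@contoso.example"]),
    UserRecord("bob@corp.contoso.example", ["SMTP:bob@contoso.example", "smtp:bob@corp.contoso.example"]),
    UserRecord("carol@corp.contoso.example", ["SMTP:carol@contoso.example", "X500:/o=ExampleOrg/cn=carol"]),
    UserRecord("dave@contoso.example", ["SIP:dave@contoso.example"]),
]
```

Running `audit(SAMPLE)` reports bob (UPN matches a secondary address only), carol (no SMTP address matches the UPN) and dave (no SMTP address at all), while alice passes both checks.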

  • Dean_Gross Haven't found any more in-depth statement. But in the article about Alternate ID there is a note stating: "Microsoft's recommended best practices are to match UPN to primary SMTP address. This article addresses the small percentage of customers that cannot remediate UPN's to match."

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id#applications-and-user-experience-after-the-additional-configuration

    Hope this helps!

    Regards,

    Viktor
