Forum Discussion
Solved
Official recommendation to UPN equal to SMTP/email address
I know that the UPN should be set to the same value as the email address for many reasons, but I can't find the official documentation from Microsoft where they recommend this. Can someone please poi...
I don't think there's anything "official" official. It's mentioned as "best practice" in multiple articles, for example here: https://docs.microsoft.com/en-us/office365/admin/add-users/change-a-user-name-and-email-address?view=o365-worldwide#tip-keep-the-persons-old-email-address
In reality, it depends on the workload and the client app. Some of them have a proper understanding of the difference between UPN and SMTP address, others "assume". Microsoft does enforce it for some endpoints though, for example when making changes via the O365 Admin Center. They also have a requirement that at least one of the smtp addresses should match the UPN in O365 (not necessarily the primary one though).
This may be a few years old, but security best practice is to keep these different. If they are the same, then you will receive brute force attacks trying to login with the email addresses. When they are different along with using a sub-domain for the UPN, this attack surface is drastically minimized.