We have an AD forest with multiple domains, but for the most part all or most of our resources are managed in one of them, the primary or corp AD domain.
We are now in the process of syncing user IDs to Office 365. We have our internal domain verified on our tenant, and we also have federation set up using PingFederate with Office 365. We will change the value of the UPN attribute on the account from its current value to the user's primary email address.
We have many users whose UPN matches samAccountName + domain suffix (that is, the iUPN and eUPN concept). By the way, we don't have any additional domain suffixes in the environment.
So coming back to my query: we have tried our best to identify or find out if there is any application / user using UPN for authentication; so far none of our investigation has shown that UPN is being used. There could be users who are used to, or habitually, use UPN to sign in to devices and applications, e.g. desktop / laptop devices: when the machine is at Ctrl + Alt + Del and the user is used to signing in using UPN, which is by default samAccountName + domain suffix and might not be equal to the user's email, then what? Other scenarios which we are not aware of: legacy devices like Windows XP or a manufacturing application / device?
And as per the iUPN/eUPN concept mentioned above, it says that if you are tracking Kerberos tickets to find out, Kerberos tickets are always with the iUPN, which is samAccountName + domain suffix, and not with the name or value you see in the UPN attribute of the user or account, for that matter.
So I need to know:
1. The right way of tracking and finding out who (app or any user) is using UPN for logon/login
2. What are the known issues or impacts of changing the UPN in Active Directory for AD accounts
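An added example (not part of the question above) of one defender-side audit that addresses both points: it assumes the domain controllers have "Audit Kerberos Authentication Service" enabled, that a UPN-format name submitted at logon appears with an '@' in the Account Name (TargetUserName) of event 4768 on the DC, and that the RSAT ActiveDirectory module is available; the lookback window and the output file name are arbitrary choices.

```powershell
# Added example, not code from the original post. Assumptions: run with rights to read the
# Security log on every DC, Kerberos AS auditing (event 4768) is on, and a name typed at
# logon in UPN form is recorded in 4768's TargetUserName with an '@' in it.
Import-Module ActiveDirectory

$Since = (Get-Date).AddDays(-30)                      # lookback window (assumed value)
$DCs   = (Get-ADDomainController -Filter *).HostName

# 1. Who submits a UPN-format name to the KDC? Collect 4768 TGT requests from every DC and
#    keep only those whose account name contains '@' (computer accounts end in '$', so they
#    are excluded by construction).
$upnLogons = foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $Since } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -like '*@*') {
            [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated
                               Name = $d.TargetUserName; Client = $d.IpAddress }
        }
    }
}
# Summarise per account: how often and from which client addresses the UPN form was used.
$upnLogons | Group-Object Name | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } },
        @{ n = 'Clients';  e = { ($_.Group.Client | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 2. Which enabled accounts would get a different UPN once it is set to the mail attribute?
#    A changed prefix is what breaks the "samAccountName@suffix" habit at Ctrl+Alt+Del; a
#    changed suffix must be a verified domain on the tenant.
$suffix = (Get-ADDomain).DNSRoot.ToLower()
Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, userPrincipalName |
    Where-Object { $_.mail } |
    ForEach-Object {
        $newUpn = $_.mail.ToLower()
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            CurrentUPN     = $_.UserPrincipalName
            ProposedUPN    = $newUpn
            PrefixChanges  = ($newUpn.Split('@')[0] -ne $_.SamAccountName.ToLower())
            SuffixChanges  = ($newUpn.Split('@')[1] -ne $suffix)
        }
    } |
    Where-Object { $_.PrefixChanges -or $_.SuffixChanges } |
    Export-Csv -NoTypeInformation .\upn-change-impact.csv   # output path is an assumption
```

Run the 4768 part for a full business cycle before the change so that shift workers and intermittently used manufacturing devices show up in the summary.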