Microsoft Tech Community

Fixing Azure AD user folders to avoid apostrophes and Unicode characters


Hello,

 

Is there a way to override Azure's choice for a user profile folder name? The apostrophe in my name is causing problems.

 

Azure AD seems to provision the user profile on Windows devices from their user Name and Display Name fields, stripping only spaces and leaving Unicode characters. John Smith generates a folder C:\Users\JohnSmith. Similarly, John O'Hurley would create C:\Users\JohnO'Hurley and Stellan Skarsgård would have a login of C:\Users\StellanSkarsgård.

 

In a perfect world the latter two folders work as well as the first, but there are several important cases where they fail:

  1. Older/Long-lived programs that rely on a %USERPROFILE% query but do not handle Unicode.
  2. Older/Long-lived programs that rely on a %USERPROFILE% query but do not properly escape single quotes.
  3. Scripts and glue code that query user data and either do not escape single quotes or do not handle Unicode.
  4. Linked usernames across Windows and Linux systems.

We've encountered the above problems with 2022 versions of top tier engineering software packages, including those with seat costs in the tens of thousands of dollars. The issue renders them unusable by a few folks at my organization, including myself, so I can assure you that the problems are real.

 

Ideally, we'd like to replicate the profile folders of traditional AD, something like jsmith, johurley, sskarsgard.

 

There's discussion of some of these issues dating back to 2015, including several comments from Microsoft engineers on the Azure teams noting them as bugs they didn't anticipate and were working to fix, so I'm hoping there's an update after 8 years.

Early Azure AD Unicode Issue flag: https://social.msdn.microsoft.com/Forums/Lync/en-US/14ba0cb4-2a1c-4e1b-923a-e00ba2b2a584/change-auto...

UPN with apostrophe: https://learn.microsoft.com/en-us/answers/questions/389945/azure-analysis-services-and-user-account-...

IDFix Migration tool permits apostrophe: https://github.com/microsoft/idfix/issues/46

AD Migration with Diacritics: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad/diacritics-in-users-names/m-p/110472

Datastudio display bug (fixed): https://github.com/microsoft/azuredatastudio/issues/12629

 

One of the solutions mentions using a registry level re-map. We've noticed that programs sometimes get confused and create folders in the AzureAD "ghost" profile folder (JohnO'Hurley) that remains on the machine instead of the remapped one (johurley), and that this can also create issues with permissions across the account. It also needs to be re-run as a local admin for each machine, which seems fragile and impractical.

 

We've been searching for the correct fix for a few weeks now. The unpalatable solution we're arriving at is to remove the apostrophe and Unicode characters from our Identities in Azure for the software to function correctly. This has the awful side effect of also removing them from the "From:" field of email and anywhere else the Display Name is used. Losing my apostrophe is very upsetting, and a few of my colleagues also enjoy their names being printed correctly. To be clear, the email addresses we're using are "plain" characters, as are the UPNs--we're only talking about the displays. I hope we're missing something, because it feels exclusionary to people with nonconforming names, especially since the on-prem AD didn't have these issues, and neither do non domain-joined machines using simple Microsoft accounts. Azure AD is marketed as the "modern" product to replace traditional AD.

 

What are we missing? Any ideas how we can keep our names and run our programs too? All input is greatly appreciated.

 

Thanks,

Peter
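Added example (not part of the original post and not Microsoft code): using the three names from the post, this reproduces the space-stripping behaviour the post describes, flags the characters behind its failure cases, derives the jsmith-style name the post asks for, and shows how a path must be quoted as a PowerShell single-quoted literal. All function names are hypothetical, and the first-initial-plus-surname rule is an assumption about the traditional AD convention.

```python
import unicodedata

# Constructed sample: the three display names used in the post.
DISPLAY_NAMES = ["John Smith", "John O'Hurley", "Stellan Skarsgård"]

def azure_style_folder(display_name):
    """Folder name as the post describes it: spaces stripped, all else kept."""
    return "".join(display_name.split())

def ascii_fold(text):
    """Decompose accented letters (NFKD), then keep ASCII letters/digits only.
    Letters without a decomposition (e.g. ø, ß) are dropped, so map those
    explicitly if they occur in your directory."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if c.isascii() and c.isalnum())

def legacy_style_name(display_name):
    """Assumed rule: first initial + surname, lower case (jsmith pattern)."""
    parts = display_name.split()
    return (ascii_fold(parts[0])[:1] + ascii_fold(parts[-1])).lower()

def path_risks(folder):
    """Characters in a profile folder name behind the post's failure cases."""
    risks = []
    if not folder.isascii():
        risks.append("non-ascii")
    if "'" in folder:
        risks.append("single-quote")
    return risks

def ps_single_quoted(value):
    """Quote as a PowerShell single-quoted literal: embedded ' is doubled."""
    return "'" + value.replace("'", "''") + "'"

def audit(names=DISPLAY_NAMES):
    """One row per name: (current folder, ASCII-safe name, risk flags)."""
    rows = []
    for name in names:
        folder = azure_style_folder(name)
        rows.append((folder, legacy_style_name(name), path_risks(folder)))
    return rows

if __name__ == "__main__":
    for folder, safe, risks in audit():
        path = "C:\\Users\\" + folder
        print(f"{path:30} -> {safe:11} risks={risks or 'none'} "
              f"quoted={ps_single_quoted(path)}")
```

Glue code that passes the profile path as a separate argument instead of building a command string avoids the quoting step altogether.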

 

6 Replies
Hi, if the reg fix suggested is not an option for you, I see no other obvious alternative I'm afraid.

If anything, I would say that the Engineering software vendor should be working to make their own products more inclusive.

Sorry I can't be more helpful.

@poregan is the solution "Beta: Use Unicode UTF-8 for worldwide language support", outlined here: Outlook displays an error message on first start - Outlook | Microsoft Learn, not an option?

@BalazsOrban1 thanks for the suggestion. We're trying to go the opposite way, actually. But the fact that Outlook, the Most Important Program of an organization, has the same problem with the profile directories highlights the problem with how Azure AD works with existing software and is a very strong argument for having an adjustment knob at the AzureAD level.

 

We want Azure AD to fall back to using an ASCII version of the display name and strip apostrophes for profile folders to solve this problem for multiple applications rather than have each program need extensive updates. The real-world cases we're seeing break in Altair, Mathworks, and TI software are because of this oversight. A lot of these programs use some kind of a pipe or command line link between programs, and that's where the apostrophes (single quote) and Unicode characters are causing errant behavior.

 

If you're the user, you can fix an error in a local folder by renaming it, but you're powerless if it's your profile.

 

It also makes it challenging to work between Linux and Windows environments because we can't have matching usernames.

 

Personally I don't get why I have to choose between having functional software and having the apostrophe in the "From" field of my email address/SharePoint display name.

Hi @poregan, sorry to revive the thread. But I want to ask, did you ever arrive at a satisfactory solution?
We are facing the same problem in my organization, and our work-around is to temporarily edit the displaynames before setting up devices, to avoid non-ASCII characters in the userpath folder.

But from your post, I can see this issue has existed for much longer than I expected, and I'm shocked that it still persists. 
I assume it should be relatively simple for Microsoft to give us an option in AzureAD to generate the userpath folder based on UPN or display name with ASCII-substitution. 

Hi @AugustKV,

 

I'm sorry to say that we haven't yet received a satisfactory answer. We have a ticket in, and it's been bounced between Azure and Windows teams, maybe also Windows Server. I think that's the primary problem: it's a bug running across an organizational silo barrier.

 

On our associated support calls regarding the ticket, one of the Microsoft support team members (technically an external agency contracted to represent Microsoft) went so far as to imply that it was my fault for having an apostrophe in my (legal) name. He said that if I wanted to use Microsoft products successfully I needed to change it. I could never use my real name in SharePoint or email so long as my company used Azure AD. The support agents were unwilling to acknowledge it was an edge case in the software, unwilling to escalate the ticket to a product manager, and unable to tell me if a developer would ever see the issue. It left us unsatisfied with the entire experience. I've never felt more disrespected by a support agent. I assume they had to abide by a script where they cannot admit a defect in Microsoft products, so therefore the customer is always wrong.

 

This bug breaks PowerShell, by the way, but oddly the git bash and Terminal apps handle it fine.

 

We're exploring an on prem AD solution now to fix this but it's an expensive step backwards with a lot of overhead and security implications that are the reasons we picked Azure in the first place. And early indications seem like it also may not work satisfactorily. Our workaround right now is having me use an entirely separate account to run simulation work using the affected software. Moving back and forth is a pain.

 

I agree with your fix assessment, and if we're wrong about it I hope a developer could chime into the thread to explain why.

 

It seems like it's around ten lines of code and an if statement for the Windows team and an extra database column for Azure to create a clean, lasting solution that supports people of all nationalities and name spelling, including extended ASCII and Unicode characters.

 

Related questions I've been wondering about are how these issues might affect non-Latin characters if Windows and Azure are localized in Japanese, Mandarin, Thai, or Korean characters and how using DisplayName for deployment deals with position suffixes common in larger organization accounts (often government or government adjacent).

 

 

I appreciate the extensive answer.
Unfortunately, going on-premise AD doesn't seem to be a viable option for us (and I wouldn't know how to set it up).

I'm disappointed that it doesn't sound like Microsoft is actively working on solving this, but I hope to be pleasantly surprised some day.