Microsoft Tech Community
SOLVED

Official recommendation to UPN equal to SMTP/email address

Silver Contributor

I know that the UPN should be set to the same value as the email address for many reasons, but I can't find the official documentation from Microsoft where they recommend this. Can someone please point me to it?


4 Replies

@Dean Gross Haven't found any more in-depth statement. But in the article about Alternate ID there is a note stating: "Microsoft’s recommended best practices are to match UPN to primary SMTP address. This article addresses the small percentage of customers that cannot remediate UPN’s to match."


https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-logi...


Hope this helps!

Regards,

Viktor

best response confirmed by VI_Migration (Silver Contributor)
Solution

I don't think there's anything "official" official. It's mentioned as "best practice" in multiple articles, for example here: https://docs.microsoft.com/en-us/office365/admin/add-users/change-a-user-name-and-email-address?view...


In reality, it depends on the workload and the client app. Some of them have a proper understanding of the difference between UPN and SMTP address, others "assume". Microsoft does enforce it for some endpoints though, for example when making changes via the O365 Admin Center. They also have a requirement that at least one of the SMTP addresses should match the UPN in O365 (not necessarily the primary one though).
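The accepted answer describes two different conditions: UPN equal to the primary SMTP address (the documented best practice) and UPN equal to at least one SMTP address (the weaker requirement the answer mentions). The following PowerShell is an added example, not code from the thread or from Microsoft, that reports both conditions per user. It assumes the on-premises ActiveDirectory module when run against a real directory, and the usual `proxyAddresses` convention where the upper-case `SMTP:` prefix marks the primary address and lower-case `smtp:` marks secondaries; the sample user objects and the `contoso.com` names are constructed.

```powershell
# Added example (not part of the original thread): audit UPN vs. SMTP alignment.
# Works on any objects exposing UserPrincipalName, mail and proxyAddresses,
# e.g. the output of Get-ADUser -Properties UserPrincipalName, mail, proxyAddresses.
function Test-UpnSmtpAlignment {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$User
    )
    process {
        foreach ($u in $User) {
            $upn = [string]$u.UserPrincipalName

            # Primary SMTP address: the entry with the upper-case "SMTP:" prefix (-clike is case-sensitive).
            $primary = ($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
                        Select-Object -First 1) -replace '^SMTP:', ''
            if (-not $primary) { $primary = [string]$u.mail }   # fall back to the mail attribute

            # Every SMTP address on the object, primary or secondary (-like is case-insensitive).
            $all = @($u.proxyAddresses | Where-Object { $_ -like 'smtp:*' } |
                     ForEach-Object { $_ -replace '^smtp:', '' })
            if ($u.mail) { $all += [string]$u.mail }

            [pscustomobject]@{
                UserPrincipalName = $upn
                PrimarySmtp       = $primary
                # Documented best practice: UPN equals the primary SMTP address.
                MatchesPrimary    = [bool]($upn -and $primary -and ($upn -ieq $primary))
                # Weaker condition from the answer: UPN equals at least one SMTP address.
                MatchesAnySmtp    = [bool]($all | Where-Object { $_ -ieq $upn })
            }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$sample = @(
    # UPN equals the primary SMTP address: satisfies both conditions.
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'
                       mail = 'alice@contoso.com'
                       proxyAddresses = @('SMTP:alice@contoso.com', 'smtp:alice.smith@contoso.com') }
    # UPN on a sub-domain that is only a secondary SMTP address: MatchesAnySmtp but not MatchesPrimary.
    [pscustomobject]@{ UserPrincipalName = 'bob@corp.contoso.com'
                       mail = 'bob@contoso.com'
                       proxyAddresses = @('SMTP:bob@contoso.com', 'smtp:bob@corp.contoso.com') }
    # UPN on a non-routable suffix that is not an SMTP address at all: matches nothing.
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.local'
                       mail = 'carol@contoso.com'
                       proxyAddresses = @('SMTP:carol@contoso.com') }
)

$sample | Test-UpnSmtpAlignment | Format-Table -AutoSize

# Against a real directory (requires the ActiveDirectory module), list only the users
# whose UPN matches none of their SMTP addresses:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail, proxyAddresses |
#     Test-UpnSmtpAlignment | Where-Object { -not $_.MatchesAnySmtp }
```

Run as written, the table shows alice with both columns True, bob with MatchesPrimary False and MatchesAnySmtp True, and carol with both False. Reporting the two conditions separately lets you distinguish accounts that merely fall short of the best practice from accounts that fail the stricter requirement the answer mentions.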

This may be a few years old, but security best practice is to keep these different. If they are the same, then you will receive brute force attacks trying to log in with the email addresses. When they are different along with using a sub-domain for the UPN, this attack surface is drastically minimized.

@Dean Gross I think this may be the reference you are looking for:


A UPN is an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than a distinguished name and easier to remember. By convention, this should map to the user's email name. The point of the UPN is to consolidate the email and logon namespaces so that the user only needs to remember a single name.

https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname
