User Principal Name (UPN)

What is a User Principal Name (UPN)?

In Microsoft Active Directory, a User Principal Name (UPN) is a username and domain in an email address format. In a UPN, the username is followed by a separator "at sign" (@) followed by the active directory's internet domain.

An example UPN is [email protected]. In this example "tomw" is the username and "corp.techtarget.com" is the domain's fully qualified domain name (FQDN) and registered web address as a suffix. The domain's NetBIOS name is "corp." The UPN is used instead of down-level logon name corp\tomw.

All Active Directory user accounts must have a UPN. An implicit UPN is generated by the system at account creation if a UPN is not explicitly created by an administrator. Each UPN must be unique in the domain.

UPNs are useful because they are more standards complaint than using the down-level logon name with a backslash. They are based on internet standard RFC 822. This allows them to be used for authentication with web services and non-Windows operating systems. The UPN can be used for federated, SAML and OAuth scenarios.

Is a UPN the same as an email address?

A UPN is not the same as the user's email address. In many cases they are the same value for ease of use, but UPN and email have different internal uses and are defined in different active directory attributes. The UPN can be adjusted by an administrator to a different value. The user's email address can also be changed to another value. The UPN and email address may be different if the domain's FQDN isn't internet routable and a different web domain is needed for the email to function.

Having a user's UPN and primary email SMTP address be different values can cause issues. For example, an ActiveSync email client can use the email address to autodiscover the correct server and then use the email as the login name. If the UPN and email are different however, the user may need to manually enter the server address and then enter the similar looking but different username.

UPN and Azure Active Directory

Microsoft Windows Azure Active Directory is a cloud-based implementation of Active Directory. It uses UPN as the username or primary account identity. While a user may only need to enter their username in on-premises authentication, for Azure AD the user will almost always need to enter their full UPN.

By default, on Azure AD the UPN is set to [email protected] to ensure a globally unique value. If an internet domain name has been verified by Azure AD, that domain can be used as the UPN suffix. An administrator can change a user's UPN with remote PowerShell commands.

An administrator can set an Alternate Logon ID instead of the UPN. This can be used in scenarios where the email address and UPN are different due to policy or application dependency. The user could then login with their familiar email address instead of with their UPN.

How to change a UPN in Active Directory

In Active Directory Users and Computers tool, available in Remote Server Administration tools (RSAT), open the user account properties. On the Account tab, change the User logon name prefix or suffix.

In PowerShell, use the following:

Import-Module ActiveDirectory
Set-ADUser username -UserPrincipalName [email protected]

How to Change a UPN in Azure Active Directory

Use the following in PowerShell:

Import-Module MSOnline
Set-MSOUserPrincipalName -UserPrincipalName oldupn -NewUserPrincipalName newupn

See how to set up automated log collection with PowerShell, why you should consider Azure AD group-based licensing for Office 365 users and how to get started with Azure AD entitlement management.