The UPN defined for an object (user) in Azure Active Directory can be changed by, e.g., tenant admins.
The UPN needs to be unique across the AAD directory, which makes it look like an identifier, but, as it can be changed, it is not a safe identifier.
It is advisable to use the Object ID instead: this cannot be changed for a given user.
UPN - Not a durable identifier for the user and should not be used to key data. (Azure AD Optional claim)
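The accepted answer's point, as an added example that is not code from this page, from Microsoft, or from the people posting here: the same small user store is keyed once on `upn` and once on `(tid, oid)`, then driven through a UPN rename and a later reassignment of the old UPN to a different user. The tenant ID, object IDs, UPNs and tokens are constructed for the example; the tokens are unsigned stand-ins for real Azure AD tokens, so no signature validation happens here (a real app must validate the token before trusting any claim).

```python
import base64
import json

# Constructed tenant and object IDs for this example (not real identifiers).
TENANT_ID = "11111111-1111-1111-1111-111111111111"
ALICE_OID = "aaaaaaaa-0000-0000-0000-000000000001"
NEW_HIRE_OID = "bbbbbbbb-0000-0000-0000-000000000002"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(claims: dict) -> str:
    """Build an unsigned compact JWT for the example only (constructed input).
    Real Azure AD tokens are signed; this stand-in just carries the claims."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def claims_from_token(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    No signature check here because the tokens are constructed above. In a
    real app validate signature, issuer, audience and expiry first (e.g. with
    PyJWT against the tenant's JWKS); only then are the claims trustworthy.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def key_by_upn(claims: dict) -> str:
    """The fragile choice: upn is mutable and the value can be reassigned."""
    return claims["upn"].lower()


def key_by_oid(claims: dict) -> tuple:
    """The durable choice: oid does not change for the object; tid scopes it
    so a multi-tenant app cannot confuse objects from different directories."""
    return (claims["tid"], claims["oid"])


class UserStore:
    """Tiny per-user record store parameterised by the key function."""

    def __init__(self, key_func):
        self._key = key_func
        self._records = {}

    def save(self, claims: dict, record: dict) -> None:
        self._records[self._key(claims)] = record

    def lookup(self, claims: dict):
        return self._records.get(self._key(claims))


def run_scenario() -> dict:
    # 1. Alice signs in and the app stores her role.
    alice_v1 = claims_from_token(make_test_token({
        "tid": TENANT_ID, "oid": ALICE_OID, "upn": "alice@contoso.example"}))
    # 2. A tenant admin renames Alice: oid is unchanged, upn is not.
    alice_v2 = claims_from_token(make_test_token({
        "tid": TENANT_ID, "oid": ALICE_OID, "upn": "alice.smith@contoso.example"}))
    # 3. The old UPN is later given to a new hire with a different oid.
    new_hire = claims_from_token(make_test_token({
        "tid": TENANT_ID, "oid": NEW_HIRE_OID, "upn": "alice@contoso.example"}))

    results = {}
    for name, key_func in (("upn", key_by_upn), ("oid", key_by_oid)):
        store = UserStore(key_func)
        store.save(alice_v1, {"role": "admin"})
        results[name] = {
            "renamed_alice": store.lookup(alice_v2),  # should still be admin
            "new_hire": store.lookup(new_hire),        # should be None
        }
    return results


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Keyed on `upn`, the renamed Alice loses her record and the new hire silently inherits her admin role; keyed on `(tid, oid)` both lookups come out right. The same reasoning applies to `preferred_username`, which is also a mutable display value. `upn` is still fine for what the documentation says it is for: showing the user who they are signed in as, or pre-filling a login prompt via `username_hint`.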
Rahul 246 Reputation points
Hi,
I need to understand UPN as an optional claim.
As per the above link, it's mentioned as: upn (User Principal Name) - An identifier for the user that can be used with the username_hint parameter. Not a durable identifier for the user and should not be used to key data.
Shouldn't we pass UPN as an optional claim in the token? Is it not a best practice to pass UPN as an optional claim? What are the pros and cons?
What is meant by "Not a durable identifier for the user and should not be used to key data"?
Accepted answer
Zen van Riel 86 Reputation points
2020-05-30T14:29:50.387+00:00