UPN and NameID

Like 0 Reputation points
2025-01-27T06:35:34.7366667+00:00

Hello everyone,

can someone please help me understand the difference between UPN and Unique User Identifier (Name ID)?

UPN

The UPN is used to authenticate the user. The UPN is a unique attribute, and the user is always authenticated in Azure using the UPN.

Name ID

So what is the purpose of the Name ID? No matter what I enter in the Name ID field in Azure, the user can authenticate in my Enterprise App, even if I set NameID="user.department" or NameID="user.surname". But this attribute value is the same for many users, so why can this user still authenticate? Does that mean that all users who, for example, have the same department or surname can authenticate in Azure? Am I understanding this correctly?

I tested again. For example, my NameID = employeeID. I changed all the attributes for a user (employeeId, UPN, department, surname, givenname) and this user was still able to authenticate in my Enterprise App. Only when I change the email address can the user not log in to my Enterprise application. That's why I don't understand what the NameID is used for, if authentication is done based on the email address anyway. What happens if a user's email address changes? Why is the user authenticated with an email address and not with the UPN?

Thank you very much

Best Regards


2 answers

  1. Ki-lianK-7341 845 Reputation points
    2025-01-27T07:55:02.28+00:00

    UPN (User Principal Name)

    • Purpose: Used for authenticating users in Azure AD.
    • Format: Typically an email address (e.g., user@domain.com).
    • Uniqueness: Must be unique within the directory.

    Name ID

    • Purpose: Used in SAML tokens to identify users.
    • Flexibility: Can be set to various attributes (e.g., employeeID, department).
    • Uniqueness: Does not need to be unique.

    Key Points

    • Authentication: Done using UPN.
    • Name ID: Used within SAML tokens, not for authentication.
    • Email Address: Often used as UPN; changing it affects login.

    If a user’s email (UPN) changes, they need to use the new email to log in. The Name ID can remain the same or be updated as needed.

    I hope this helps! Let me know if you have more questions.


  2. Navya 14,985 Reputation points Microsoft Vendor
    2025-01-27T12:27:45.1+00:00

    Hi @Like

    Thank you for posting this in Microsoft Q&A.

    UPN (User Principal Name) is a unique attribute in Microsoft Entra (Azure Active Directory) that is used to authenticate the user. The UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name).

    Name ID is a SAML attribute that is used to identify the user in a SAML assertion. It is not used for authentication, but rather for identification purposes. The Name ID can be any attribute that uniquely identifies the user, such as the employee ID, department, or surname. When a user logs in to a SAML-enabled application, the application receives a SAML assertion that includes the Name ID. The application can then use the Name ID to identify the user.

    Why users can authenticate even if they have the same department or surname

    The Name ID is not used for authentication. Authentication is done based on the UPN, which is always unique. The Name ID is only used for identification purposes.

    Why users are authenticated with an email address and not with the UPN

    Historically, the UPN was the primary identifier for authentication in Microsoft Entra ID, and for many organizations, the UPN was set to match the user's email address for a consistent sign-in experience. However, in some organizations, the UPN doesn’t match the preferred sign-in email (Primary SMTP address), which can create a less ideal login experience.

    To address this, organizations can configure the Microsoft Entra UPN to match the user’s email address, allowing users to authenticate using their email address instead of the UPN. While this provides a better user experience, it may cause compatibility issues with certain Microsoft 365 workloads.

    A more modern approach involves synchronizing the on-premises UPN with the user’s email address (via the ProxyAddresses attribute). This enables users to log in using their email address while maintaining synchronization between on-premises and Microsoft Entra ID. This flexibility ensures smoother authentication and accommodates different organizational requirements.

    For your reference: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-use-email-signin

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.
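Added example illustrating the point made in both answers above (this code is not from the thread or from Microsoft). It builds constructed SAML 2.0 assertions for two made-up users and shows what the service provider (the Enterprise App) actually sees: Entra has already authenticated the user by UPN before issuing the assertion, but the application only receives the assertion and keys its local account on the NameID, so a NameID sourced from a non-unique attribute such as department makes two different users indistinguishable on the application side. The user records, attribute names and the account-mapping logic are assumptions for the demo.

```python
"""Why the SAML NameID must be unique and stable for the service provider."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed directory records standing in for two Entra users.
# Alice and Bob share a department but have distinct UPNs and employee IDs.
USERS = [
    {"upn": "alice@contoso.example", "employeeId": "E1001", "department": "Finance"},
    {"upn": "bob@contoso.example", "employeeId": "E1002", "department": "Finance"},
]


def build_assertion(user: dict, name_id_source: str) -> str:
    """Emit a minimal, constructed SAML assertion whose NameID is the chosen attribute.

    This stands in for what the identity provider issues *after* it has already
    authenticated the user by UPN; values are simple strings, so no XML escaping
    is needed here.
    """
    attrs = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in user.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}">'
        f"<saml:Subject><saml:NameID>{user[name_id_source]}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def extract_name_id(assertion_xml: str) -> str:
    """What the service provider reads from the assertion to identify the user."""
    root = ET.fromstring(assertion_xml)
    return root.find("saml:Subject/saml:NameID", NS).text


def sp_accounts_for(name_id_source: str) -> dict:
    """Simulate the service provider mapping each assertion to a local account by NameID.

    Returns NameID -> list of UPNs of the real users that landed on that account.
    """
    accounts: dict = {}
    for user in USERS:
        nid = extract_name_id(build_assertion(user, name_id_source))
        accounts.setdefault(nid, []).append(user["upn"])
    return accounts


def collisions(name_id_source: str) -> list:
    """NameIDs shared by more than one user, i.e. users the application cannot tell apart."""
    return [nid for nid, upns in sp_accounts_for(name_id_source).items() if len(upns) > 1]
```

With `department` as the NameID source both users map to the single SP account "Finance", while `employeeId` or `upn` keeps them separate; changing the source attribute later changes every user's NameID and therefore breaks existing account links on the application side.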