entra ID connect MSOL accounts - no UPN

Question

entra ID connect MSOL accounts - no UPN

John Curtiss 66

i have a couple of Entra ID connect servers, formerly known as Azure AD connect servers. each of the servers has an "MSOL_GiBbErIsh123" account associated with it. i assume these are created automatically when azuread connect is installed. i inherited this, and it has been working fine.

in the "account" tab on the properties for both of these accounts, there is no UPN. that is, the top "User Logon Name" is blank, with no domain selected, but the bottom "User Logon Name (pre-windows 2000:) is populated. (samaccountname exists but userprincipalname is blank)

it seems wildly inconsequential to add the upn, but the idea that microsoft created them this way purposely instead of accidentally makes me hesitant to just drop it in there. does anybody know why the MSOL accounts don't have UPNs?

(i have a procurement/security software that I believe is having trouble reading these accounts because of the missing UPN)

2 answers

Your answer

Answer 1

Marcin Policht 39,685 MVP

If an AD DS user account does not have an explicitly assigned UPN, it is automatically assigned the UPN associated with the AD DS forest - so every account has the UPN set (even though it might not appear in GUI-based tools)

If you have software that requires an explicitly assigned UPN, you can simply assign it directly to the user account by ADUC/ADAC/etc...

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

John Curtiss 66 Reputation points

2025-01-08T20:46:31.4033333+00:00

ok. i just ran :

get-aduser -filter {userprincipalname -notlike "*" -and enabled -eq $true} | select name

and these two MSOL accounts are are the only results. so it seemed fishy to me.
John Curtiss 66 Reputation points

2025-01-08T20:49:13.92+00:00

ok. i just ran

get-aduser -filter {userprincipalname -notlike "*" -and enabled -eq $true} | select name

and these two MSOL accounts were the only results out of ~9,000 accounts. so it seemed fishy to me.
Marcin Policht 39,685 Reputation points MVP

2025-01-09T00:25:10.7233333+00:00

Refer to https://learn.microsoft.com/en-us/windows/win32/secauthn/user-name-formats

A UPN can be implicitly or explicitly defined. An implicit UPN is of the form ******@DNSDomainName.com. An implicit UPN is always associated with the user's account, even if an explicit UPN is not defined.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Answer 2

Akhilesh Vallamkonda 13,060 Microsoft External Staff

Hi @John Curtiss

Thank you for reaching Microsoft Q&A Forum!

Generally, the UPN is typically used for user logon purposes. The absence of a User Principal Name (UPN) for these accounts is intentional, because these service accounts don't require a UPN because they are not used for interactive logon, Instead, they rely on the SAMAccountName.
The MSOL accounts are created by Entra Connect and are used for synchronization purposes only between your on-premises Active Directory and Entra ID.
It is not necessary to add a UPN to the MSOL accounts and could potentially cause issues with the synchronization service.

Hope this helps. Do let us know if you any further queries by responding in the comments section.

Thanks,

Akhilesh V.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

John Curtiss 66 Reputation points

2025-01-09T21:03:09.69+00:00

is there any reason i shoujldn't add the upn?
Marcin Policht 39,685 Reputation points MVP

2025-01-10T05:59:31.2266667+00:00

There is no specific downside of adding an explicit UPN - unless you're planning on changing the primary UPN associated with the forest (since using the implicit UPN in such case would eliminate the need to change it explicitly for all user accounts that are configured with the implicit UPN).

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Akhilesh Vallamkonda 13,060 Reputation points Microsoft External Staff

2025-01-13T21:33:33.7233333+00:00

Hi @John Curtiss
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Akhilesh Vallamkonda 13,060 Reputation points Microsoft External Staff

2025-01-15T21:00:36.6466667+00:00

Hi @John Curtiss
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

entra ID connect MSOL accounts - no UPN

2 answers

Your answer