Browse Definitions :

User Principal Name (UPN)

What is a User Principal Name (UPN)?

In Microsoft Active Directory, a User Principal Name (UPN) is a username and domain in an email address format. In a UPN, the username is followed by a separator "at sign" (@) followed by the active directory's internet domain.

An example UPN is [email protected] In this example "tomw" is the username and "" is the domain's fully qualified domain name (FQDN) and registered web address as a suffix. The domain's NetBIOS name is "corp." The UPN is used instead of down-level logon name corp\tomw.

All Active Directory user accounts must have a UPN. An implicit UPN is generated by the system at account creation if a UPN is not explicitly created by an administrator. Each UPN must be unique in the domain.

What are the services in Active Directory?
The User Principal Name in Microsoft Active Directory is an email addresses formatted username and domain.

UPNs are useful because they are more standards complaint than using the down-level logon name with a backslash. They are based on internet standard RFC 822. This allows them to be used for authentication with web services and non-Windows operating systems. The UPN can be used for federated, SAML and OAuth scenarios.

Is a UPN the same as an email address?

A UPN is not the same as the user's email address. In many cases they are the same value for ease of use, but UPN and email have different internal uses and are defined in different active directory attributes. The UPN can be adjusted by an administrator to a different value. The user's email address can also be changed to another value. The UPN and email address may be different if the domain's FQDN isn't internet routable and a different web domain is needed for the email to function.

Having a user's UPN and primary email SMTP address be different values can cause issues. For example, an ActiveSync email client can use the email address to autodiscover the correct server and then use the email as the login name. If the UPN and email are different however, the user may need to manually enter the server address and then enter the similar looking but different username.

UPN and Azure Active Directory

Microsoft Windows Azure Active Directory is a cloud-based implementation of Active Directory. It uses UPN as the username or primary account identity. While a user may only need to enter their username in on-premises authentication, for Azure AD the user will almost always need to enter their full UPN.

By default, on Azure AD the UPN is set to [email protected] to ensure a globally unique value. If an internet domain name has been verified by Azure AD, that domain can be used as the UPN suffix. An administrator can change a user's UPN with remote PowerShell commands.

An administrator can set an Alternate Logon ID instead of the UPN. This can be used in scenarios where the email address and UPN are different due to policy or application dependency. The user could then login with their familiar email address instead of with their UPN.

How to change a UPN in Active Directory

In Active Directory Users and Computers tool, available in Remote Server Administration tools (RSAT), open the user account properties. On the Account tab, change the User logon name prefix or suffix.

In PowerShell, use the following:

Import-Module ActiveDirectory
Set-ADUser username -UserPrincipalName [email protected]

How to Change a UPN in Azure Active Directory

Use the following in PowerShell:

Import-Module MSOnline
Set-MSOUserPrincipalName -UserPrincipalName oldupn -NewUserPrincipalName newupn

See how to set up automated log collection with PowerShell, why you should consider Azure AD group-based licensing for Office 365 users and how to get started with Azure AD entitlement management.

This was last updated in December 2022

Continue Reading About User Principal Name (UPN)

  • Network as a Service (NaaS)

    Network as a service, or NaaS, is a business model for delivering enterprise WAN services virtually on a subscription basis.

  • network configuration management (NCM)

    Network configuration management is the process of organizing and maintaining information about all of the components in a ...

  • presentation layer

    The presentation layer resides at Layer 6 of the Open Systems Interconnection (OSI) communications model and ensures that ...

  • zero-day (computer)

    A zero-day is a security flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching ...

  • backdoor (computing)

    A backdoor attack is a means to access a computer system or encrypted data that bypasses the system's customary security ...

  • Heartbleed

    Heartbleed was a vulnerability in some implementations of OpenSSL, an open source cryptographic library.

  • team collaboration

    Team collaboration is a communication and project management approach that emphasizes teamwork, innovative thinking and equal ...

  • employee self-service (ESS)

    Employee self-service (ESS) is a widely used human resources technology that enables employees to perform many job-related ...

  • learning experience platform (LXP)

    A learning experience platform (LXP) is an AI-driven peer learning experience platform delivered using software as a service (...

Customer Experience
  • social media influence

    Social media influence is a marketing term that describes an individual's ability to affect other people's thinking in a social ...

  • headless commerce (headless e-commerce)

    Headless commerce, also called headless e-commerce, is a platform architecture that decouples the front end of an e-commerce ...

  • chief customer officer (CCO)

    A chief customer officer, or customer experience officer, is responsible for customer research, communicating with company ...