Browse Definitions :

User Principal Name (UPN)

What is a User Principal Name (UPN)?

In Microsoft Active Directory, a User Principal Name (UPN) is a username and domain in an email address format. In a UPN, the username is followed by a separator "at sign" (@) followed by the active directory's internet domain.

An example UPN is [email protected]. In this example "tomw" is the username and "" is the domain's fully qualified domain name (FQDN) and registered web address as a suffix. The domain's NetBIOS name is "corp." The UPN is used instead of down-level logon name corp\tomw.

All Active Directory user accounts must have a UPN. An implicit UPN is generated by the system at account creation if a UPN is not explicitly created by an administrator. Each UPN must be unique in the domain.

What are the services in Active Directory?
The User Principal Name in Microsoft Active Directory is an email addresses formatted username and domain.

UPNs are useful because they are more standards complaint than using the down-level logon name with a backslash. They are based on internet standard RFC 822. This allows them to be used for authentication with web services and non-Windows operating systems. The UPN can be used for federated, SAML and OAuth scenarios.

Is a UPN the same as an email address?

A UPN is not the same as the user's email address. In many cases they are the same value for ease of use, but UPN and email have different internal uses and are defined in different active directory attributes. The UPN can be adjusted by an administrator to a different value. The user's email address can also be changed to another value. The UPN and email address may be different if the domain's FQDN isn't internet routable and a different web domain is needed for the email to function.

Having a user's UPN and primary email SMTP address be different values can cause issues. For example, an ActiveSync email client can use the email address to autodiscover the correct server and then use the email as the login name. If the UPN and email are different however, the user may need to manually enter the server address and then enter the similar looking but different username.

UPN and Azure Active Directory

Microsoft Windows Azure Active Directory is a cloud-based implementation of Active Directory. It uses UPN as the username or primary account identity. While a user may only need to enter their username in on-premises authentication, for Azure AD the user will almost always need to enter their full UPN.

By default, on Azure AD the UPN is set to [email protected] to ensure a globally unique value. If an internet domain name has been verified by Azure AD, that domain can be used as the UPN suffix. An administrator can change a user's UPN with remote PowerShell commands.

An administrator can set an Alternate Logon ID instead of the UPN. This can be used in scenarios where the email address and UPN are different due to policy or application dependency. The user could then login with their familiar email address instead of with their UPN.

How to change a UPN in Active Directory

In Active Directory Users and Computers tool, available in Remote Server Administration tools (RSAT), open the user account properties. On the Account tab, change the User logon name prefix or suffix.

In PowerShell, use the following:

Import-Module ActiveDirectory
Set-ADUser username -UserPrincipalName [email protected]

How to Change a UPN in Azure Active Directory

Use the following in PowerShell:

Import-Module MSOnline
Set-MSOUserPrincipalName -UserPrincipalName oldupn -NewUserPrincipalName newupn

See how to set up automated log collection with PowerShell, why you should consider Azure AD group-based licensing for Office 365 users and how to get started with Azure AD entitlement management.

This was last updated in December 2022

Continue Reading About User Principal Name (UPN)

  • timing attack

    A timing attack is a type of side-channel attack that exploits the amount of time a computer process runs to gain knowledge about...

  • privileged identity management (PIM)

    Privileged identity management (PIM) is the monitoring and protection of superuser accounts that hold expanded access to an ...

  • possession factor

    The possession factor, in a security context, is a category of user authentication credentials based on items that the user has ...

  • employee resource group (ERG)

    An employee resource group is a workplace club or more formally realized affinity group organized around a shared interest or ...

  • employee training and development

    Employee training and development is a set of activities and programs designed to enhance the knowledge, skills and abilities of ...

  • employee sentiment analysis

    Employee sentiment analysis is the use of natural language processing and other AI techniques to automatically analyze employee ...

Customer Experience
  • customer profiling

    Customer profiling is the detailed and systematic process of constructing a clear portrait of a company's ideal customer by ...

  • customer insight (consumer insight)

    Customer insight, also known as consumer insight, is the understanding and interpretation of customer data, behaviors and ...

  • buyer persona

    A buyer persona is a composite representation of a specific type of customer in a market segment.