In the last video, I gave you a high-level overview of Office 365 Identity features. There is one critical thing true for all these scenarios and if you don’t follow that rule, you will make your user’s life hell. It’s Office 365 login and UPNs.
A story about a happy user
Let’s start with a story about the environment where everything is set up properly and users and admins are living happily doing their jobs. In this story, our hero is using his email to access all the systems and applications. He starts with accessing his computer. Then he uses the same credentials to access all his productivity applications.
Every application is accessible using these credentials. He can also talk to his external partners on Skype for Business. He can also access files shared with him by those partners who also use Office 365. And all this only by using his email and password.
OK, let’s come back to Earth. Why did I mention emails so many times? Because this story should be about UPN – User Principal Name, but hardly anyone knows what this means – especially the end users.
Types of logins
Simplifying a bit, each user account in AD has two logins:
- SAM Account Name – i.e. PREDICA\Mareka
- User Principal Name – i.e. email@example.com or firstname.lastname@example.org
In our story, our hero had the following setup:
- UPN was set to email@example.com
- Primary mail was setup to firstname.lastname@example.org
- SIP was setup to email@example.com
Why is such setup essential? Well, the answer is very simple – it gives peace of mind to end users and the IT staff. It allows using many scenarios without straining your brain cells.
You can tell your users just to use their email and password every time they are being asked for credentials. I know all of the security guys are cursing me right now, I hear your bashing – “oooh C’mon man, users can’t give their credentials without thinking about it” – yes, I agree. Period. Let’s move on.
Hardcore Office 365 login journey
Let’s think about what happens in the most pessimistic scenario in the most complicated setup. Hold on, cause it will be a hardcore journey.
Imagine we have a user, who is being managed in AD with the following attributes:
- SAM Account Name is ad\marekantoniuk
- UPN is firstname.lastname@example.org
- Primary mail is email@example.com
- SIP is firstname.lastname@example.org
I guarantee that with such a configuration you will make your and your user’s life much more complicated than it’s necessary. Let’s go through some scenarios that are the result of a mess with UPNs, emails, and SIPs.
First – the user logs on to the computer added to the Active Directory. He can use SAM Account name or UPN, so either ad\marekantoniuk or email@example.com is possible here.
Second – he configures his cloud mailbox that is in the hybrid environment. He must then type his email (firstname.lastname@example.org) – if it’s different than the cloud login, he is asked for cloud credentials. Then he is transferred to Exchange on-premise, and another login window appears. He must type his SAM Account Name or UPN.
Third – if you have ADFS enabled, during logging into the cloud, the user is redirected to your AD, so on the first screen he must put his e-mail, and on the second one (if you didn’t configure alternative login ID) he should type his SAM Account name or UPN.
Fourth – he tries to connect to Skype for Business – in the case of autodiscovery failure, he must enter his SIP and his credentials in the application. But which credentials?
Fifth – another user asks our hero for his email, to send him an invitation to a shared folder on his OneDrive. Nothing works because of the difference between the login name and the original e-mail.
Are you lost? Good, me too. So are many users…
This example is a hardcore one, and I did it because of many similar real life cases. We work with many customers, and often IT doesn’t want to make proper cleanup of AD and leaves users with such headaches. The result is, in more complicated scenarios, no one knows which login name one should use. UPN, email, SIP? They try all of them with or without luck.
So what’s the point? What’s my message?
Please. Go the extra mile. Don’t hesitate to deploy cloud correctly, to properly clean up your AD. Your users probably won’t tell you they love you if you do that. But they will HATE YOU if you don’t. Remember that changing UPN is an entirely reversible and safe scenario.
That’s it for today. If you need help or have some questions don’t hesitate to contact us or just give a comment below. Feel like having even more handy advice? You can request a direct 1-on-1 online session with me – just click here.