UPN - Not a durable identifier for the user and should not be used to key data. (Azure AD Optional claim)

Question

question

Rahul-7230 asked May 29, '20 ZenvanRiel-9776 answered May 30, '20

UPN - Not a durable identifier for the user and should not be used to key data. (Azure AD Optional claim)

Hi ,

I need to understand UPN as optional claim.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-specific-optional-claims-set

As per above link it's mentioned as upn (User Principal Name) - An identifier for the user that can be used with the username_hint parameter. Not a durable identifier for the user and should not be used to key data.

We shouldn't pass UPN as optional claim in token ? Is it not a best practice to pass UPN as optional claim ? What are the pros and cons ?

What is meant by Not a durable identifier for the user and should not be used to key data ?

azure-active-directory azure-ad-authentication

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2020-05-30T14:29:50.387Z

ZenvanRiel-9776 answered May 30, '20

The UPN defined for an object (user) in Azure Active Directory can be changed by e.g. tenant admins.
The UPN needs to be unique across the AAD directory, which makes it look like an identifier, but as it can be changed it is not a safe identifier.
It is advisable to use the Object ID instead: this cannot be changed for a given user.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

question