Rahul-7230 asked ·

UPN - Not a durable identifier for the user and should not be used to key data. (Azure AD Optional claim)

Hi,

I need to understand UPN as optional claim.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-specific-optional-claims-set

As per the above link, it is mentioned as: upn (User Principal Name) - An identifier for the user that can be used with the username_hint parameter. Not a durable identifier for the user and should not be used to key data.

Shouldn't we pass UPN as an optional claim in the token? Is it not a best practice to pass UPN as an optional claim? What are the pros and cons?

What is meant by "Not a durable identifier for the user and should not be used to key data"?

Tags: azure-active-directory, azure-ad-authentication

1 Answer

ZenvanRiel-9776 answered ·

The UPN defined for an object (user) in Azure Active Directory can be changed by e.g. tenant admins.
The UPN needs to be unique across the AAD directory, which makes it look like an identifier, but as it can be changed it is not a safe identifier.
It is advisable to use the Object ID instead: this cannot be changed for a given user.

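The point of the answer above, as an added Python example that is not part of the original thread: the same user signs in twice, before and after a tenant admin renames the UPN, and a store keyed on `tid` + `oid` keeps one record while a store keyed on `upn` splits the user in two. The tokens, GUIDs and the `UserStore` class are constructed for this demo; the token is unsigned and `decode_payload` does no validation, which a real app must do with a JWT library before trusting the claims.

```python
import base64
import json

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder GUIDs, not real ids
OBJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    # Unsigned compact JWT with a placeholder signature segment, for this offline demo only.
    header = _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def decode_payload(token: str) -> dict:
    # Decodes the claims only; a real app validates signature, issuer, audience and expiry first.
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def durable_key(claims: dict) -> tuple:
    # tid + oid: the pair that does not change for a given user in a given tenant.
    try:
        return (claims["tid"], claims["oid"])
    except KeyError as missing:
        raise ValueError(f"token lacks required claim {missing}") from missing


def upn_key(claims: dict) -> str:
    return claims["upn"]  # the anti-pattern from the question: keying on a renamable value


class UserStore:
    def __init__(self, key_fn):
        self._key_fn, self._users = key_fn, {}

    def on_sign_in(self, token: str) -> None:
        claims = decode_payload(token)
        record = self._users.setdefault(self._key_fn(claims), {})
        record["upn"] = claims.get("upn")  # kept only as a display/login hint, refreshed each sign-in


def demo() -> tuple:
    # Same user signs in before and after a tenant admin renames the UPN.
    before = make_sample_token({"tid": TENANT_ID, "oid": OBJECT_ID, "upn": "alice@contoso.example"})
    after = make_sample_token({"tid": TENANT_ID, "oid": OBJECT_ID, "upn": "alice.smith@contoso.example"})
    durable, by_upn = UserStore(durable_key), UserStore(upn_key)
    for store in (durable, by_upn):
        for token in (before, after):
            store.on_sign_in(token)
    return len(durable._users), len(by_upn._users)  # (1, 2): the UPN-keyed store split one user in two
```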