Over the last few years I’ve worked on projects where we enable customers towards Office 365. Mail migration, collaboration (SharePoint) skype for business, yammer etc..
Most of the times we have difficult discussions about the choice that could be make about changing the userprincipalname and if it’s really required to change it.
Next to it, it looks like is has become a complex situation convincing our customers to choose for the one single identity. And understand the importance of it. Mostly struggling thought an assessment phase we give the understand to our customers that we should take enough time for the importancy of “identity”. Certainly in this time were security is one of the most important priorities for organizations to improve. And we don’t want to mix-up accounts and make new account for each platform where we like a user could connect to.
In this blog I would like you to understand from an end-user and administrator perspective why to choose for a single identity, cross-premises. And how we could start from this perspective to guarantee that it will become easier for you and your end-users.
In parallel i’ve mixed it with the discussion of changing a part of your identity which is an uniform userlogonname, the userprincipalname.
Hybrid identity – is it a central identity?
“The core of a Microsoft-based centralized identity is Active Directory.” As for a lot of customers we see they have a well implement Active Directory in their organization on a mature and strict way. They use their identity for signing in on their devices, use their identity for their CRM solution, HR platforms, etc…
Hybrid identity – cross premises.
Now, after we have our ‘central identity’ platform ADDS on-premise. We could extend this towards another premise. Therefore we use Azure AD to synchronize the on-premise identity towards Azure Active Directory.
“What is a UserPrincipalname, should it change, and if we change it, will we impact all our users?”
It’s one of the most raised questions, and it could be a complex one. An userprincipalname is the logon name for the user to authenticate toward Active Directory. In an O365 deployment it’s the unique identifier we are using through the environment. As for exchange on-premise and in the cloud.
Administrators are aware where to find it, but let me show you what I meant:
Blue = Userprincipalname = Userlogon (max lenght in characters 64)
Orange Samaccount = Pre-Windows 2000 Logon (max lenght in characters 20)
Like it or not, working towards an identity synchronization directory requires some effort for administrators to provide the best experience for your end-users. In a lot of companies we see a difference in configuration when we are talking about UserPrincipalName (UPN) and the synchronization of it. Some companies are confident that they should not change their UPN and keep them identical to the samaccount. Some choose to change the UPN to the mail address.
For better user experience. It’s well recommended to change the UPN and match it with the primary mailaddress. Make it synchronized to have the same identical name in the on-premise environment as in the cloud.
Make it easier for your users:
When logging in in Onedrive, Onenote and almost all Microsoft services you will be asked to fill-in your mail address. But they mean your UPN.
Skype for Business:
When using skype for business, your default ‘login’ will be your SIP Address. So it is unclear for a user which login they should enter. You could update your SIP addresses to have the same identifier as your mail/upn. Or you could choose for a different address and let your business contacts know that you cannot be reached on your mail address but on your dedicated Skype For Business address. So splitting up your mail address and skype address could be chosen.
What about federation:
You could implement Active Directory Federation Services (ADFS) to have Single Sign-on (SSO) features to help your user logging-in in O365 services. Keep in mind that when they are at home they still need to go through the ADFS and authenticate based on Windows Authentication or Forms Authentication.
Bring it all together:
For an end-user perspective, it’ best to explain your employees that since you are moving more and more services to Office 365 to start working with their UserPrincipalname which is their mail address.
Keep it simple: Let your employees login with 1 identifier which is their mail skype and every other Office 365 services address.
And If it requires a change, let’s do it right away. Communicate the change to all your employees. So you could start as soon as possible with their one and only, simple, single identity.