UserPrincipalName (UPN) in Active Directory is the domain login username in the format of an e-mail address, for example jbrion@contoso.com. In this example, jbrion is the user’s domain login and contoso.com is the UPN suffix. By default, Active Directory uses the domain name as the UPN suffix. You can add additional UPN suffixes for your domain users from the GUI and from PowerShell.
First, you need to add an additional UPN suffix for the entire domain. To do this:
- Run the Active Directory Domains and Trusts console (domain.msc) with domain admin permissions;
- Right-click on the console root and select Properties;
- Specify an additional domain name in the Alternative UPN suffixes field and click Add. In this example, we added the UPN suffix theitbros.com;
- You can add several additional UPN suffixes.
You can list available UPN suffixes in a domain using PowerShell:
Get-ADForest | Format-List Domains,UPNSuffixes
In this example, the domain name is contoso.com and one alternate UPN suffix is available (theitbros.com).
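The same step can be done from PowerShell. The following is an added example (not code from the original post) that registers the additional suffix used above with Set-ADForest and then re-reads the forest to confirm it is listed. It assumes the ActiveDirectory module (RSAT) is installed and that the session has rights to modify the forest; the suffix value theitbros.com is the one used in the post.

```powershell
# Added example: register an additional UPN suffix for the forest with PowerShell
# and confirm it is present. Assumes the ActiveDirectory module is installed and
# the account running this can modify forest-level settings.
Import-Module ActiveDirectory

$NewSuffix = 'theitbros.com'   # suffix from the post; replace with your own
$Forest    = Get-ADForest

if ($Forest.UPNSuffixes -contains $NewSuffix) {
    Write-Host "UPN suffix '$NewSuffix' is already registered in forest $($Forest.Name)."
}
else {
    # -UPNSuffixes takes a hashtable with Add / Remove / Replace keys
    Set-ADForest -Identity $Forest.Name -UPNSuffixes @{ Add = $NewSuffix }
}

# Verify by re-reading the forest object instead of trusting the local variable
$Forest = Get-ADForest
$Forest | Format-List Domains, UPNSuffixes

if ($Forest.UPNSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' was not registered."
}
```

Re-reading the forest after the change is the part worth keeping: it proves the suffix actually landed in the directory before you start assigning it to users.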
You can now assign a new UPN suffix to your user accounts. What do you need to know about the UserPrincipalName attribute?
- UPN is an Internet-style user login name (identifier) based on Internet standard RFC 822;
- The value of the UserPrincipalName attribute may match the user's e-mail address, but it does not have to;
- The values of the UserPrincipalName attribute must be unique among all of the security principal objects in the directory forest;
- The maximum size of the UserPrincipalName is 256 characters;
- The UserPrincipalName attribute is optional, unlike samAccountName.
You can also read about the difference between the samAccountName and UserPrincipalName attributes.
Now you can change the value of UserPrincipalName for the AD user:
- To do this, run the Active Directory Users and Computers snap-in (ADUC) with domain administrator privileges;
- Find the user and open its properties;
- Go to the Account tab;
- From the drop-down list, select one of the available UPN suffixes to assign to the user and save the changes. We set @theitbros.com as the user’s UPN suffix;
- Navigate to the Attribute Editor tab and check that the value in the UserPrincipalName attribute has been updated.
If you need to change the UserPrincipalName for more than one user, follow these steps:
- Select the list of users (use Shift and Ctrl) in the ADUC console and open their properties;
- Go to the Account tab, enable the UPN suffix checkbox, and select the UPN suffix value that you want to set for the users.
- This will update the value of UserPrincipalName for all users.
You can also change the UserPrincipalName for a user using the Set-ADUser PowerShell cmdlet.
Get the current UserPrincipalName of the user:
Get-ADUser j.brion | Select-Object UserPrincipalName
Set up a new UserPrincipalName for the user:
Get-ADUser j.brion | Set-ADUser -UserPrincipalName j.brion@theitbros.com
Verify that the UserPrincipalName was updated successfully.
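When the change covers more than one user, the PowerShell route is easier to check than the multi-select dialog in ADUC. The following is an added example (not from the original post) that changes the UPN suffix for every user in an OU and, before each change, enforces the constraints listed earlier: the suffix must be registered in the forest, the new value must stay within the 256-character limit, and it must be unique across the forest. It assumes the ActiveDirectory module is installed; the OU path is a placeholder, the suffix is the one used in the post, and the forest-root global catalog on port 3268 is used for the uniqueness lookup.

```powershell
# Added example: bulk UPN suffix change with validation and a dry-run switch.
# Assumes the ActiveDirectory module; $TargetOU is a placeholder for your own OU.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Sales,DC=contoso,DC=com'   # placeholder OU, adjust for your domain
$NewSuffix = 'theitbros.com'                  # suffix from the post
$DryRun    = $true                            # set to $false to apply the changes

# 1. The suffix must be registered in the forest (or be a domain name in it),
#    otherwise the new UPN cannot be used for logon.
$forest  = Get-ADForest
$allowed = @($forest.UPNSuffixes) + @($forest.Domains)
if ($allowed -notcontains $NewSuffix) {
    throw "'$NewSuffix' is not a registered UPN suffix in forest $($forest.Name)."
}

# Global catalog of the forest root domain, used for the forest-wide uniqueness check
$gc = "$($forest.Name):3268"

$users = Get-ADUser -Filter * -SearchBase $TargetOU -Properties UserPrincipalName

foreach ($user in $users) {
    # Build the new UPN from the user's login name and the new suffix
    $newUpn = "$($user.SamAccountName)@$NewSuffix"

    # 2. Length limit stated in the post
    if ($newUpn.Length -gt 256) {
        Write-Warning "Skipping $($user.SamAccountName): new UPN exceeds 256 characters."
        continue
    }

    # 3. UPN must be unique among all security principals in the forest:
    #    look for any other object that already carries this value.
    $conflict = Get-ADObject -Server $gc -LDAPFilter "(userPrincipalName=$newUpn)" |
                Where-Object { $_.ObjectGUID -ne $user.ObjectGUID }
    if ($conflict) {
        Write-Warning "Skipping $($user.SamAccountName): $newUpn is already used by $($conflict.DistinguishedName)."
        continue
    }

    if ($user.UserPrincipalName -eq $newUpn) {
        Write-Host "$($user.SamAccountName): already $newUpn"
        continue
    }

    Write-Host "$($user.SamAccountName): $($user.UserPrincipalName) -> $newUpn"
    # -WhatIf:$true only reports what would change; nothing is written to AD
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf:$DryRun
}

# Verify the result for the whole OU
Get-ADUser -Filter * -SearchBase $TargetOU -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName
```

Run it first with $DryRun left at $true and read the output; the Write-Warning lines show exactly which accounts would be skipped and why, which is the information you lose when the ADUC multi-select dialog simply applies the suffix to everything selected.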