Some time ago, we split a division of my company into its own legal entity. We decided upon a name, added it to our existing Office 365 tenant and switched primary email addresses of the associated employees.
Going against Microsoft's best practices we kept the original UPN, mostly because I was scared of the impact on the only Azure AD joined computer in our environment: mine 😁!
The documentation is good but lacks some details for my specific use case, so I reached out to the community with a tweet. The response was underwhelming, I'm blaming the time of day I posted this and the edge case of the problem, and not on my lack of reach 😉.
Who can tell me the behavior of an @azuread joined (cloud only) @Windows 10 when I change the UPN of the user? Support docs only mention hybrid join explicitly... #AzureAD #DTA #NotAskingForAFriend #AskingForMyself
— Yannick Reekmans (@YannickReekmans) May 4, 2020
I decided to just pull the trigger, well aware that my computer could become a very expensive brick, and just go with the flow
So what happened? Short answer: nothing particularly interesting. But it might still make a good blog post, so here it goes!
Windows 10
Like I stated before: my Windows 10 was Azure AD Joined with my original UPN and I logged in using that account (through Windows Hello).
When I changed my UPN from account@oldupn.com to account@newupn.com, Windows handled it very gracefully. It popped up the "Work or school account problem":
I clicked to notification, clicked the button to sign in again in the Settings app and it just figured it out. I didn't even had to re-authenticate.
This was surprising to say the least!
Office 365
Office 365 doesn't really depend on the UPN, so I didn't expect any issues there. There is one notable exception, being the SharePoint My Site url that historically contains the UPN. As a result, your OneDrive url and the url to your profile picture is impacted as well.
This resulted in a missing profile picture in the Office.com portal suite bar for a while, but a sign out/sign in solved that.
The OneDrive impact is a bit bigger and documented very well by Microsoft, so I'm not repeating that here. The sync client struggled for a while, but rebooting the computer resolved this immediately.
Microsoft Teams
Windows Client
The Microsoft Teams Windows client struggled a bit with this change. It kept insisting on using my old UPN on the welcome screen. When I clicked it, it had an authentication failure and asked me to sign in again.
After that first re-authentication with my new UPN, it started working without issue. When I sign out, I still see the old UPN on the purple button but when I click it, it signs me in automatically with my new UPN.
Since then I did a complete uninstall and reinstall (unrelated to this issue) of Microsoft Apps for Enterprise (aka Office ProPlus), and now I have my new UPN showing.
Web Client
The Teams Web Client in Edgium/ChrEdge/New Edge (how do we call this thing?) had even more issues. For whatever reason, https://teams.microsoft.com ended up in some sort of infinite loop and then showed "To open the web app, you need to change your browser settings to allow third-party cookies".
If, like me, you are tempted to click the "Try again" button: don't. It just puts you back in that same loop, ending up on the same screen.
Just click the "signing out" link and follow the steps, you'll be back Teams-ing in no time.
iOS mobile client
I had to sign out and then re-add my new account to the app.
Edgium/ChrEdge/Edge profile
I use my work account to sign into a profile within Edgium mostly to synchronize my favorites, and to keep all my different Office 365 tenants separate.
Edgium showed issues with syncing, and the simple solution was to go "Manage profiles" and sign out of the profile. It effectively stops the synchronization but keeps the local data. You click "Sign in" again, log in with the new credentials and that's it.
OneNote application
OneNote happily resumed synching all my notebooks, except for my personal one since it is hosted on my OneDrive. Given that the OneDrive url changed, the notebook lives under a new url as well.
This one is documented together with the OneDrive stuff, and you just close the notebook and reopen it.
To Do application
The To Do application on Windows sensed that something had changed and required me to re-authenicate with the new UPN, but then still showed the old UPN in its UI. A good old fashioned sign out and sign back in again fixed this.
Microsoft Apps for Enterprise / Office Pro Plus
Office Pro Plus just kept working, picking up on the change without an issue. It figured out that the UPN changed for the logged in user, but the "Belongs to" field for the license hasn't updated yet. I'm wondering if this just gets updated next time my license is checked.
Microsoft Authenticator
Microsoft Authenticator on iOS kept showing the old UPN up until the point I received an MFA prompt while I had to app open. It updated the UPN and that was it. I didn't have to reconfigure MFA, but I did have an issue with the phone sign in.
Passwordless for Azure AD accounts has been in preview for a while and allows you to tap a number in your authenticator app instead of entering the password.
For passwordless to work, you need to register your device with your organization and then find the correct account in the application to enable phone-based login.
I experienced that the phone based login was still activated for the new UPN and Azure AD tried to send me this numbers to approve, but I never received the prompts.
Apparently, this is a know issue: the account updates but the device registration doesn't. You have to go into Settings on your Authenticator app, tap Device registration and change the account name to the new one.
The result
I expected this to give me a lot more issues, specifically to my Azure AD joined Windows 10 but in the end everything went very smooth. This just proves the robustness of the Microsoft Identity Platform.