Exchange – logging in with email address different from UPN

Tags: active-directory, exchange

How can I configure Exchange to enable logging in with an email address, preferably without changing the userPrincipalName attribute in AD?

The AD domain is example.com, therefore the typical userPrincipalName is username@example.com. However, email addresses look different: givenname.surname@example.net, i.e. they are in a different domain and contain the person's name instead of the username.

What are the options?

Unfortunately I'm not a system administrator, nor am I experienced with MS products. Detailed answers are appreciated.

Best Answer

Why?

For a detailed answer... By the definition of the User-Principal-Name attribute:

This attribute contains the UPN that is an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user email name.

So the UPN is the only valid login name for a user, and by convention (and for better user experience) it should be the same as the primary email address set in the Proxy-Addresses attribute. Even when you add or remove email addresses in the Exchange admin center (EAC) or by using the Exchange Management Shell, it will actually change your Proxy-Addresses:

The additional addresses are called proxy addresses. A proxy address lets a user receive email that’s sent to a different email address. Any email message sent to the user's proxy address is delivered to their primary email address, which is also known as the primary SMTP address or the default reply address.

In multi-domain systems you can achieve this by ensuring that both parts of the UPN

  • UPN prefix aka user account name and
  • UPN suffix aka DNS domain name

match the primary SMTP address. The UPN suffix doesn't depend on the Active Directory domain (a collection of objects) where the OU and the user are stored, as it can also be another domain from the forest or any domain listed in the UPN-Suffixes attribute.

A UPN suffix has the following restrictions (from User Naming Attributes):

  • It must be the DNS name of a domain, but does not need to be the name of the domain that contains the user.
  • It must be the name of a domain in the current domain forest, or an alternate name listed in the upnSuffixes attribute of the Partitions container within the Configuration container.

How?

As described above, you need to change the userPrincipalName. However, you don't have to change your AD domain name, as you can Add User Principal Name Suffixes:

  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
  2. In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.
  3. On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.
  4. Repeat step 3 to add additional alternative UPN suffixes.

The additional domains will appear on the suffix side of Account: User logon name in the User Properties window, and you can change it to match the primary SMTP address.

Your prefix didn't match, either. I suggest changing your usernames to match the givenname.surname prefix used in your email addresses. Usernames aren't limited to 20 characters anymore. However, if some local systems are limited to shorter usernames, you can preserve sAMAccountName for that.
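The same procedure (register the mail domain as an alternative UPN suffix, then align each user's UPN with the primary SMTP address from proxyAddresses) as a PowerShell script. This is an added example, not part of the original answer; it assumes the ActiveDirectory RSAT module is installed and the account running it may modify the forest and user objects. The domain names are the example values from the question, and the script only does a dry run (-WhatIf) until the planned changes have been reviewed.

```powershell
# Added example: align userPrincipalName with the primary SMTP address for users
# whose mail domain differs from the AD domain name. Assumes the ActiveDirectory
# module; example.net / example.com are the values from the question.

Import-Module ActiveDirectory

$MailSuffix = 'example.net'   # the email domain that is not the AD domain name

# Step 1: make sure the email domain is a registered alternative UPN suffix
# (the scripted equivalent of the "UPN Suffixes" tab in AD Domains and Trusts).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $MailSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $MailSuffix }
    Write-Host "Added UPN suffix $MailSuffix to forest $($forest.Name)"
    $forest = Get-ADForest   # re-read so the check below sees the new suffix
}

# Valid UPN suffixes are the forest's domain names plus the alternative suffixes.
$validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)

# Step 2: for every mail-enabled user, read the primary SMTP address from
# proxyAddresses (the single entry with an upper-case "SMTP:" prefix) and
# compare it with the current UPN.
$users = Get-ADUser -Filter { proxyAddresses -like 'SMTP:*' } `
                    -Properties proxyAddresses, userPrincipalName

foreach ($u in $users) {
    $primary = ($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
                Select-Object -First 1) -replace '^SMTP:', ''
    if (-not $primary) { continue }

    $suffix = $primary.Split('@')[1]

    # Only touch accounts whose mail domain is a UPN suffix of this forest;
    # any other value would produce a UPN that cannot be used to log on.
    if ($validSuffixes -notcontains $suffix) {
        Write-Warning "$($u.SamAccountName): $suffix is not a UPN suffix in this forest, skipping"
        continue
    }

    if ($u.UserPrincipalName -eq $primary) { continue }   # already aligned

    # Dry run: remove -WhatIf once the list of planned changes has been reviewed.
    Set-ADUser -Identity $u -UserPrincipalName $primary -WhatIf
}
```

The script changes only userPrincipalName, so sAMAccountName stays as it is for any local systems that still depend on the short username, as the answer suggests. Because a changed UPN is immediately what users must type to sign in, review the -WhatIf output and communicate the new logon names before running it for real.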