Changing UPN for several users #197
Hi all, we are using adfsmfa on multiple ADFS 2019 servers with TOTP. The MFA profiles are stored in ADDS in the attributes msDS-cloudExtensionAttribute10 to 18. Now the big question: Or maybe one of you has another solution for how we can change the UPN without needing to re-register the token. Thanks in advance for any help.

Regards,
Replies: 1 comment 1 reply
Hi Christoph,

In ADDS, it is indeed possible to change the values of the UPN or the Windows account name, since Windows works with a user ID. However, these are properties that guarantee a reliable identity, unlike emails for example. We made it possible to use the Windows account name for those who didn't have a UPN, or in complex multi-forest and LDAP scenarios.

To answer your question: it doesn't matter if you change to use the WindowsAccountName, the TOTP keys will become invalid (the user's "ID" is hashed and included in the key for a small part of it, the whole being encrypted depending on the options you have chosen for security). It's a built-in security option which guarantees that a key cannot be copied to another account. It will be imperative that the user or the administrator generate a new key.

Evaluate the possibility of using "AlternateLoginID" in ADFS by mapping it to the email (which will have changed): users will use their email to log in, but everything else will not change.

Regards
redhook
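The AlternateLoginID route suggested in the reply, shown as an added example (this is not from the thread or the adfsmfa project). It assumes the Active Directory claims provider trust still has its default identifier "AD AUTHORITY", that the `mail` attribute is populated and unique for the affected users, and uses `contoso.com` and `user@contoso.com` as placeholders for your own forest and a test account. The point of the approach is that the UPN is never changed, so the account identity the TOTP key is bound to stays the same and no re-registration is needed:

```powershell
# Added example, not code from the thread or from adfsmfa.
# Assumptions: claims provider trust identifier "AD AUTHORITY" (ADFS default),
# a unique, populated `mail` attribute, and the placeholder forest contoso.com.

# 1. Record the current state before changing anything.
$trust = Get-AdfsClaimsProviderTrust -Identifier "AD AUTHORITY"
"Before: AlternateLoginID='$($trust.AlternateLoginID)' LookupForests=$($trust.LookupForests -join ', ')"

# 2. Let users sign in with their e-mail address instead of the UPN.
#    ADFS resolves the address to the same AD account, so the UPN (and with it the
#    account the adfsmfa TOTP key is bound to) is left untouched.
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" `
    -AlternateLoginID mail `
    -LookupForests "contoso.com"

# 3. Verify the setting actually applied.
$trust = Get-AdfsClaimsProviderTrust -Identifier "AD AUTHORITY"
if ($trust.AlternateLoginID -ne "mail") { throw "AlternateLoginID was not applied" }

# 4. Defensive check: an address that matches zero or several accounts would make the
#    lookup fail or land on the wrong user, so confirm uniqueness before rollout.
$address = "user@contoso.com"   # placeholder test account
$hits = @(Get-ADUser -Filter "mail -eq '$address'" -Properties mail)
if ($hits.Count -ne 1) { Write-Warning "$address matches $($hits.Count) accounts; fix the mail attribute first" }

# To revert to UPN-only sign-in:
# Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID $null -LookupForests $null
```

Run this on the primary ADFS server with an account that can administer the farm; the `Get-ADUser` check needs the ActiveDirectory module (RSAT). Changing the `mail` value afterwards only changes what the user types at the sign-in page, whereas renaming the UPN or WindowsAccountName still invalidates the stored key as the reply describes.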