Changing UPN for several users

[ripper2k10]

Hi together,

we are using adfsmfa on multiple ADFS 2019 servers with TOTP. The mfa profiles get stored in the ADDS in the attributes msDS-cloudExtensionAttribute10 to 18.
The 2fa system works very well so far, but now we got the problem, that sometimes it is possible, that the UPN of several users may change from time to time. For example, when the users primary mail address changes, the upn will be changed to the new address, resulting in the TOTP becomming invalid.
The actual resolution is to reset the users mfa so that the user can re-register the token for the new upn.
Now we found out, that it's possible to change the identity provider from UPN to WindowsAccountName, described in this part of the kb: https://github.com/neos-sdi/adfsmfa/wiki/01-Installation#activating-product

Now the big question:
If i understand that correct, we need to unregister the adfsmfa module, change the coresponding registry key and then register the adfsmfa module again.
If we do that, what happens to the existing users/tokens? Will they still work or do all users need to re-register their tokens?

Or maybe someone of you has other solutions, how we can achieve the change of the UPN without the need to re-register the token.

Thanks in advance for any help.

Regards,
Christoph

[redhook62]

Hi, Christoph

In ADDS, it is indeed possible to change the values of the upn or the Windows account Name. Since Windows works with a user ID.
However, these are properties that guarantee a reliable identity, unlike emails for example.
We made it possible to use the Windows Account Name, for those who didn't have an upn, or in complex multi-forest and ldap scenarios.

To answer your question, it doesn't matter if you change to use the WindowsAccountName the TOTP keys will become invalid (the user's "ID" is hashed and included in the key for a small part of it, the whole being encrypted depending on the options you have chosen for security), it'a security built-in option which guarantees that a key cannot be copied to another account.

It will be imperative that the user or the administrator generate a new key.
If, you change the identification property after using adfsmfa, creating user accounts, switching from UPN to WindowsAccountName will invalidate all user profiles which will no longer be usable. Loss of all TOTP information, emails, Biometrics.

Evaluate the possibility of using '"AlternateLoginID" in ADFS by mapping it to the email (which will have changed), users will use their email to log in, but everything else will not change.
Be aware that Microsoft offers to use this with Azure AD for cases like yours.
Watch over here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id

Regards

redhook

[ripper2k10]

Hi redhook,

thanks for your quick reply.

If i understand your answer correctly, that means our problem will not be solved, even if we change the idp from upn to WindowsAccountName? (including reenrollment for all already registered users)
Does that mean, that changing the upn of a user, that has already registered a token with his account, will always have to re-register a new token?

Yes, because the upn is hashed in the key as indicated. So obligation to recreate the key.

For additional understanding, what do you mean with "User ID", is this the SID of the corresponding AD user?
Or is the "user ID" an internal ID of the adfsmfa module, which always will change in case of upn modifications?

This is a Guid in ADDS associated with each user. however Microsoft offers to use an Alternate ID.
We don't have a specific user ID otherwise

Thanks for your help.

Regards,
Christoph