And Houston, we have a problem.
On premise, users use sAMAccountNames (in 3 domains). As you may remember, users can have more than one account, so only one account should be synchronized to Azure. So we had to use emails as UPN (in ADFS) and during synchronization (email is synced as UPN to Azure by AADC/Entra Connect). To complicate the whole picture, users can be switched between their accounts and between domains and... last but not least, account names (sAMAccountNames) can be changed (an old app requirement). So, if emails are unique, we could plan to use emails as UPN (one of the possible scenarios described on Technet/Microsoft). Only one account per user is synchronized (filtering), and it was almost working with Teams, but now we are making the big leap to the cloud.
What's wrong? After the first steps toward hybrid, we have a problem with employees who have access to more than one mailbox. Even without migrated mailboxes, they start receiving logon requests (form-based login in Outlook) expecting a valid email address. But, as you may remember, we have separate UPNs on premise (one of three possible, because we have three domains), which are different from the email addresses and from the UPN in Azure, because the UPN in Azure is our email, but the user receives a prompt suggesting the on-premise UPN, which is different from the email.
To complete the picture, you should know that we had blocked some traffic to the outlook.com and outlook.net domains, but we have to enable it for SharePoint Online to work properly. We also had to set (enforce) a registry setting to avoid using M365 autodiscover... I think this is the whole picture...
So we can synchronize UPN with emails, but:
- at first look we can see a few apps with broken access due to the UPN change
- if a user provides a valid email, Outlook works properly
- we don't know what will be affected by this change - we have 300-400 apps, so the impact is unknown
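Before flipping UPN to mail across three domains, the two things worth measuring are whether mail is actually unique across all synced accounts (otherwise it cannot be a UPN, and Entra Connect will have nothing unique to key on) and how many accounts would change their sign-in name. The script below is an added example, not code from the post above; it assumes the ActiveDirectory module, read access to all three domains, and uses placeholder domain names (corp1.example etc.) that you would replace with your own. The suffix check exists because Entra Connect rewrites a UPN whose suffix is not a verified domain in Entra ID to the tenant's default .onmicrosoft.com suffix, which would reproduce exactly the mismatch described above.

```powershell
# Added example (not from the original post). Domain names are hypothetical.
Import-Module ActiveDirectory
$Domains = @('corp1.example', 'corp2.example', 'corp3.example')   # replace with the three real domains

# Collect every account that has a mail attribute, tagged with its source domain
$AllUsers = foreach ($d in $Domains) {
    Get-ADUser -Server $d -Filter 'mail -like "*"' -Properties mail, userPrincipalName |
        Select-Object @{n = 'Domain'; e = { $d }}, sAMAccountName, userPrincipalName, mail
}

# 1. Is mail unique across all three domains? A mail value shared by two accounts
#    (e.g. a user's second account) cannot be used as a UPN for both.
$DuplicateMail = $AllUsers |
    Group-Object { $_.mail.ToLower() } |
    Where-Object Count -gt 1

# 2. Which accounts would get a new UPN if UPN := mail? These are the users whose
#    Outlook / app sign-in name changes, i.e. the population to test the 300-400 apps against.
$Mismatch = $AllUsers | Where-Object { $_.userPrincipalName -ne $_.mail }

# 3. Every mail suffix must be a verified domain in Entra ID; otherwise the synced
#    UPN is rewritten to <tenant>.onmicrosoft.com and the mismatch comes back.
$Suffixes = $AllUsers |
    ForEach-Object { ($_.mail -split '@')[1].ToLower() } |
    Sort-Object -Unique

"Accounts with mail:            {0}" -f $AllUsers.Count
"Duplicate mail values:         {0}" -f $DuplicateMail.Count
"Accounts where UPN != mail:    {0}" -f $Mismatch.Count
"Mail suffixes to verify in Entra ID: {0}" -f ($Suffixes -join ', ')

# Keep the detail for the app owners: who changes, and which duplicates must be resolved first
$DuplicateMail | ForEach-Object { $_.Group } |
    Export-Csv -Path .\duplicate-mail.csv -NoTypeInformation
$Mismatch | Export-Csv -Path .\upn-mail-mismatch.csv -NoTypeInformation
```

Run it from a host that can reach domain controllers in all three domains. Resolve everything in duplicate-mail.csv before changing any UPN; the mismatch CSV is the list to hand to the owners of the apps that authenticate by UPN (ADFS claim rules, Kerberos UPN logons, SaaS apps doing SAML NameID = UPN), since those are the ones that break when the value changes.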