2025-04-11

UPN change for M365 migration: concerns

In an infrastructure with Palo Alto, Active Directory and VPN on Cisco AnyConnect, after the UPN change we have a problem with access to the infrastructure. As far as I can remember, in our environment Palo Alto and AnyConnect have a problem with recognising the proper source domain (we have a few domains), so after changing the UPN to the new value (equal to the email address) the workstation moves to a different access policy, the one for unknown users: it has access to selected infrastructure servers, but at the user level there is no access to any components (for example RDP connections).

2025-04-05

change UPN for M365 migration

A company with nearly 25k identities (above 30k accounts; many persons or identities have several accounts). Now in the process of the big jump to the cloud: Exchange Online and SharePoint Online.
And Houston, we have a problem.
On premise, users use sAMAccountNames (in 3 domains); as you may remember, users can have more than one account, so only one account should be synchronised to Azure. So we had to use emails as the UPN (in ADFS) and during synchronisation (the email is synced as the UPN to Azure by AADC/Entra Connect). To complicate the whole picture, users can be switched between their accounts and between domains and, last but not least, account names (sAMAccountNames) can be changed (an old app requirement). So, if emails are unique, we could plan to use emails as the UPN (one of the possible scenarios described on Technet/Microsoft). Only one account per user is synchronised (filtering) and it almost worked with Teams, but now we are making the big leap to the cloud.
What's wrong? After the first steps toward hybrid we have a problem with employees who have access to more than one mailbox. Even without migrated mailboxes, they start receiving logon requests (form-based login in Outlook) expecting a valid email address. But, as you may remember, we have a separate UPN on premise (one of three possible, because we have three domains), and it is different from the email address and from the UPN in Azure, because the UPN in Azure is our email; the user is shown the on-premise UPN, which is different from the email.
To complete the picture you should know that we had blocked some traffic to the outlook.com or outlook.net domains, but we had to enable it for SharePoint Online to work properly. We also had to set (enforce) a registry value to avoid using M365 autodiscover... I think this is the whole picture...
So we can synchronise the UPN with emails, but:
  • at first look we can recognise a few apps with invalid access due to the UPN change
  • if a user provides a valid email, Outlook will work properly
  • we don't know what will be affected by this change; we have 300-400 apps, so the impact is unknown
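As an added example (not from the original post, and not the company's own tooling): a pre-flight audit in PowerShell for the "email as UPN" plan above. Before touching anything it lists the accounts whose userPrincipalName differs from mail (the set the change would touch, exported for the app owners), flags email addresses used by more than one account across the domains (which cannot all become UPNs, and where the sync filter has to pick one), and checks that every mail suffix is a registered UPN suffix of the forest. The three domain names, the CSV path and the -WhatIf dry run are assumptions.

```powershell
# Added example: pre-flight audit before setting userPrincipalName = mail.
# Assumes the RSAT ActiveDirectory module on a domain-joined admin host.
Import-Module ActiveDirectory

# Placeholders for the three on-premise domains (assumption).
$Domains = @('corp.example', 'sub1.corp.example', 'sub2.corp.example')

# UPN suffixes the forest knows about. A mail suffix outside this set must be
# added to the forest (and be a verified domain in Entra ID) before it can be a UPN.
$Forest = Get-ADForest
$KnownSuffixes = @($Forest.RootDomain) + @($Forest.Domains) + @($Forest.UPNSuffixes) |
    ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique

# Collect every account that has a mail attribute, from each domain.
$Users = foreach ($d in $Domains) {
    Get-ADUser -Server $d -Filter 'mail -like "*"' -Properties mail, userPrincipalName |
        Select-Object @{n='Domain'; e={ $d }}, SamAccountName, UserPrincipalName,
                      @{n='Mail'; e={ $_.mail.Trim().ToLowerInvariant() }}
}

# 1. Emails shared by several accounts, possibly in different domains.
$Duplicates = $Users | Group-Object Mail | Where-Object Count -gt 1

# 2. Accounts whose UPN already differs from mail: what the change would touch.
$Mismatched = $Users | Where-Object { $_.UserPrincipalName -ne $_.Mail }

# 3. Candidates whose mail suffix is not a UPN suffix of the forest.
$BadSuffix = $Mismatched | Where-Object {
    $KnownSuffixes -notcontains ($_.Mail -split '@')[-1]
}

"Accounts with mail:                    {0}" -f $Users.Count
"Duplicate emails:                      {0}" -f $Duplicates.Count
"UPN differs from mail:                 {0}" -f $Mismatched.Count
"Mail suffix not a forest UPN suffix:   {0}" -f $BadSuffix.Count

$Duplicates | ForEach-Object {
    $accounts = ($_.Group | ForEach-Object { "$($_.Domain)\$($_.SamAccountName)" }) -join ', '
    "DUP    {0}: {1}" -f $_.Name, $accounts
}
$BadSuffix | ForEach-Object { "SUFFIX {0}\{1} {2}" -f $_.Domain, $_.SamAccountName, $_.Mail }

# Hand the change list to the application owners so the 300-400 apps can be
# checked against it before anything is written (path is an assumption).
$Mismatched | Export-Csv -Path .\upn-change-candidates.csv -NoTypeInformation

# Dry run of the actual change, only for candidates that are neither duplicated
# nor on an unregistered suffix. Drop -WhatIf per batch once the impact is known.
$Clean = $Mismatched | Where-Object {
    $m = $_.Mail
    ($Duplicates.Name -notcontains $m) -and ($BadSuffix.Mail -notcontains $m)
}
foreach ($u in $Clean) {
    Set-ADUser -Server $u.Domain -Identity $u.SamAccountName -UserPrincipalName $u.Mail -WhatIf
}
```

Two things worth checking before removing -WhatIf: the suffix check only proves the forest accepts the UPN, so each suffix must also be a verified domain in the Entra tenant, otherwise the cloud UPN is rewritten to the tenant's onmicrosoft.com domain; and the export is the artifact to run past the owners of apps that authenticate by UPN (Kerberos logons with name@suffix, ADFS claims, SAML NameID), since those are the ones that break on the rename while sAMAccountName-based logons keep working.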