
I thought UserPrincipalName (UPN) is single valued per user in the directory, but when I run an LDAP query for a specific user, I get the UPN AO0S0020@mydomain.local.

And when running an OAuth (OpenID Connect) authorization against Azure AD (which is synced using AD Connect), I see that the UPN claim for the same user is nati@mydomain.com.

What am I missing here?

Nati

1 Answer

You are missing the concept of Alternate Login ID.

It seems your Azure AD Connect is configured with Alternate Login ID. Thus the difference.

astaykov
  • I tried to fetch the `AlternateLoginID` attribute from the LDAP, but it does not exist. – Nati Jul 02 '18 at 13:28
  • AlternateLoginID is configured in ADFS and ADConnect, not in AD. Usually, it points to the email AD property. – andresm53 Jul 05 '18 at 17:49
  • I would get the guid (or OID) from AD for nati@mydomain.com and then look for this oid guid value in another field in LDAP. – Sql Surfer Jul 08 '18 at 02:18
  • @SqlSurfer the OID in Azure AD is completely disconnected from your on-premises world. So there is nothing to match with it. The link from cloud to on-prem is source anchor. And its configuration varies and can be changed (Azure AD Connect settings). – astaykov Jul 09 '18 at 10:04
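A way to check which on-prem attribute is feeding the cloud UPN, as an added example that is not part of the thread: it reads the user's `userPrincipalName` and `mail` from AD, decodes the UPN claim from an ID token you already hold, and reports which attribute matches. It assumes a domain-joined session with the ActiveDirectory module (RSAT) installed; the `$SamAccountName` value is taken from the question and `$IdToken` is a placeholder for the user's token.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module
# and a domain-joined session; $IdToken is a placeholder for a real token.
Import-Module ActiveDirectory

$SamAccountName = 'AO0S0020'                           # on-prem account from the question
$IdToken        = '<paste the user''s id_token here>'  # placeholder, not a real token

# userPrincipalName is returned by default; mail must be requested explicitly.
$user = Get-ADUser -Identity $SamAccountName -Properties mail

# Decode the JWT payload (second dot-separated segment, base64url encoded).
function ConvertFrom-JwtPayload {
    param([string]$Token)
    $segment = ($Token -split '\.')[1] -replace '-', '+' -replace '_', '/'
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

$claims = ConvertFrom-JwtPayload $IdToken
# v1 tokens carry 'upn'; v2 tokens usually carry 'preferred_username' instead.
$cloudUpn = if ($claims.upn) { $claims.upn } else { $claims.preferred_username }

# PowerShell -eq is case-insensitive, which is what we want for UPNs.
$source = if ($cloudUpn -eq $user.UserPrincipalName) {
    'userPrincipalName (default sign-in name)'
} elseif ($user.mail -and $cloudUpn -eq $user.mail) {
    'mail (Alternate Login ID configured in Azure AD Connect)'
} else {
    'neither attribute; inspect the Azure AD Connect sync rules for userPrincipalName'
}

[pscustomobject]@{
    OnPremUPN  = $user.UserPrincipalName
    OnPremMail = $user.mail
    CloudUPN   = $cloudUpn
    Source     = $source
}
```

If the result is `mail`, the on-prem UPN is untouched and only the value Azure AD Connect exports as the cloud sign-in name differs, which is what the question observes.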