ahaenggli/AzureAD-LDAP-wrapper

Changing username in AAD (Entra)

nydydn opened this issue · 2 comments

I need to change a user's username in AAD (Entra) (from oldusername@domain.com to newusername@domain.com), but I am not sure how this would be handled by AzureAD-LDAP-wrapper. I couldn't figure it out based on the documentation, but what I imagine is that changing the userPrincipalName in AAD would be interpreted as simply a new username and a deletion of another username. Is my interpretation correct? If so, can I somehow transfer all permissions between the old username and the new one, which are the same username, but with a different userPrincipalName in AAD?

Or am I worried for nothing because the LDAP and AAD users are linked on something else that doesn't change anyway? But if so, could I log in with the new username (and the same old password), or do I have to continue to use the old username in AAD? Or can I use both?

If I change the username, and things break, so I decide to go back to the old username, would changing the username back in Entra fix everything, or would the old username be once again just another new username in LDAP, because the old one has been deleted with the first change?

What should I consider when changing a username in Entra?

Initially I just wanted to have the newusername as an alias that can be used to sign in as well, but then I understood this isn't possible with AAD, only with personal Microsoft accounts, or AAD federated with AD. And I wouldn't have understood the impact of that on the LDAP wrapper anyway.

So I've done the sane thing and tested it with a new test user, which I then changed to a different username.
My assumption that it would be detected by AzureAD-LDAP-wrapper as a delete+create action was wrong. The renamed user had all the same properties except the username and retained all the set permissions etc.
I could log in with the new user name.
I could not log in anymore with the old user name, which is fine, but I wanted to point it out.
The above discoveries indicate that the procedure is reversible, at least as far as AAD (Entra) and the LDAP (wrapper) server are concerned. If there are other 3rd party services syncing with ldap, your mileage may vary.

Your observation is correct :) The wrapper uses both ObjectId and Name for synchronization. If a user (or a group) is only renamed, all attributes are transferred. If a user (or group) is deleted and recreated with the same name before a deletion cycle (approx. 7 days by default), all attributes would also be transferred here.

Problems can only occur with 3rd party tools, e.g. new home directories and therefore "missing" data that may have to be moved manually afterwards.
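As an added illustration (not the wrapper's own code), the model below shows the matching rule described in the reply: match on objectId first, so a renamed user keeps its local attributes, and fall back to a name match only for an entry that was removed from AAD less than one deletion cycle ago. The property names, the record shape and the 7-day constant are assumptions for this example.

```javascript
// Illustrative sync model, not AzureAD-LDAP-wrapper's implementation.
// Local records: { objectId, name, upn, localAttrs, deletedAt }
// Remote (AAD) records: { objectId, name, upn }
const DELETION_GRACE_MS = 7 * 24 * 60 * 60 * 1000; // "approx. 7 days" (assumed constant)

function reconcile(localUsers, aadUsers, now) {
  const byId = new Map(localUsers.map((u) => [u.objectId, u]));
  const byName = new Map(localUsers.map((u) => [u.name, u]));
  const seen = new Set();
  const result = [];

  for (const remote of aadUsers) {
    // 1. A rename keeps the same objectId, so local attributes follow the id.
    let local = byId.get(remote.objectId);
    // 2. A delete + recreate gets a new objectId; reuse the old entry only if
    //    it was soft-deleted less than one deletion cycle ago and the name matches.
    if (!local) {
      const cand = byName.get(remote.name);
      if (cand && cand.deletedAt !== null && now - cand.deletedAt < DELETION_GRACE_MS) {
        local = cand;
      }
    }
    const localAttrs = local ? local.localAttrs : {}; // lost when no match is found
    result.push({ objectId: remote.objectId, name: remote.name, upn: remote.upn, localAttrs, deletedAt: null });
    if (local) seen.add(local);
  }

  // 3. Entries missing from AAD are soft-deleted and purged after the grace period.
  for (const local of localUsers) {
    if (seen.has(local)) continue;
    const deletedAt = local.deletedAt ?? now;
    if (now - deletedAt < DELETION_GRACE_MS) result.push({ ...local, deletedAt });
  }
  return result;
}

// Constructed sample: a rename keeps uidNumber even though name and UPN change.
const sampleLocal = [
  { objectId: 'id-1', name: 'alice', upn: 'oldusername@example.com', localAttrs: { uidNumber: 2001 }, deletedAt: null },
];
const renamed = reconcile(sampleLocal, [{ objectId: 'id-1', name: 'alice2', upn: 'newusername@example.com' }], 0);
console.log(renamed[0].localAttrs.uidNumber); // 2001

module.exports = { reconcile, DELETION_GRACE_MS };
```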