Skip to main content

Import using via Active Directory (AD) using UPN

Provides details for user import via Ad using UPN attribute

Updated this week

Overview

There might be a situation where an organization undergoes rebranding or a merger, user email addresses often change. In such cases the UPN-based provisioning ensures these users are correctly identified rather than being treated as new accounts. By linking the new UPN to existing records, Druva maintains backup continuity and historical data, effectively preventing the creation of duplicate accounts.

While the email address has long been the standard for identifying users in Druva, many modern enterprises utilize the UPN as the primary source for identity management. This new support allows Druva to align more closely with your existing AD or Entra ID (Azure AD) architecture.

Key Benefits

  • Identity Stability: UPNs are typically more stable than email addresses, which may change due to marriage, name changes, or department moves.

  • Seamless SSO: Better alignment with Single Sign-On (SSO) providers that use UPN as the NameID claim.

  • Reduced Administrative Overhead: Eliminates the need for custom scripts to sync specific email attributes when the UPN is already the standard identifier.

Enable UPN for user provisioning in AD

To enable UPN based provisioning contact support.

UPN User Provisioning Considerations

Supported Environments and Scope:

  1. This feature is exclusive to Active Directory (AD) and does not support LDAP.

  2. This feature can be enabled and disabled via support.

  3. You can add a list of domains that need to be excluded from UPN provisioning
    Example 1:
    Exclusion domain: excluded.com
    User UPN: john@upn.com
    User email: john@other.com.

    The email will be replaced with UPN in this case

    Example 2:
    Exclusion domain: excluded.com
    User UPN: john@upn.com
    User email: john@excluded.com.

    Here the email will not be replaced with UPN as the domain is in the exclusion domain.

  4. Upon UPN user provisioning, the email addresses of existing users are also updated.

  5. All users provisioned with UPN will receive email notifications to UPN address.

Synchronization and Updates:

  1. For users added manually who require auto-sync, their email ID must be manually changed to the UPN on the User Details page.

  2. For bulk user import using IMD (Integrated Mass Deployment), changes to UPN provisioning settings (e.g., feature enablement/disablement, domain exclusion list updates) will take 24 hours to reflect in the Druva environment.

📝 Note

Other workflow setting changes take effect immediately.

  • Feature Disablement Impact:

  1. If this feature is disabled, the email addresses of all users will automatically revert back to the actual email found in your AD, provided the email is valid and does not already exist in Druva .

Related Articles
Manage Users from Microsoft Azure Active Directory using SCIM
Create AD/LDAP Mapping and Import Administrators
Release Notes - Endpoints
Seamless User Migration Between Okta Tenants with Druva Backup and Provisioning
Disabled Azure AD Users Imported as Active in InSync During Initial Provisioning
Did this answer your question?