Microsoft has allowed unprivileged users to update their own User Principal Names (UPNs) in Entra ID, sparking concerns over security and administrative oversight.
To clarify, an unprivileged user can update the user principal name (UPN) of their own Entra ID account but not anyone else's. It is hard to see why any organization would intentionally allow users to modify such a fundamental attribute as a UPN, yet the capability exists.
This change, which can be executed through the Entra admin center or tools like the Microsoft Graph PowerShell SDK, has raised questions about its necessity and potential risks.
Previously, UPN updates were typically restricted to administrators. However, it is now possible for any user to modify their UPN, which is a critical identifier for accessing Microsoft services.
Testing confirmed that users could navigate to their account properties in the Entra admin center and directly edit their UPNs. A similar update can also be performed using the Microsoft Graph PowerShell SDK, as both interfaces rely on the Microsoft Graph Users API.
The update also impacts related properties. For instance, changing a UPN automatically updates the primary SMTP address in Exchange Online due to the dual-write synchronization between Entra ID and Exchange Online. The old primary SMTP address remains as a proxy address to ensure email delivery continuity.
After validating that a user could update their own user principal name and photo via the Entra admin center, the researcher tried the same update with the Microsoft Graph PowerShell SDK.
Allowing users to alter their UPNs raises several security red flags. For example, a user could temporarily change their UPN to impersonate someone else (e.g., [email protected]), gain access to that email address, and then revert to their original UPN. If administrators are not actively monitoring audit logs, such changes could go unnoticed.
Additionally, reverting a UPN change does not automatically remove the extra email proxy address created during the process. This could lead to further complications or misuse if not explicitly addressed by administrators.
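The two risks above, a change-and-revert of the UPN and the alias it leaves behind, are both visible to an administrator who looks. The following is an added example, not code from the original article, that uses the Microsoft Graph PowerShell SDK to pull recent "Update user" audit events, flag the ones where the initiating user and the target are the same account, and then list any secondary SMTP proxy addresses still attached to those accounts. It assumes the Microsoft.Graph.Reports and Microsoft.Graph.Users modules are installed and that the signed-in administrator holds the AuditLog.Read.All and User.Read.All scopes; the seven-day window is an arbitrary choice.

```powershell
# Added example, not from the original article: hunt the Entra ID audit log for
# UPN changes, flag the ones a user made to their own account, and list any
# secondary SMTP proxy addresses left behind on those accounts.
# Assumes the Microsoft.Graph.Reports and Microsoft.Graph.Users modules and an
# admin account holding AuditLog.Read.All and User.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.Read.All' -NoWelcome

function Get-UpnChangeEvents {
    param([int]$Days = 7)

    $since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "activityDisplayName eq 'Update user' and activityDateTime ge $since"

    foreach ($e in (Get-MgAuditLogDirectoryAudit -Filter $filter -All)) {
        $target = $e.TargetResources | Select-Object -First 1
        $change = $target.ModifiedProperties | Where-Object { $_.DisplayName -eq 'UserPrincipalName' }
        if (-not $change) { continue }

        # OldValue/NewValue arrive as JSON-encoded strings, e.g. "\"alice@contoso.com\"".
        $old = if ($change.OldValue) { $change.OldValue | ConvertFrom-Json } else { $null }
        $new = if ($change.NewValue) { $change.NewValue | ConvertFrom-Json } else { $null }

        # Self-service change: the initiating user is the same object as the target.
        $actorId = $e.InitiatedBy.User.Id

        [pscustomobject]@{
            Time        = $e.ActivityDateTime
            Actor       = $e.InitiatedBy.User.UserPrincipalName
            TargetId    = $target.Id
            OldUpn      = $old
            NewUpn      = $new
            SelfService = [bool]($actorId -and $actorId -eq $target.Id)
        }
    }
}

function Get-LeftoverProxyAddresses {
    param([Parameter(Mandatory)][string]$UserId)

    $u = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName, ProxyAddresses
    # Entries with a lowercase 'smtp:' prefix are secondary addresses; the primary is 'SMTP:'.
    $u.ProxyAddresses |
        Where-Object { $_ -clike 'smtp:*' } |
        ForEach-Object { $_.Substring(5) } |
        Where-Object { $_ -ne $u.UserPrincipalName }
}

$events = Get-UpnChangeEvents -Days 7
$events | Where-Object SelfService | Format-Table Time, Actor, OldUpn, NewUpn -AutoSize

# Accounts that changed their own UPN and still carry an extra SMTP alias.
foreach ($id in ($events | Where-Object SelfService | Select-Object -ExpandProperty TargetId -Unique)) {
    $extra = Get-LeftoverProxyAddresses -UserId $id
    if ($extra) { "{0}: leftover secondary addresses: {1}" -f $id, ($extra -join ', ') }
}
```

A UPN that was changed and reverted shows up as two events for the same target with the old and new values swapped, which is exactly the pattern the article warns about; the proxy-address pass then tells the administrator which aliases still need to be removed by hand.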
Organizations concerned about this capability can take steps to limit user access:
- Restrict user access to the Entra admin center.
- Block the Microsoft Graph PowerShell SDK, which users connect to with the Connect-MgGraph cmdlet. Administrators can secure this by restricting access through the associated enterprise app's settings. Without proper permissions, users attempting to connect will encounter an AADSTS50105 error.

The rationale behind enabling this capability remains unknown. While Microsoft typically implements changes with specific use cases in mind, no clear justification has been provided for allowing unprivileged users to modify such a fundamental property as their UPN. This has left IT administrators puzzled and concerned about potential misuse.
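The enterprise-app restriction mentioned above can itself be applied from the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original article or from Microsoft's documentation: it turns on "assignment required" for the service principal that Connect-MgGraph authenticates against and assigns one administrative group so that everyone else receives AADSTS50105 at sign-in. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Groups modules, an administrator holding the scopes listed in the code, that the SDK's service principal already exists in the tenant under the display name "Microsoft Graph Command Line Tools", and a group named "Graph SDK Operators", which is a constructed placeholder.

```powershell
# Added example, not from the original article: require assignment on the
# enterprise app that Connect-MgGraph authenticates against, so unassigned
# users receive AADSTS50105 instead of a token. Assumes the Microsoft.Graph.Applications
# and Microsoft.Graph.Groups modules and an admin holding the scopes below.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.Read.All' -NoWelcome

function Restrict-GraphSdkAccess {
    param(
        # Display name of the SDK's service principal in the tenant (assumption).
        [string]$SdkAppDisplayName = 'Microsoft Graph Command Line Tools',
        # Constructed placeholder: the group that should keep SDK access.
        [string]$AllowedGroupName  = 'Graph SDK Operators'
    )

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$SdkAppDisplayName'"
    if (-not $sp) {
        throw "No service principal named '$SdkAppDisplayName'; an admin must consent to the SDK once so it is created."
    }

    # Step 1: turn on 'Assignment required?'. Only assigned users/groups can now sign in to this app.
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

    # Step 2: assign the allowed group. The all-zero GUID is the default access role
    # used when an app defines no app roles of its own.
    $group = Get-MgGroup -Filter "displayName eq '$AllowedGroupName'"
    if (-not $group) { throw "Group '$AllowedGroupName' not found." }

    $existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.PrincipalId -eq $group.Id }
    if (-not $existing) {
        New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
            -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId ([guid]::Empty) | Out-Null
    }

    # Step 3: read the setting back so the change is verified, not assumed.
    Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property Id, DisplayName, AppRoleAssignmentRequired |
        Select-Object DisplayName, AppRoleAssignmentRequired
}

Restrict-GraphSdkAccess
```

Note what this does and does not cover: it blocks the SDK client for every user outside the assigned group, not only the UPN update, and it leaves the underlying Graph Users API unchanged, so any other client the tenant permits could still reach the same attribute. It is a barrier around one tool and belongs alongside the audit-log review rather than in place of it.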
Until more information emerges about Microsoft’s reasoning for this change, organizations are advised to implement controls to mitigate risks. Blocking user access to both the Entra admin center and Microsoft Graph PowerShell SDK is a prudent step for maintaining security.
As of 14:00 UTC Jan 24, 2025, Microsoft has taken action to block users from updating their User Principal Names (UPNs). The Entra admin center now displays a notification restricting this functionality when such attempts are made, signaling a swift response to the issue.