Propagation time for desktop apps after changing UPN? Skip to main content
https://support.okta.com/help/answers?id=9062a000000quvtqa0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Kyle YoungKyle Young 

Propagation time for desktop apps after changing UPN?

I'm preparing for a project that involves changing the primary domain for all of our users in Office 365 to a new domain.  We use Okta with WS-Federation with our Office 365 tenant so I've been doing testing for the past week and have the UPN change process nailed down however the thing that I've not been able to fully sort out is the propagation time that is required for the UPN change to carry down to desktop applications, Outlook to be specific.

Since all of our existing users are setup under domain1.com currently this means that we're going to need to create all new Outlook profiles for them to begin using domain2.com according to everything I've read.  So our plan is to use BitTitan's DeploymentPro tool to shove the new domain2.com Outlook profile down to all of users workstations.

In doing my testing the last couple of days it seems like it's within a couple of hours that a user going from domain1.com to domain2.com as their UPN are able to use web based services without issue and have the mail flow out of OWA using the new domain2.com domain.  However desktop apps, and more specifically Outlook have been quite flaky with the amount of time needed before they start accepting the new UPN for authentication.

The interesting thing is that Outlook 2016 appears to process Outlook profile setups differently whether there is an existing profile setup already or not.  The example below is what's occurring when there is no existing Outlook profile setup, which appears to be a friendlier GUI setup.  I'm sure this setup process has probably been around for a while but desktop support is not my primary role so I rarely see this setup process (so it's new to me!).  So I'm able to populate the username with the new UPN in the box below and click the connect button to begin the autodiscover process.

User-added image

I then am prompted to authenticate into Okta

User-added image

Once I succesfully authenticate into Okta the autodiscover continues and then eventually I'm met with the screen below confirming that the acccount was successfully setup.  I'm then able to launch Outlook and everything is completely normal.

User-added image

So the process above confirms that Outlook is able to process the new UPN when there's not already an existing Outlook profile setup.  However since we're needing to add a new profile where existing profiles are already setup this setup method is not the path we're able to take.  Instead Outlook uses the old method (that I'm more used to seeing) shown below.

User-added image

All of the required values are filled in correctly and then I proceed ahead with the autodiscover setup.
It eventually times out with a message stating "An encrypted connection to your mail services is not available" and then suggests connecting with an unencrypted connection, which fails as well.

The user in the screenshots shown above had the UPN changed around 7:30PM ET last night and just now as I'm typing this post did it finally accept the second method of Outlook profile setup.  This seems like an extremely long amount of propagation time (approximately 16+ hours) but if this is the norm then I'll just factor this into my battleplan.

I'm sure other folks out there have gone through a similar process, first time through for me so I just want to make sure we block out the proper amount of time for everything to propagate with the new UPN before we start pushing out the new Outlook profiles.

Any tips or information is greatly appreciated!
 
Marius VoinescuMarius Voinescu (Okta, Inc.)
It might take up to 24 hours for this change to take effect across all services. After the change has taken effect, the user will have to sign in to Outlook, Skype for Business and SharePoint with their updated user name, so be sure to tell them about this change.