When we activate a user in Okta, the Okta username format is currently set to email address. We've since found that we have a number of users without an email address, or whose email address doesn't match their AD user name. This causes problems with authentication, so we're considering changing the Okta username format to UPN. We need to know the implications of this for existing users in Okta in two areas:

First, application assignments. Okta support told us that after changing the Okta username format, on the next directory import from AD, all existing users will be re-created, resulting in lost application assignments. Is this correct?

Second, what happens to phones enrolled for MFA? If the Okta user accounts are re-created after the Okta username format change, will all users who have enrolled a phone for MFA lose that enrollment?

Finally, does it depend on whether the user's email address matches their UPN? If a user's UPN matches their email address, do they lose app assignments and phone enrollment, even though their Okta name won't change? Or will these issues only affect users whose UPN and email are not the same?

Marc Johnston (Okta, Inc.)
I just went through testing this out in my own org that has AD set as the profile master. When I changed the username format from Email to UPN, the username was updated in Okta. The user was not recreated. The username for the assigned apps remained the same. There could be issues with app assignments if the app gets reassigned. This will cause the username format to be updated if you are using the Okta username for the app username.

There should be no change to the user's phone enrollment because the user will be updated and not recreated.

If the UPN matches the email address you should see no change in Okta. If the email and UPN do not match you may run into issues with new app assignments based on your provisioning and mapping settings.
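Since the answer above hinges on whether each user's mail attribute matches their UPN, the practical pre-check is to enumerate the AD accounts Okta imports and bucket them before flipping the username format. The following PowerShell is an added example, not code from the original question or from Okta; the function name `Get-OktaUsernameImpact`, the impact labels, and the sample accounts are all constructed for illustration, and the live query at the end assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the original thread): classify AD users by whether
# their mail attribute matches their UserPrincipalName, so you know which
# Okta accounts the Email -> UPN username-format change will actually rename.
# Assumes: objects with SamAccountName, UserPrincipalName and mail properties
# (what Get-ADUser -Properties mail returns). Function and label names are
# hypothetical; the sample objects below are constructed, not real accounts.

function Get-OktaUsernameImpact {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Users
    )
    process {
        foreach ($u in $Users) {
            $mail = $u.mail
            $upn  = $u.UserPrincipalName
            # -eq on strings is case-insensitive in PowerShell, which is what we
            # want when comparing two e-mail style identifiers.
            $impact =
                if ([string]::IsNullOrWhiteSpace($mail)) { 'NoEmail' }     # no Okta username today
                elseif ($mail -eq $upn)                  { 'Unchanged' }   # per the answer: no change expected
                else                                     { 'Renamed' }     # Okta username will change to the UPN
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                UserPrincipalName = $upn
                Mail              = $mail
                OktaUsernameNow   = $mail   # what the Email format produces
                OktaUsernameAfter = $upn    # what the UPN format will produce
                Impact            = $impact
            }
        }
    }
}

# Constructed sample data so the function can be exercised offline.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';       UserPrincipalName = 'jdoe@corp.example.com';       mail = 'jdoe@corp.example.com' }
    [pscustomobject]@{ SamAccountName = 'asmith';     UserPrincipalName = 'asmith@corp.example.com';     mail = 'alice.smith@example.com' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; UserPrincipalName = 'svc-backup@corp.example.com'; mail = $null }
)
$sample | Get-OktaUsernameImpact | Format-Table -AutoSize

# Against a live domain (requires the RSAT ActiveDirectory module). Add
# -SearchBase to restrict the query to the OU(s) the Okta AD agent imports from,
# and keep only the accounts that will change so the list can be reviewed.
# Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, UserPrincipalName |
#     Get-OktaUsernameImpact |
#     Where-Object Impact -ne 'Unchanged' |
#     Export-Csv -NoTypeInformation -Path .\okta-username-impact.csv
```

Run against the sample data, `jdoe` comes out `Unchanged`, `asmith` comes out `Renamed`, and `svc-backup` comes out `NoEmail`. The `Renamed` set is the population to watch for app username mapping issues after the change, and the `NoEmail` set is the population that could not authenticate under the Email format in the first place.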