
Error: Your Microsoft account UPN has changed #2526

Open
AntonT76 opened this issue Feb 29, 2024 · 4 comments
Assignees
Labels
Feature - SSO Issue type - help wanted General questions on how to use the plugins, e.g. configurations etc. Plugin - auth_oidc Plugin - local_o365

Comments

@AntonT76

Hi,

we did an update from Moodle 4.1.4+ to 4.1.6+; the Microsoft local_o365 plugin is 4.1.3 (2022112815). Now we have a user who is not able to log in. The error message is:

"Your Microsoft account UPN has changed. Please contact your administrator to update your Moodle account."

Some additional infos:

  • In Moodle the username is the same as the UPN in Microsoft (e.g. Username = [email protected]; UPN = [email protected])
  • Due to organisational things the username was changed years ago both in Azure and in Moodle, but until the update, login was possible.
  • In "Manage User Connection" the connection status is Connected

Are there any solutions for this?
thanks, br Anton

@AntonT76
Author

Hi,

we are now one step closer to a solution. We have discovered that there are differences between two tables for users with login problems: in the table "users", the column "username" does not contain the same value as the column "o365name" in the table "local_o365_objects".

Example:

This was probably caused by manually changing the user IDs in Moodle.

What have we done now? We have simply overwritten the value in the column "o365name" with the value from "username" for users with login problems. Initial feedback from users with login problems has been positive, but we will wait and see. This issue is also described in #2331.

What we need to think about is how we will deal with user changes in the future. We will therefore try to test the new function in the o365 plugin (support_upn_change).

br, Anton

@AntonT76
Author

AntonT76 commented Mar 6, 2024

Hi,

we have tried the new function in Moodle (support_upn_change: https://docs.moodle.org/402/en/Microsoft_365#Support_Microsoft_account_UPN_changes) and we have some questions:

  • If support_upn_change is enabled, when will this function be called?
  • After renaming the user in Moodle and Azure AD, are there any other things to do in Moodle, like performing a (full) sync, disconnecting the user, ...?

thanks, br
Anton

@weilai-irl
Collaborator

Hi @AntonT76

The support_upn_change feature is not a function that can be called, but a setting that is checked when (1) performing the user sync task, and (2) processing a user login. The general idea is like this:

  • The Microsoft user object ID, which is a unique value and never changes, is stored in the auth_oidc_token table against a user. Effectively each record in the table is a Microsoft user who has ever successfully authenticated. If the user is linked to a Moodle account already, it will keep the Moodle user ID too. There is a scheduled task to clean up unlinked records in this table.
  • The object ID is stored in the local_o365_objects table too for linked users (filter by type='user'). The "o365name" column for these records contains the UPN of the user.
  • When a user logs in or the user sync task is run, Moodle will try to find the Microsoft user in the auth_oidc_token and local_o365_objects tables using the object ID first, and if records are found, it will compare the UPN received with the stored UPN. If they match, the user is logged in; otherwise, the action depends on whether the "support_upn_change" feature is enabled. If the feature is enabled, it will try to update (1) the Moodle username, (2) the auth_oidc_token table record, and (3) the local_o365_objects records; if the feature is disabled, it will simply show a message saying the UPN might have changed and to contact the site admin. There are a few more detailed scenarios, which are described in the setting description.

So the idea is, if this feature is enabled and the Microsoft UPN is changed, provided there's no potential conflict (e.g. the new username of the Microsoft account is already taken by another Moodle user), then either the user sync task or the next user login will automatically update the Moodle account and allow the user to log in smoothly, without any other action by any party.

Note there is a known issue with manually mapped users, whose details shouldn't be updated. A fix for it will be included in the next release, which will hopefully happen next week.

Hope this clarifies things a bit.

Regards,
Lai
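The decision flow Lai describes above, together with the username/o365name mismatch Anton found earlier in the thread, as an added Python model that is not the plugin's code. Table names follow the comment; the dict-based field layout, the `oid`/`upn` claim names and the case-insensitive comparison are assumptions.

```python
# Added illustration, not auth_oidc/local_o365 code. Dict-based stand-ins for
# the Moodle tables named in the thread; the field layout is an assumption.
from dataclasses import dataclass

UPN_CHANGED_MSG = ("Your Microsoft account UPN has changed. "
                   "Please contact your administrator to update your Moodle account.")

@dataclass
class MoodleDb:
    users: dict         # Moodle user id -> username ("user" table)
    oidc_tokens: dict   # Microsoft object id -> Moodle user id (auth_oidc_token, linked rows)
    o365_objects: dict  # Microsoft object id -> o365name/UPN (local_o365_objects, type='user')

def handle_login(db, oid, upn, support_upn_change):
    """Decide what happens when Microsoft returns (oid, upn) at login or during sync."""
    if oid not in db.oidc_tokens or oid not in db.o365_objects:
        return ("not_linked", None)            # no record found by object ID: out of scope here
    userid = db.oidc_tokens[oid]
    if db.o365_objects[oid].lower() == upn.lower():   # case-insensitive compare is an assumption
        return ("login", userid)
    if not support_upn_change:
        return ("error", UPN_CHANGED_MSG)       # the message quoted in the issue title
    # Conflict check from the comment: the new UPN must not already be another user's username.
    owners = {name.lower(): uid for uid, name in db.users.items()}
    other = owners.get(upn.lower())
    if other is not None and other != userid:
        return ("conflict", other)
    db.users[userid] = upn                      # (1) Moodle username
    db.o365_objects[oid] = upn                  # (3) local_o365_objects; (2) token row omitted in this model
    return ("updated", userid)

def mismatched_links(db):
    """Linked users whose Moodle username differs from the stored o365name (Anton's finding)."""
    return sorted((uid, db.users[uid], db.o365_objects[oid])
                  for oid, uid in db.oidc_tokens.items()
                  if db.users[uid].lower() != db.o365_objects[oid].lower())

def sample_db():
    """Constructed sample data: user 1 was renamed in Moodle but o365name is stale; user 2 is consistent."""
    return MoodleDb(
        users={1: "anton.new@example.com", 2: "bea@example.com"},
        oidc_tokens={"oid-1": 1, "oid-2": 2},
        o365_objects={"oid-1": "anton.old@example.com", "oid-2": "bea@example.com"},
    )

if __name__ == "__main__":
    db = sample_db()
    print(mismatched_links(db))
    print(handle_login(db, "oid-1", "anton.new@example.com", False))   # ('error', ...) with the feature off
    print(handle_login(db, "oid-1", "anton.new@example.com", True))    # ('updated', 1) with the feature on
```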

@weilai-irl weilai-irl self-assigned this Mar 6, 2024
@weilai-irl weilai-irl added Issue type - help wanted General questions on how to use the plugins, e.g. configurations etc. Plugin - auth_oidc Plugin - local_o365 Feature - SSO labels Mar 6, 2024
@AntonT76
Author

AntonT76 commented Mar 7, 2024

Dear @weilai-irl

thank you for this detailed information. Now the process is clear. But just a question about the process of renaming the user. We currently have two procedures to change the username:

Procedure A: user exists in Moodle according to the daily user sync AND has already logged in to Moodle

  • Moodle:
    • Open "local_o365 | userconnections" - Manage User Connections: disconnect user
    • edit profile of user, change username to new one
    • change auth method to "OpenID Connect"
  • Azure: change username to new one (I don't know how this is done because it is done by our Azure Admins)
  • Ready: User can login with new account

Procedure B: user exists in Moodle according to the daily user sync, BUT has NOT yet logged in to Moodle

  • Moodle:
    • edit profile of user, change auth method to "manual accounts"
    • change username to new one
    • change auth method to "OpenID Connect"
  • Azure: change username to new one
  • Ready: User can login with new account

According to your description and the new option "support_upn_change", procedure A is now:

  • Moodle: activate "support_upn_change"
  • Azure: change username to new one
  • Ready: User can login with new account

And should procedure B be the same? Or are these the problems with "manually mapped users" which you mentioned?

thanks, br Anton
