Administrator - SSO Login Issues (UPN vs Email Address)

In this article, you will learn:

• Why some users are unable to log in with SSO

• What a UPN is and how it differs from a regular email address

• How to resolve login issues caused by mismatched UPNs

Why are some users unable to log in with SSO?

Because the email stored in Q7Leader does not match the user’s UPN (User Principal Name) in your identity system (e.g., Entra ID / Azure AD).

The UPN is what SSO uses to authenticate. If it differs from the “normal” email address, the login will fail.

What is a UPN?

A UPN looks like an email address but is mainly used for login.

It can differ from the email address people use to send/receive mail every day, and it can appear differently for multiple people.

This is normal for evolving companies (e.g., transitioning to .com email addresses, M&A scenarios, etc.).

Example:

• Email structure that works for the entire company: firstname.lastname@company.com
• UPN used for SSO for some people in the organisation historically: flastname@company.com

How to fix this? 

• Option 1 — Use the UPN as the email in Q7Leader (most common & easiest)

If the UPN is also a functional email address (it receives emails), you can simply update the user in Q7Leader to use their UPN.

Example:
A user cannot log in.
-In Q7Leader, they are registered as: firstname.lastname@company.com

-But their UPN in Azure is: flastname@company.com

To fix this, update their Q7Leader email to flastname@company.com (the UPN). After this, SSO works immediately.

You can update all affected users at once with a CSV import.

• Option 2 — Change all UPNs to a standard format

This is often only used when the organisation plans a larger clean-up (e.g., moving everyone to firstname.lastname@company.com).

This affects how people log in to laptops and other applications, so it’s rarely chosen solely for Q7Leader.