In Active Directory, users and services can sign in using their pre-Windows 2000 logon name (the value of the sAMAccountName attribute) or their Kerberos user principal name (the value of the userPrincipalName attribute). As Kerberos relies heavily on DNS, the user principal name features an userPrincipalName suffix, in the form of a DNS domain name.

These userPrincipalName suffixes can be added to the list of available UPN suffixes for each Active Directory forest.

To make the most of UPN suffixes, make sure that you have an overview of the domain names and the publicly registered domain names for the organization.

UPN suffixes can be managed using Active Directory Domains and Trusts.

To do so, perform the following steps:

1. Open Active Directory Domains and Trusts (domain.msc).
2. Right-click Active Directory Domains and Trusts in the left navigation pane, and select Properties from the context menu:

3. Type the new UPN suffix that you would like to add to the Active Directory forest, select the UPN suffix that you would like to remove, or simply glance over the list of UPN suffixes.
4. Click Add or Remove, and then click OK.

Both userPrincipalName and pre-Windows 2000 logon names can be used to sign in interactively to Windows. Windows' sign-in screen can handle both. However, in cloud scenarios, the userPrincipalName suffix is used, by default.

An admin cannot assign a non-existing userPrincipalName suffix. However, when a UPN suffix is assigned to one or more accounts, there's no alert that mentions this when you remove a UPN suffix.