Best Practices for Handling Email Changes in ISC Tenant

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

Hi everyone,

We’re currently evaluating the challenges involved in implementing email address changes within our ISC tenant.

While we’re comfortable with the technical side of provisioning these changes to Active Directory (BPR to ensure the uniqueness of newly generated email addresses, UPNs, and proxyAddresses), as well as updating other ISC-connected applications, our main concern is around the potential impact on end-user access, particularly to non ISC connected applications that rely on these attributes for conectivity.

We’re interested in learning about any best practices recommended by the community when managing such changes, especially around minimizing disruption to users and ensuring a smooth transition across integrated systems.

Thanks in advance for your insights!

2 Likes
2

Hey Austin!

Welcome to the developer community.

It sounds like your team has a great start. Some initial best practices I would be thinking about, were I in your position:

  • Staged rollouts: Consider updating a small group of users first to monitor impact before scaling.

  • Communication plans: Notify users in advance about the change, especially if it affects login credentials or email routing.

  • Alias retention: Where possible, retain old email addresses as aliases (proxyAddresses) to avoid disruption.

  • Audit dependencies: Identify all systems (especially legacy or third-party apps) that rely on email or UPN and validate how they handle changes.

  • Post-change monitoring: Set up alerts or reports to catch any access failures or sync issues early.

Happy to dive deeper if you’re looking at specific systems or use cases. Let me know!

3

Hi @ama1 ,

For Technical Implementation:

  1. Use Business Process Rules (BPR) for email uniqueness validation rather than transforms. This allows real-time validation during provisioning.

  2. Configure Attribute Synchronization properly:

    • Go to Admin > Connections > Sources > [Your AD Source] > Account Management > Attribute Sync

    • Enable sync for mail, proxyAddresses, and userPrincipalName attributes

  3. Implement ProxyAddresses Strategy:

    • Always preserve old email as alias: smtp:old.email@domain.com

    • Set new email as primary: SMTP:new.email@domain.com

For Minimizing User Disruption:

  1. Maintain Email Aliases: Keep old email addresses active as aliases indefinitely for legacy application support

  2. Staged Rollout: Implement changes in phases rather than bulk updates

  3. Clear Communication: Notify users well in advance with impact timelines

For Non-ISC Connected Applications:

  • Create an application inventory to identify systems using email for authentication

  • Coordinate with application owners for manual updates where needed

  • Consider implementing a grace period where both emails remain active

Key Documentation References:

Hope this helps!