So we were creating users in AD, and we had a typo in the rule that sets
the UPN Name value. Should have been acmeUser.domain.com (singular) but
we had it setting it to acmeUsers.domain.com (plural).
No big deal to fix, I wrote a rule that reads back all users with an AD
DirXML-Association value (actually I cheat and use the entitlement
attribute we use, but it is the difference of one test), query into AD
to get back the SAMAccountName and UPNNAME (since we also have issues
with the values of the SAMAccountName) and then report on the users with
bad values, and fix them as needed.
OK, so we reported on it, and found THOUSANDS of users with errors... I
thought it was just a few dozen. Major oopsey, I suppose.
So what are the consequences of a typo in an AD userPrincipalName
attribute? I figured it would be a big enough deal that we might have
actually noticed? But we did not notice... So what the heck is it used
for anyway? I know you can log in with it as your name, basically a
Context based login for AD, but what else might matter?
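
An added example, not part of the original post: the same kind of report run from the AD side with the ActiveDirectory PowerShell module instead of an IDM rule. It assumes the two values in the post are UPN suffixes (the part after '@'); the report path is hypothetical, and the search covers the current domain only.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
# Assumption: the two values from the post are UPN suffixes (the part after '@').
Import-Module ActiveDirectory

$BadSuffix  = 'acmeUsers.domain.com'   # typo'd value (plural)
$GoodSuffix = 'acmeUser.domain.com'    # intended value (singular)
$ReportPath = '.\upn-audit.csv'        # hypothetical output path

# UPNs that already use the correct suffix, so a fix never creates a duplicate.
$taken = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-ADUser -Filter "userPrincipalName -like '*@$GoodSuffix'" -Properties userPrincipalName |
    ForEach-Object { [void]$taken.Add($_.UserPrincipalName) }

# Server-side filter: only accounts whose UPN ends in the bad suffix.
$users = Get-ADUser -Filter "userPrincipalName -like '*@$BadSuffix'" -Properties userPrincipalName

# Match the suffix only at the end of the value; the part before '@' is left untouched.
$pattern = [regex]::Escape("@$BadSuffix") + '$'

$report = foreach ($u in $users) {
    $proposed = $u.UserPrincipalName -replace $pattern, "@$GoodSuffix"
    [pscustomobject]@{
        DistinguishedName = $u.DistinguishedName
        SamAccountName    = $u.SamAccountName
        CurrentUPN        = $u.UserPrincipalName
        ProposedUPN       = $proposed
        Collision         = $taken.Contains($proposed)
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} accounts with the bad suffix, {1} collisions" -f @($report).Count, @($report | Where-Object Collision).Count

# Dry run: -WhatIf prints each change without writing to AD. Remove it to apply.
$report | Where-Object { -not $_.Collision } | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName -UserPrincipalName $_.ProposedUPN -WhatIf
}
```

Rows flagged as collisions are left out of the fix step and need a manual decision, since the corrected UPN is already held by another account.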