Learn why directory user emails must be unique among active users, and how to avoid conflicts.
Directory Sync requires directory user emails to be unique among active users within a directory. If an identity provider tries to provision or update a directory user with an email that another active user in the same directory already has, that request is declined and the affected user won’t sync until the conflict is resolved. This is scoped per directory; the same email can still exist in different directories.
Only active users count toward uniqueness. Deactivating a duplicate record in the identity provider immediately frees its email for the active user that should hold it.
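The rule above can be checked against an export of directory users before a conflict blocks a sync. The following is an added example, not code from this documentation or its SDKs; the record fields (`id`, `directory_id`, `email`, `state`), the sample data, and the case-insensitive email comparison are all assumptions.

```python
from collections import defaultdict

# Constructed sample records; the field names and values are assumptions.
SAMPLE_USERS = [
    {"id": "user_01", "directory_id": "dir_A", "email": "ana@example.com", "state": "active"},
    {"id": "user_02", "directory_id": "dir_A", "email": "Ana@Example.com ", "state": "active"},
    {"id": "user_03", "directory_id": "dir_A", "email": "ben@example.com", "state": "inactive"},
    {"id": "user_04", "directory_id": "dir_A", "email": "ben@example.com", "state": "active"},
    {"id": "user_05", "directory_id": "dir_B", "email": "ana@example.com", "state": "active"},
    {"id": "user_06", "directory_id": "dir_A", "email": None, "state": "active"},
]


def _key(user):
    """Return (directory_id, normalized email), or None if the record cannot conflict."""
    # Assumption: emails are compared case-insensitively after trimming whitespace.
    email = (user.get("email") or "").strip().lower()
    if user.get("state") != "active" or not email:
        return None  # inactive users and records without an email never count
    return (user["directory_id"], email)


def find_email_conflicts(users):
    """Map (directory_id, email) -> ids of the active users sharing that email."""
    holders = defaultdict(list)
    for user in users:
        key = _key(user)
        if key is not None:
            holders[key].append(user["id"])
    return {key: ids for key, ids in holders.items() if len(ids) > 1}


def would_conflict(users, candidate):
    """True if creating or updating `candidate` collides with another active user."""
    key = _key(candidate)
    if key is None:
        return False
    return any(_key(u) == key and u["id"] != candidate["id"] for u in users)


if __name__ == "__main__":
    for (directory_id, email), ids in find_email_conflicts(SAMPLE_USERS).items():
        print(f"{directory_id}: {email} is held by active users {ids}")
```
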
Unique emails make user resolution predictable. When each active user in a directory has a distinct email, AuthKit, just-in-time provisioning, and your own application can reliably resolve a person by their email address. This keeps downstream authentication and account-linking behavior consistent for your users.
Email conflicts originate in your customers’ identity providers, so the fixes are IT admin actions. Share this guidance with the affected admins to keep directories syncing cleanly.