We encountered an issue using the approve/deny assurance level for 2 factor into Office365. We have some users because of an error on the user account creators part, who had a name change and their email name is different then their UPN. They can use the MFA app tokencode fine to log into our VPN, but when they try to log into Office365 using the Approve/Deny it gives them a login failure. We think its because of the difference in their UPN versus email address. Might this be the issue and if so can we map to the UPN instead of the email?