We use SSO. Can we change UPN for existing accounts (mail stays the same)?
Hello, @Robbin Bosch
In general Atlassian documentation is not very good about what is used and what is not, what's important and what's not.
As @Marc -Devoteam- implied in his answer, if you use Azure AD Sync with nested groups - then the documentation suggests you can choose what is the user identifier in Cloud, UPN or email, and then whatever you've chosen in sync setting should be what IdP sends in the SAML NAME-ID attribute.
https://support.atlassian.com/provisioning-users/docs/set-up-sync-settings/
Despite this, to my knowledge the NAME-ID and UPN don't affect SSO in any way. Atlassian ignores them and uses the email address as the unique identifier in Atlassian Cloud.
If you use SCIM User Provisioning, you need to examine the settings on how records are matched. By default, the Atlassian setup guide incorrectly instructs to use UPN as the matching attribute. Your very question shows why it's incorrect, since in real life UPNs may change. The matching should be set to be done by Object ID – then you can change everything else on a user record and the IdP will happily push the change to Atlassian Cloud, including the UPN change.
So if you are using SCIM and your matching is set by UPN – change it first, run a re-sync, check logs that there are no errors, then you can change the UPN freely.
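The matching behaviour described in the answer above, as an added example that is not part of the original post and is not Atlassian's or Microsoft's code. It is a simplified model: `plan_sync`, the record layout, and all sample values are constructed, and the rejection of a second record with the same email is a modelling assumption based on email being the unique identifier.

```python
# Simplified model of SCIM record matching during provisioning.
# Attribute names follow the SCIM core schema (RFC 7643); values are constructed.
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Model field -> SCIM attribute path used in the PATCH operation
SCIM_PATHS = {"userName": "userName", "email": 'emails[type eq "work"].value'}

def plan_sync(source, target_users, match_on):
    """Decide what the IdP would send for one source user.

    match_on is 'userName' (the UPN) or 'externalId' (the directory Object ID).
    Returns (action, detail) where action is create/conflict/update/noop.
    """
    hit = next((t for t in target_users if t[match_on] == source[match_on]), None)
    if hit is None:
        # No match: the IdP treats the user as new. Assumption: the target
        # keys accounts on email, so a second record with that email is refused.
        if any(t["email"] == source["email"] for t in target_users):
            return "conflict", {"reason": "email already in use",
                                "email": source["email"]}
        return "create", dict(source)
    # Match found: send only the attributes that changed (RFC 7644 PATCH).
    ops = [{"op": "replace", "path": SCIM_PATHS[k], "value": source[k]}
           for k in SCIM_PATHS if hit[k] != source[k]]
    if not ops:
        return "noop", {}
    return "update", {"path": f"/Users/{hit['id']}",
                      "body": {"schemas": [PATCH_SCHEMA], "Operations": ops}}

# Constructed sample: record provisioned before the UPN change
TARGET = [{"id": "t-1", "externalId": "obj-0001",
           "userName": "jdoe@old.example", "email": "jdoe@example.com"}]
# Same person after the rename: new UPN, same Object ID, same mail
RENAMED = {"externalId": "obj-0001",
           "userName": "jane.doe@new.example", "email": "jdoe@example.com"}

if __name__ == "__main__":
    for key in ("userName", "externalId"):
        action, detail = plan_sync(RENAMED, TARGET, key)
        print(f"match on {key}: {action} -> {detail}")
```

In this model, matching on `userName` loses track of the renamed user and collides on email, while matching on `externalId` yields a single `userName` replace operation.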
Welcome to the community.
This depends on what type of SSO is set up. If you use nested groups in combination with Azure AD, then UPN is used.
If not, only the mail address is used.