diff --git a/internal/directory/azure/api.go b/internal/directory/azure/api.go
index 5a6e7f91a..6c112a002 100644
--- a/internal/directory/azure/api.go
+++ b/internal/directory/azure/api.go
@@ -31,15 +31,17 @@ func (obj apiUser) getEmail() string {
 // AD often doesn't have the email address returned, but we can parse it from the UPN
- // UPN looks like:
+ // UPN looks like either:
 // cdoxsey_pomerium.com#EXT#@cdoxseypomerium.onmicrosoft.com
+ // cdoxsey@pomerium.com
 email := obj.UserPrincipalName
 if idx := strings.Index(email, "#EXT"); idx > 0 {
 email = email[:idx]
- }
- // find the last _ and replace it with @
- if idx := strings.LastIndex(email, "_"); idx > 0 {
- email = email[:idx] + "@" + email[idx+1:]
+
+ // find the last _ and replace it with @
+ if idx := strings.LastIndex(email, "_"); idx > 0 {
+ email = email[:idx] + "@" + email[idx+1:]
+ }
 }
 return email
 }
diff --git a/internal/directory/azure/azure_test.go b/internal/directory/azure/azure_test.go
index f9b7a3c6a..c456a1eb0 100644
--- a/internal/directory/azure/azure_test.go
+++ b/internal/directory/azure/azure_test.go
@@ -62,6 +62,7 @@ func newMockAPI(t *testing.T, srv *httptest.Server) http.Handler {
 "members@delta": []M{
 {"@odata.type": "#microsoft.graph.user", "id": "user-2"},
 {"@odata.type": "#microsoft.graph.user", "id": "user-3"},
+ {"@odata.type": "#microsoft.graph.user", "id": "user-4"},
 },
 },
 },
@@ -73,6 +74,7 @@ func newMockAPI(t *testing.T, srv *httptest.Server) http.Handler {
 {"id": "user-1", "displayName": "User 1", "mail": "user1@example.com"},
 {"id": "user-2", "displayName": "User 2", "mail": "user2@example.com"},
 {"id": "user-3", "displayName": "User 3", "userPrincipalName": "user3_example.com#EXT#@user3example.onmicrosoft.com"},
+ {"id": "user-4", "displayName": "User 4", "userPrincipalName": "user4@example.com"},
 },
 })
 })
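Review bot: In getEmail the string returned after this change is never checked to be an address: a UPN without `#EXT` is now returned verbatim, and inside the `#EXT` branch a prefix that contains no `_` is returned with no `@` at all. If this value is later compared against email-based policy (not visible in this hunk), a malformed UPN ends up as an identity string, so I would reject it before `return email`, for example `if strings.Count(email, "@") != 1 { return "" }`, or whatever the caller treats as "no address". The test on `"#EXT"` is also looser than the `#EXT#@` form the comment documents; matching the full `#EXT#` token would keep code and comment aligned. The start of getEmail's body lies outside the hunk, so any earlier handling of the mail field is not shown here.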
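Review bot: The new fixture `"userPrincipalName": "user4@example.com"` in the second newMockAPI hunk contains no `_`, so the removed code would have returned it unchanged as well, and the `user-4` expectation added in TestProvider_UserGroups does not pin the behaviour this commit changes. A UPN with an underscore in the local part, such as `"user_4@example.com"` (constructed sample) with the matching `Email: "user_4@example.com"` expectation, fails on the old code and passes on the new. Both test functions continue outside their hunks.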
@@ -186,6 +188,12 @@ func TestProvider_UserGroups(t *testing.T) {
 DisplayName: "User 3",
 Email: "user3@example.com",
 },
+ {
+ Id: "user-4",
+ GroupIds: []string{"test"},
+ DisplayName: "User 4",
+ Email: "user4@example.com",
+ },
 }, users)
 testutil.AssertProtoJSONEqual(t, `[
 { "id": "admin", "name": "Admin Group" },