A new user is created in VIP Manager using the userPrincipalName attribute from Azure during an MFA login using the Azure conditional access flow.
(Source: VIP Azure integration guide)
The Azure UserPrincipalName (UPN) attribute value is required by Azure\O365 as the username.
When Symantec VIP MFA is integrated:
In VIP Manager > Policies > Azure, the User ID Attribute can be adjusted to match the existing User ID in VIP Manager. When VIP receives the UPN as the username in an MFA request, the User ID Attribute for that user is fetched from Azure AD and uses this value as the VIP User ID.
For example, if the VIP Enterprise Gateway is sending 'samAccountName' as the VIP User Name Attribute...
...adjust the VIP Azure settings to send the Azure AD attribute that matches. In many cases, this is either mailNickName or onPremiseSamAccountName.
Alternatively, change the VIP User Name Attribute on your VIP Enterprise Gateway(s) to send the UserPrincipalName.
Important: This change won't affect the end-user login experience or their login ID. Only the VIP User ID mapping between your VIP EG↔VIP tenant or the VIP Conditional Access for Azure↔VIP tenant is changing to ensure that each user has a single VIP User ID regardless of the application they are logging into.