Update User Principal Names of Azure Active Directory Synced Users Automatically

Hey guys, I’m back with a short blog about some useful settings in Office 365 hybrid identity configuration.  Changing the User Principal Name (UPN) of your users isn’t a daily occurrence; however, it is often needed during company acquisitions, divestitures, rebranding initiatives and similar events.  Since we always want corporate identities to have a matching primary email address and UPN whenever possible, these circumstances require changing both the email addresses and the UPNs of the affected users.

Changing attributes of synced users.

When identities are synchronized between on-premises Active Directory (AD) and Azure Active Directory (AAD) using the Azure AD Connect synchronization engine, changing an attribute in both directories is simply a matter of changing it in AD; the change is reflected in AAD after the next synchronization cycle. This is true of email addresses but not necessarily of the UPN.  There are a few cases where you may be disappointed to see that your UPN changes are not reflected in AAD:

  1. Users are changing from one federated domain to another federated domain. There is no direct path to change a user’s UPN in this scenario.  Changing the UPN of a user from one federated domain to another is not supported.  The best approach is to:
    1. Change the user’s UPN to a non-verified domain (meaning a domain not verified in your AAD tenant, for instance, a .local domain, even if you have to add the additional UPN suffix in AD Domains and Trusts just for this purpose)
    2. Start a full synchronization of AD Connect with the command “Start-ADSyncSyncCycle -PolicyType Initial” – this will make the user get a tenant.onmicrosoft.com address in AAD since the domain suffix is not verified
    3. Change the user’s UPN to the new federated domain in AD
    4. Start a full synchronization of AD Connect with the command “Start-ADSyncSyncCycle -PolicyType Initial” – this will set the user to the federated domain.
  2. Assuming you are using managed domains, you may have an older tenant and the [now] default Azure AD Connect sync service features are not in place.

So, here’s the story with scenario 2: You change the UPN of a user in AD to a managed domain and wait for synchronization to occur, only to realize that the UPN didn’t change.  The next step you should take is to open PowerShell, connect with the MSOnline module (Connect-MsolService) and run Get-MsolDirSyncFeatures.  If the output shows SynchronizeUpnForManagedUsers set to $False, you have found the culprit!

So how do I fix it?

Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $True
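Before flipping the switch, it is worth knowing which users are already affected. The script below is an added example, not code from the original post: it checks the feature flag with Get-MsolDirSyncFeatures and then lists synced users whose AAD UPN no longer matches their on-premises AD UPN. It assumes the MSOnline and ActiveDirectory modules are installed, that Connect-MsolService has already been run, and that the tenant uses the default AAD Connect source anchor (base64 of the on-prem objectGUID); the function names Test-UpnSyncFeature, Get-SourceAnchor and Get-UpnMismatch are my own.

```powershell
# Added example: detect the disabled feature and the users whose UPNs are out of sync.
# Assumes an existing Connect-MsolService session and the default objectGUID source anchor.
Import-Module ActiveDirectory
Import-Module MSOnline

function Test-UpnSyncFeature {
    # Returns $true when SynchronizeUpnForManagedUsers is enabled for the tenant.
    $feature = Get-MsolDirSyncFeatures -Feature SynchronizeUpnForManagedUsers
    if (-not $feature) {
        throw 'SynchronizeUpnForManagedUsers was not returned by Get-MsolDirSyncFeatures'
    }
    return [bool]$feature.Enabled
}

function Get-SourceAnchor {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Default AAD Connect sourceAnchor: the objectGUID bytes, base64 encoded.
    # If your tenant uses mS-DS-ConsistencyGuid or another anchor, adapt this function.
    return [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-UpnMismatch {
    param([string]$SearchBase)   # optional OU distinguished name to narrow the AD query

    $adParams = @{ Filter = 'UserPrincipalName -like "*"'; Properties = 'UserPrincipalName' }
    if ($SearchBase) { $adParams.SearchBase = $SearchBase }
    $adUsers = Get-ADUser @adParams

    # Index AAD users by ImmutableId so each AD user can be matched even though the UPNs differ.
    $aadByAnchor = @{}
    Get-MsolUser -All | Where-Object { $_.ImmutableId } | ForEach-Object {
        $aadByAnchor[$_.ImmutableId] = $_
    }

    foreach ($u in $adUsers) {
        $aad = $aadByAnchor[(Get-SourceAnchor -ObjectGuid $u.ObjectGUID)]
        if (-not $aad) { continue }   # not a synced user (filtered out or not yet exported)
        # -ne is case-insensitive in PowerShell, so only real UPN differences are reported.
        if ($aad.UserPrincipalName -ne $u.UserPrincipalName) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                AdUpn          = $u.UserPrincipalName   # what AD now holds (the intended UPN)
                AadUpn         = $aad.UserPrincipalName # what AAD still shows
            }
        }
    }
}

# Usage: warn if the flag is off, then print every user whose UPN has not followed AD.
if (-not (Test-UpnSyncFeature)) {
    Write-Warning 'SynchronizeUpnForManagedUsers is disabled; UPN changes will not sync to AAD.'
}
Get-UpnMismatch | Format-Table -AutoSize
```

Keep the mismatch list: it tells you which UPNs need to be flipped back (the AadUpn column) if you take the full-resync route, or which users to hand to Set-MsolUserPrincipalName if you fix them directly.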

Going forward, your UPN updates will get synced from AD to AAD.  However, there is one caveat – enabling this feature won’t retroactively search through your users and update any UPNs which don’t match; it will only sync users whose UPNs are changed after this setting is configured.  So again, you have 2 options:

  1. Perform the following actions:
    1. Flip the UPNs back to what they were originally.
    2. Start a full synchronization of AD Connect with the command

       Start-ADSyncSyncCycle -PolicyType Initial

    3. Change this setting to $True with the command

       Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $True

    4. Flip the UPNs to what they are supposed to be.
    5. Start a full synchronization of AD Connect with the command

       Start-ADSyncSyncCycle -PolicyType Initial

  2. Wait until your next round of UPN changes to test this feature and, for this time, just use the command

     Set-MsolUserPrincipalName -UserPrincipalName <OldUPN> -NewUserPrincipalName <NewUPN>
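Both options above can be scripted. The following is an added example, not code from the original post: Repair-ManagedUpnSync runs the five steps of option 1 for a batch of users and waits for each sync cycle to finish, and Repair-ManagedUpnDirect applies option 2 with Set-MsolUserPrincipalName. It assumes it runs on the Azure AD Connect server with the ADSync, ActiveDirectory and MSOnline modules available and an existing Connect-MsolService session. $Mismatches is constructed sample input (SamAccountName, AdUpn = the UPN you want, AadUpn = the UPN AAD still shows); the function names and the example domains are my own.

```powershell
# Added example: automate the two remediation options for UPNs that did not sync.
# Assumes: run on the AAD Connect server, Connect-MsolService already done.
Import-Module ADSync
Import-Module ActiveDirectory
Import-Module MSOnline

function Invoke-FullSyncAndWait {
    param([int]$PollSeconds = 30)
    # Start-ADSyncSyncCycle fails if a cycle is already running, so wait for idle first.
    while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds $PollSeconds }
    Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
    Start-Sleep -Seconds 5   # let the scheduler register the new run before polling
    while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds $PollSeconds }
}

function Set-UpnBatch {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][ValidateSet('AdUpn', 'AadUpn')][string]$Property
    )
    # Writes the chosen column of each record back to the on-prem user object.
    foreach ($u in $Users) {
        Set-ADUser -Identity $u.SamAccountName -UserPrincipalName $u.$Property
    }
}

function Repair-ManagedUpnSync {
    param([Parameter(Mandatory)][object[]]$Mismatches)
    # Option 1: flip back, sync, enable the feature, flip forward, sync.
    Set-UpnBatch -Users $Mismatches -Property AadUpn          # step 1: match AAD again
    Invoke-FullSyncAndWait                                     # step 2
    Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $true -Force  # step 3
    Set-UpnBatch -Users $Mismatches -Property AdUpn           # step 4: intended UPNs
    Invoke-FullSyncAndWait                                     # step 5: change now flows to AAD
}

function Repair-ManagedUpnDirect {
    param([Parameter(Mandatory)][object[]]$Mismatches)
    # Option 2: rename directly in AAD; AD already holds the intended value.
    foreach ($u in $Mismatches) {
        Set-MsolUserPrincipalName -UserPrincipalName $u.AadUpn -NewUserPrincipalName $u.AdUpn
    }
}

function Get-StillMismatched {
    param([Parameter(Mandatory)][object[]]$Mismatches)
    # Verification: return the records whose intended UPN is still not present in AAD.
    $Mismatches | Where-Object {
        -not (Get-MsolUser -UserPrincipalName $_.AdUpn -ErrorAction SilentlyContinue)
    }
}

# Constructed sample input (replace with the output of your own AD/AAD comparison).
$Mismatches = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; AdUpn = 'jdoe@newbrand.example'; AadUpn = 'jdoe@oldbrand.example' }
)

Repair-ManagedUpnSync -Mismatches $Mismatches
$remaining = Get-StillMismatched -Mismatches $Mismatches
if ($remaining) { $remaining | Format-Table -AutoSize } else { 'All UPNs are now in sync.' }
```

Swap Repair-ManagedUpnSync for Repair-ManagedUpnDirect if you prefer option 2; the verification step is the same either way, and it is worth running it a few minutes after the export, since AAD can take a moment to reflect the new value.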

In this blog, we reviewed the various methods to sync your UPNs from AD to Azure AD or troubleshoot why updates may not be syncing.  Feel free to reach out if you have any questions!
