{"id":1734,"date":"2022-09-12T01:00:00","date_gmt":"2022-09-12T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/update-user-principal-names-of-azure-active-directory-synced-users-automatically\/"},"modified":"2024-11-05T07:37:19","modified_gmt":"2024-11-05T07:37:19","slug":"update-user-principal-names-of-azure-active-directory-synced-users-automatically","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/cloud-and-modern-data-center\/update-user-principal-names-of-azure-active-directory-synced-users-automatically\/","title":{"rendered":"Update User Principal Names of Azure Active Directory Synced Users Automatically"},"content":{"rendered":"\n<style>\n.letterul {\nlist-style:lower-alpha;\n}\n.letterolnone {\nlist-style-type:none;\n}\n<\/style>\n\n\n\n<p>Hey guys, I\u2019m back with a short blog about some useful settings in Office 365 hybrid identity configuration.&nbsp; Changing the User Principal Name (UPN) of your users isn\u2019t a daily occurrence; however, it is often needed in times such as company acquisitions, divestitures, rebranding initiatives etc.&nbsp; Since we always want corporate identities to have a matching primary email address and UPN whenever possible, these circumstances require the change of both the email addresses and UPNs for the affected users.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Changing attributes of synced users<\/h2>\n\n\n\n<p>When identities are synchronized between on-premises Active Directory (AD) and Azure Active Directory (AAD) using the Azure AD Connect synchronization engine, changing attributes in both directories is simply a matter of changing the attributes in AD, which will be reflected in AAD after the next synchronization cycle. 
This is true of email addresses but not necessarily of the UPN.&nbsp; There are a few cases where you may be disappointed to see that your UPN changes are not reflected in AAD:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The users are changing from one federated domain to another federated domain. There is no direct path to change a user\u2019s UPN in this scenario.&nbsp; Changing the UPN of a user from one federated domain to another is not supported. &nbsp;The best approach is to: <ul><li>Change the user\u2019s UPN to a non-verified domain (meaning a domain not verified in your AAD tenant, for instance, a .local domain, even if you have to add the additional UPN suffix in AD Domains and Trusts just for this purpose)<\/li><li>Start a full synchronization of AD Connect with the command \u201cStart-ADSyncSyncCycle -PolicyType Initial\u201d \u2013 this will make the user get a tenant.onmicrosoft.com address in AAD since the domain suffix is not verified<\/li><li>Change the user\u2019s UPN to the new federated domain in AD<\/li><li>Start a full synchronization of AD Connect with the command \u201cStart-ADSyncSyncCycle -PolicyType Initial\u201d \u2013 this will set the user to the federated domain. 
<\/li><\/ul><\/li><li>Assuming you are using managed domains, you may have an older tenant and the [now] default Azure AD Connect sync service features are not in place.<\/li><\/ul>\n\n\n\n<p>So, here\u2019s the story with scenario 2: You change the UPN of a user in AD to a managed domain and wait for synchronization to occur, only to realize that the UPN didn\u2019t change.&nbsp; The next step you should take is to open PowerShell, connect to the MSOnline module and run the command Get-MsolDirSyncFeatures.&nbsp; If you see the output&nbsp;<em>SynchronizeUpnForManagedUsers<\/em>&nbsp;set to&nbsp;<em>$False,<\/em>&nbsp;then you have found the culprit!<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/6\/2021\/02\/neilhoffman_blog5_img_1.jpg\" alt=\"\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Back story\u2026<\/h2>\n\n\n\n<p>A few years ago, no UPN changes were synced from AD to AAD with AAD Connect \/ AAD Sync \/ DirSync \/ (insert-historical-name-of-this-product-here).<\/p>\n\n\n\n<p>If you wanted to change a UPN, you would change it in AD, run a sync, then have to manually change it in AAD by running the MSOnline command \u201cSet-MsolUserPrincipalName\u201d to change the AAD UPN.&nbsp; This always seemed counterintuitive to me since almost all other attributes were synced.&nbsp; Newer tenants no longer require this second step; the UPN change is fully synced.&nbsp; The issue occurs when some older tenants that existed before these changes were implemented don\u2019t have this setting in place.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">So how do I fix it?<\/h2>\n\n\n\n<p>The fix is simple. 
Just update this setting with the command \u201cSet-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $True\u201d.<\/p>\n\n\n\n<p>Going forward, your UPN updates will get synced from AD to AAD.&nbsp; However, there is one caveat \u2013 enabling this feature won\u2019t retroactively search through your users and update any UPNs which don\u2019t match; it will only sync users whose UPNs are changed&nbsp;<strong>after<\/strong>&nbsp;this setting is configured.&nbsp; So again, you have 2 options:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Perform the following actions: <ul><li>Flip the UPNs back to what they were originally.<\/li><li>Start a full synchronization of AD Connect with the command <ul class=\"letterolnone\"><li>Start-ADSyncSyncCycle -PolicyType Initial<\/li><\/ul><\/li><li>Change this setting to $True with the command<ul class=\"letterolnone\"><li>Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $True<\/li><\/ul><\/li><li>Flip the UPNs to what they are supposed to be.<\/li><li>Start a full synchronization of AD Connect with the command<ul class=\"letterolnone\"><li>Start-ADSyncSyncCycle -PolicyType Initial<\/li><\/ul><\/li><\/ul><\/li><\/ol>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\"><li>Wait until your next round of UPN changes to test this feature, and for this time just use the command<br>\u201cSet-MsolUserPrincipalName -UserPrincipalName &lt;OldUPN&gt; -NewUserPrincipalName &lt;NewUPN&gt;\u201d&nbsp;to change the Azure AD UPNs to match the new AD UPN.<\/li><\/ol>\n\n\n\n<p>In this blog, we reviewed the various methods to sync your UPNs from AD to Azure AD or troubleshoot why updates may not be syncing.&nbsp; Feel free to <a href=\"https:\/\/www.insentragroup.com\/au\/contact\/\">contact us<\/a> if you have any questions!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey guys, I\u2019m back with a short blog about some useful settings in Office 365 hybrid identity configuration.&nbsp; Changing the User 
Principal Name (UPN) of your users isn\u2019t a daily occurrence; however, it is often needed in times such as company acquisitions, divestitures, rebranding initiatives etc.&nbsp; Since we always want corporate identities to have a&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/cloud-and-modern-data-center\/update-user-principal-names-of-azure-active-directory-synced-users-automatically\/\">Continue reading <span class=\"screen-reader-text\">Update User Principal Names of Azure Active Directory Synced Users Automatically<\/span><\/a><\/p>\n","protected":false},"author":91,"featured_media":6854,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[21],"tags":[],"class_list":["post-1734","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-and-modern-data-center","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/1734","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/users\/91"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/comments?post=1734"}],"version-history":[{"count":5,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/1734\/revisions"}],"predecessor-version":[{"id":14688,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/1734\/revisions\/14688"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/media\/6854"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/media?parent=1734"}],"wp:term":[{"taxonomy":"category","embeddab
le":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/categories?post=1734"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/tags?post=1734"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}