United States | Update User Principal Names of Azure Active Directory Synced Users Automatically

Neil Hoffman - 12.09.2022

Update User Principal Names of Azure Active Directory Synced Users Automatically


Hey guys, I’m back with a short blog about some useful settings in Office 365 hybrid identity configuration. Changing the User Principal Name (UPN) of your users isn’t a daily occurrence; however, it is often needed in times such as company acquisitions, divestitures, rebranding initiatives, etc. Since we always want corporate identities to have a matching primary email address and UPN whenever possible, these circumstances require changing both the email addresses and the UPNs of the affected users.

Changing attributes of synced users.

When identities are synchronized between on-premises Active Directory (AD) and Azure Active Directory (AAD) using the Azure AD Connect synchronization engine, changing an attribute in both directories is normally just a matter of changing it in AD; the change is reflected in AAD after the next synchronization cycle. This is true of email addresses but not necessarily of the UPN. There are a few cases where you may be disappointed to see that your UPN changes are not reflected in AAD:

  • The users are changing from one federated domain to another federated domain. There is no direct path to change a user’s UPN in this scenario.  Changing the UPN of a user from one federated domain to another is not supported.  The best approach is to:
    • Change the user’s UPN to a non-verified domain (meaning a domain not verified in your AAD tenant, for instance, a .local domain, even if you have to add the additional UPN suffix in AD Domains and Trusts just for this purpose)
    • Start a full synchronization of AD Connect with the command “Start-ADSyncSyncCycle -PolicyType Initial” – this will make the user get a tenant.onmicrosoft.com address in AAD since the domain suffix is not verified
    • Change the user’s UPN to the new federated domain in AD
    • Start a full synchronization of AD Connect with the command “Start-ADSyncSyncCycle -PolicyType Initial” – this will set the user to the federated domain.
  • You are using managed domains, but you have an older tenant in which the (now default) Azure AD Connect sync service features are not in place.

So, here’s the story with scenario 2: you change the UPN of a user in AD to a managed domain and wait for synchronization to occur, only to realize that the UPN didn’t change. The next step you should take is to open PowerShell, connect with the MSOnline module and run the command Get-MsolDirSyncFeatures. If the output shows SynchronizeUpnForManagedUsers set to $False, then you have found the culprit!


Back story…

A few years ago, no UPN changes were synced from AD to AAD with AAD Connect / AAD Sync / Dirsync / (insert-historical-name-of-this-product-here).

If you wanted to change a UPN, you would change it in AD, run a sync, and then have to manually change it in AAD by running the MSOnline command “Set-MsolUserPrincipalName” to update the AAD UPN. This always seemed counterintuitive to me, since almost all other attributes were synced. Newer tenants no longer require this second step; the UPN change is fully synced. The issue occurs in some older tenants that existed before these changes were implemented and therefore don’t have this setting in place.

So how do I fix it?

The fix is simple. Just update this setting with the command “Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $True”.

Going forward, your UPN updates will get synced from AD to AAD. However, there is one caveat: enabling this feature won’t retroactively search through your users and update any UPNs which don’t match; it will only sync users whose UPNs are changed after this setting is configured. So again, you have 2 options:

  1. Perform the following actions:
    • Flip the UPNs back to what they were originally.
    • Start a full synchronization of AD Connect with the command
      • Start-ADSyncSyncCycle -PolicyType Initial
    • Change this setting to $True with the command
      • Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $True
    • Flip the UPNs to what they are supposed to be.
    • Start a full synchronization of AD Connect with the command
      • Start-ADSyncSyncCycle -PolicyType Initial
  2. Wait until your next round of UPN changes to test this feature, and for this time just use the command
    “Set-MsolUserPrincipalName -UserPrincipalName <OldUPN> -NewUserPrincipalName <NewUPN>” to change the Azure AD UPNs to match the new AD UPNs.
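As an added example that is not part of the original post, the following script ties the two halves together: it checks the SynchronizeUpnForManagedUsers feature from the troubleshooting step above and then finds the synced users whose AAD UPN already drifted from AD, applying the manual Set-MsolUserPrincipalName fix from option 2 only to those. It assumes the MSOnline and ActiveDirectory modules are installed, that Connect-MsolService has already been run, that users live in managed (not federated) domains, and that ImmutableId is the base64 form of the AD objectGUID (the usual Azure AD Connect anchor).

```powershell
# Added example, not from the original post. Dry run by default; pass -Fix to apply changes.
param(
    [switch]$Fix
)

Import-Module MSOnline
Import-Module ActiveDirectory

# 1. Check the tenant-level feature the post describes and enable it if asked to.
$feature = Get-MsolDirSyncFeatures -Feature SynchronizeUpnForManagedUsers
if (-not $feature.Enabled) {
    Write-Warning "SynchronizeUpnForManagedUsers is disabled; UPN changes in AD will not sync."
    if ($Fix) {
        Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $true
    }
}

# 2. Index on-premises users by their expected ImmutableId (assumption: base64 of objectGUID),
#    which is how a synced AAD object is matched back to its AD source.
$adUpnByImmutableId = @{}
Get-ADUser -Filter 'UserPrincipalName -like "*"' -Properties UserPrincipalName | ForEach-Object {
    $immutableId = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
    $adUpnByImmutableId[$immutableId] = $_.UserPrincipalName
}

# 3. Compare only synced cloud users (those with an ImmutableId) against AD.
$mismatches = foreach ($cloudUser in (Get-MsolUser -All | Where-Object { $_.ImmutableId })) {
    $expectedUpn = $adUpnByImmutableId[$cloudUser.ImmutableId]
    if ($expectedUpn -and $expectedUpn -ne $cloudUser.UserPrincipalName) {
        [pscustomobject]@{ AadUpn = $cloudUser.UserPrincipalName; AdUpn = $expectedUpn }
    }
}

# 4. Report, or apply the same manual fix the post gives as option 2.
foreach ($m in $mismatches) {
    if ($Fix) {
        Set-MsolUserPrincipalName -UserPrincipalName $m.AadUpn -NewUserPrincipalName $m.AdUpn
        Write-Host "Updated $($m.AadUpn) -> $($m.AdUpn)"
    } else {
        Write-Host "MISMATCH AAD=$($m.AadUpn) AD=$($m.AdUpn)"
    }
}
Write-Host "$(@($mismatches).Count) user(s) out of sync."
```

Run it once without -Fix and review the mismatch list before applying, since a wrong UPN rewrite affects sign-in for that user immediately.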

In this blog, we reviewed the various methods to sync your UPNs from AD to Azure AD or troubleshoot why updates may not be syncing.  Feel free to contact us if you have any questions!
