In this post I want to document the process to make changes to a user’s UPN value when synchronising a federated domain from an on-premises Active Directory to Azure Active Directory used by Office 365.
You want to update the user principal name (UPN) of an on-premises Active Directory Domain Services (AD DS) user account. However, directory synchronisation doesn’t propagate the change from one federated domain directly to another federated domain for a user ID in a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune.
Changes to UPN values are not replicated by default as the technical implications can create issues for end-users. Therefore the only way to make the change is via PowerShell.
Firstly, the system you intend to execute the PowerShell commands from needs some prerequisites.
Download and install the following in this order – these downloads assume you are using a 64-bit server or management workstation:
- Microsoft Online Services Sign-In Assistant for IT Professionals RTW (x64) – www.microsoft.com/…/details.aspx
- Manage Windows Azure Active Directory by using Windows PowerShell (x64) – http://technet.microsoft.com/library/jj151815.aspx
- Now open Windows Azure Active Directory Module for Windows PowerShell from the start menu or desktop, be sure to ‘Run as Administrator’.
- Next, we need to open a new management session with Azure AD; to do this run the following command:
- When challenged for credentials, enter an account that has Global Administrator permissions to the tenant that you plan to change UPN values for.
- Now that you are connected to the cloud tenant, use the following command to update a user’s UPN value:
Set-MsolUserPrincipalName -UserPrincipalName email@example.com -NewUserPrincipalName firstname.lastname@example.org
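The steps above as one script, added here as an example and not taken from the original post: it opens the session with the Azure AD module for Windows PowerShell (the MSOnline cmdlets the post installs), confirms the user exists and that the new UPN suffix is a verified domain in the tenant, applies the change, and reads the object back to confirm it landed. It assumes an elevated session with that module installed and that the on-premises UPN has already been changed so the two directories end up matching; the function name and the two UPN values are placeholders I made up.

```powershell
# Added example, not the post's own code. Assumes the Azure AD module for Windows
# PowerShell (MSOnline cmdlets) is installed and the session is run as Administrator.
# The UPN values passed at the bottom are constructed placeholders.

function Update-TenantUserUpn {
    param(
        [Parameter(Mandatory)] [string] $CurrentUpn,
        [Parameter(Mandatory)] [string] $NewUpn
    )

    # 1. Open the management session; this prompts for Global Administrator credentials.
    Connect-MsolService

    # 2. Confirm the user exists in the tenant under the UPN we were given.
    $user = Get-MsolUser -UserPrincipalName $CurrentUpn -ErrorAction Stop

    # 3. Confirm the new suffix is a domain verified in this tenant, and show whether
    #    it is federated or managed so the change is made knowingly.
    $newSuffix = ($NewUpn -split '@')[1]
    $domain = Get-MsolDomain -DomainName $newSuffix -ErrorAction Stop
    if ($domain.Status -ne 'Verified') {
        throw "Domain '$newSuffix' is not verified in this tenant (status: $($domain.Status))."
    }
    Write-Host ("Target domain {0} is {1} ({2})" -f $domain.Name, $domain.Status, $domain.Authentication)

    # 4. Apply the change in the cloud tenant. Directory synchronisation will not do this
    #    for a move between federated domains, which is why the post uses PowerShell.
    Set-MsolUserPrincipalName -UserPrincipalName $CurrentUpn -NewUserPrincipalName $NewUpn -ErrorAction Stop

    # 5. Read the object back under the new UPN and check it is the same directory object
    #    before reporting success.
    $updated = Get-MsolUser -UserPrincipalName $NewUpn -ErrorAction Stop
    if ($updated.ObjectId -ne $user.ObjectId) {
        throw "UPN $NewUpn resolves to a different object than $CurrentUpn did; inspect before continuing."
    }
    Write-Host "UPN for object $($updated.ObjectId) changed: $CurrentUpn -> $NewUpn"
    return $updated
}

# Constructed placeholder values; replace with the real old and new UPNs.
Update-TenantUserUpn -CurrentUpn 'email@example.com' -NewUpn 'firstname.lastname@example.org'
```

The domain check is the part worth keeping even if you run the cmdlets by hand: Set-MsolUserPrincipalName will refuse a suffix the tenant does not own, and reading Status and Authentication first tells you which of the two directories is authoritative for sign-in after the change.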
Hope this helps others who might be stuck with this same problem when using the DirSync tool to mirror an on-premises Active Directory with Azure Active Directory.