Cloud UPNs for AAD Connect users with Alt-ID don’t update after domain verified in tenant

A few weeks ago, I ran into an issue with a customer.  Scenario:

  • Customer had configured alternate-id sign in with AAD Connect (the gist is that it flows on-premises mail to cloud UPN)
  • Synced identity to tenant
  • Tenant did not have any verified domains

As expected, without a matching verified domain in the tenant, UPN suffixes in the tenant were actually set as @tenant.onmicrosoft.com. After adding the correct verified domain to the tenant, we forced a sync, but nothing updated (unexpected, but also not entirely surprising, since "nothing had changed" on the on-premises side to trigger an update). Newly provisioned identities worked as expected, so the configuration was correct.

So, the next step was to clear the AD and AAD connector spaces and re-run an initial sync, and that also did not solve the problem. At this point, the only 3 options left were:

  • Delete all of the objects in the tenant and re-synchronize
  • Update all of the user UPN suffixes on-premises to the correct suffix (alt-id had specifically been selected to avoid that)
  • Update all of the user UPN suffixes in-cloud to the value stored as the PrimarySmtpAddress

All of the objects showed as “synced,” and had immutable IDs.  Given that they did have some people already using the service, they didn’t want to start deleting the nearly 10,000 identities synchronized to the tenant.  So they opted for door number three.

An overview of the process:

  1. Connect to Exchange Online PowerShell.
  2. Export a list of users in the tenant to a CSV.
  3. Loop through the users, locating the PrimarySmtpAddress value in the proxyAddresses array (-cmatch "SMTP:", as capitalized SMTP indicates the primary address), and then setting it as the UserPrincipalName.

$tenant = (Get-MsolAccountSku)[0].AccountSkuId.Split(":")[0] + ".onmicrosoft.com"
# Synced users still carrying the onmicrosoft.com suffix, except those whose
# primary SMTP address is itself an onmicrosoft.com address (nothing to change).
[array]$Users = Get-MsolUser -All -Synchronized -DomainName $tenant |
    Select-Object DisplayName, UserPrincipalName, LastDirSyncTime, ImmutableId, ProxyAddresses |
    Where-Object { -not ($_.ProxyAddresses -cmatch "^SMTP:\S*@$([regex]::Escape($tenant))$") }
$Users | Export-Csv .\users.csv -Force -NoTypeInformation
[int]$i = 1
[int]$iCount = $Users.Count
foreach ($User in $Users)
{
    $OldUPN = $User.UserPrincipalName
    # Capitalized "SMTP:" marks the primary address; lowercase "smtp:" entries are aliases.
    $NewUPN = ($User.ProxyAddresses -cmatch "^SMTP:")[0].Substring(5)
    Write-Progress -Activity "Updating $($User.DisplayName) from $($OldUPN) to $($NewUPN)" -PercentComplete (($i / $iCount) * 100) -Id 1
    Set-MsolUserPrincipalName -UserPrincipalName $OldUPN -NewUserPrincipalName $NewUPN
    $i++
}
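A pre-flight variant of the same loop, added here as an example and not the script from the post: it builds the old-to-new UPN mapping first, skips users whose primary SMTP suffix is not a verified domain in the tenant (those renames would fail), writes the mapping to a CSV so the change can be reversed, and only touches the directory when $Apply is set to $true. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the file name rollback.csv is an assumption.

```powershell
# Added example, not the original script. Assumes Connect-MsolService has been run.
$Apply  = $false   # set to $true to actually perform the renames
$tenant = (Get-MsolAccountSku)[0].AccountSkuId.Split(":")[0] + ".onmicrosoft.com"

# Only verified domains can be used as a cloud UPN suffix.
$verified = (Get-MsolDomain -Status Verified).Name

$plan = foreach ($u in Get-MsolUser -All -Synchronized) {
    # Capital "SMTP:" marks the primary address; there should be exactly one.
    $primary = @($u.ProxyAddresses -cmatch '^SMTP:')
    if ($primary.Count -ne 1) {
        Write-Warning "$($u.UserPrincipalName): $($primary.Count) primary SMTP entries, skipping"
        continue
    }
    $newUpn = $primary[0].Substring(5)
    $suffix = $newUpn.Split('@')[1]

    $reason = $null
    if     ($newUpn -ieq $u.UserPrincipalName) { $reason = 'already correct' }
    elseif ($suffix -ieq $tenant)              { $reason = 'primary SMTP is onmicrosoft.com' }
    elseif ($verified -notcontains $suffix)    { $reason = "suffix $suffix not verified in tenant" }

    [pscustomobject]@{
        OldUPN      = $u.UserPrincipalName
        NewUPN      = $newUpn
        ImmutableId = $u.ImmutableId
        Action      = if ($reason) { "skip: $reason" } else { 'update' }
    }
}

# Keep the full mapping (including skips) so the change can be reversed later.
$plan | Export-Csv .\rollback.csv -NoTypeInformation -Force
$plan | Group-Object Action | Select-Object Count, Name | Format-Table -AutoSize

$todo = @($plan | Where-Object Action -eq 'update')
$i = 0
foreach ($row in $todo) {
    $i++
    Write-Progress -Activity "Updating UPNs" -Status "$($row.OldUPN) -> $($row.NewUPN)" -PercentComplete (100 * $i / $todo.Count)
    if ($Apply) {
        Set-MsolUserPrincipalName -UserPrincipalName $row.OldUPN -NewUserPrincipalName $row.NewUPN
    }
}
```

Review the Action summary and rollback.csv before flipping $Apply; a large "not verified" count usually means the domain was added but its verification has not completed.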

After the update, everyone could log in using the expected UPNs.

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.
