AD Connect behavior when removing UPN suffix?

Gregg Hamby 21 Reputation points
2020-06-04T14:08:30.647+00:00

Greetings all. I have a client with an existing O365 tenant which is synced to their local AD. That legacy AD is being migrated to a new one; however, the UPN suffix on the legacy domain happens to exactly match the domain name of the new domain to which everyone will be migrated. Thus, UPN suffix routing in the trust is broken.

I would like to remove the UPN suffix from the legacy domain as well as remove that suffix from all users via PowerShell. I do not believe this will have any impact on their current use of the legacy domain on premise. However, my concern is that AD Connect was configured to use the UPN as the login for O365, and currently all UPNs and primary SMTP addresses match and have been synced to Azure AD.

I was hoping to re-install the latest version of AD Connect, stipulate email address as the login name, and perform a full sync. After which, I would remove the conflicting UPN suffix from AD with the hope that their logins to O365 would be unaffected.

Has anyone performed a similar operation with positive results? The legacy domain is non-routable, hence their need for the UPN suffix in the first place. I'd like to avoid a case where, after the UPN suffix is removed, the next sync results in either duplicate users or renamed users with an onmicrosoft.com address.

Thanks in advance for any help offered.

Microsoft Entra ID

1 answer

  1. Thierry DEMAN-BARCELO 491 Reputation points MVP
    2020-06-04T21:57:17.927+00:00

    Hi Gregg,

    I'm not sure I understand your problem well.

    You have an AD with a local non-routable domain (such as domain.local), where you have changed all UPNs so that users have UPN=MainEMAIL synchronized and used on Office 365. So that is perfect. Where is the conflict?

    As UPN=PrimarySMTPAddress, why do you want to replace UPN with Email for login in ADConnect? Ideally, they should always be identical.

    It is certain that changing the current, correct UPNs in AD will have a bad impact on your ADConnect synchronization and user authentication.
    Modifying ADConnect only to use Email in place of UPN is not a good choice.

    Perhaps you have missed telling us some important information that requires a specific change!

    Regards,

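An added example covering both the question's plan (removing a UPN suffix from every user via PowerShell) and the answer's point that UPN and primary SMTP address should stay identical for AD Connect. This is not code from the question, the answer, or Microsoft; it assumes the RSAT ActiveDirectory module is installed, and the suffixes legacy.example.com and corp.example.com are placeholders for the real old and new domains. It only reads AD and performs a dry run, so it can be used to see which accounts would stop matching their primary SMTP address before anything is changed.

```powershell
# Added example, not from the original thread. Audits every user carrying the
# UPN suffix that is about to be retired and reports whether the UPN still
# equals the primary SMTP address that Azure AD Connect relies on for sign-in.
# Both suffixes below are placeholders, not the poster's domains.
Import-Module ActiveDirectory

$OldSuffix = 'legacy.example.com'   # placeholder: suffix to be removed
$NewSuffix = 'corp.example.com'     # placeholder: suffix users will move to

# Only users whose UPN ends in the retiring suffix are in scope.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -Properties mail, proxyAddresses, userPrincipalName

$report = foreach ($u in $users) {
    # The primary SMTP address is the proxyAddresses entry whose prefix is
    # upper-case "SMTP:"; lower-case "smtp:" entries are aliases.
    $primary = ($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
                Select-Object -First 1) -replace '^SMTP:', ''
    $prefix  = $u.UserPrincipalName.Split('@')[0]

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        CurrentUPN     = $u.UserPrincipalName
        PrimarySMTP    = $primary
        MailAttribute  = $u.mail
        UPNMatchesSMTP = ($u.UserPrincipalName -eq $primary)
        ProposedUPN    = "$prefix@$NewSuffix"
        # After the change the UPN would match the primary SMTP only if the
        # mailbox already uses the new suffix.
        ProposedMatch  = ("$prefix@$NewSuffix" -eq $primary)
    }
}

# Accounts whose UPN and primary SMTP already differ are the ones most likely
# to sign in under an unexpected name once the suffix changes.
Write-Host "Users whose current UPN differs from their primary SMTP address:"
$report | Where-Object { -not $_.UPNMatchesSMTP } | Format-Table -AutoSize

Write-Host "Users whose proposed UPN would NOT match their primary SMTP address:"
$report | Where-Object { -not $_.ProposedMatch } | Format-Table -AutoSize

# Keep the full plan for review before any change is applied.
$report | Export-Csv -Path .\upn-change-plan.csv -NoTypeInformation

# Dry run only: -WhatIf shows what Set-ADUser would do without writing to AD.
foreach ($row in $report) {
    Set-ADUser -Identity $row.SamAccountName `
               -UserPrincipalName $row.ProposedUPN -WhatIf
}
```

Running this from a machine with the AD module produces two tables (current and proposed mismatches) and a CSV of the whole plan; removing `-WhatIf` is the only step that would actually change UPNs, so the rename and the AD Connect sync can be rehearsed on the CSV first.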