0 Votes
HvidAsgautFalch-7331 asked

Federating and synchronising verified domain with existing AAD user accounts

We currently have two verified domains in our tenant. One is the primary UPN suffix in our onsite Active Directory and is already synchronised with AAD Connect and federated with ADFS.

Now we want to do the same with the second domain - synchronise and federate - but some users have already been created natively in the cloud using this domain as their UPN suffix.
What will happen to their accounts if we set up synchronisation and enable federation for the second domain using AAD Connect now? Will they automatically be directed to our ADFS for login to Office 365 and other services, where they will no longer have a valid account because they don't exist in our on-premises Active Directory? Or will they still be able to sign in as fully cloud native users, with only users synchronised from our onsite directory being redirected to ADFS for login?

azure-active-directory, adfs

0 Votes
amanpreetsingh-msft answered

Hi @HvidAsgautFalch-7331

In this case, there are 2 things that you would need to keep in mind.

  1. While federating the second custom domain, you would need to use -SupportMultipleDomain switch in the cmdlet.

    Convert-MsolDomainToFederated -DomainName your_domain_name -SupportMultipleDomain

  2. If there are existing cloud users that are using the same UPN, there won't be any errors due to the Duplicate Attribute Resiliency feature. The UPN for newly synced users will be generated as per the format below:

OriginalPrefix + 4DigitNumber @ InitialTenantDomain .onmicrosoft.com

If you want to use the existing UPN, you would either need to rename or remove the existing cloud accounts before synchronizing the new users with the same UPN. Also, the redirection to ADFS will be done on the basis of UPN suffix, which means cloud-only users will also be redirected to ADFS and won't be able to authenticate in that case. So, the UPN for cloud-only users should be configured to use either a custom managed domain or the .onmicrosoft.com domain.

Read more:

Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
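The pre-flight check the answer implies, written out as an added example (this is not code from the original post or from Microsoft): before running Convert-MsolDomainToFederated on the second domain, list every cloud-only account whose UPN suffix is that domain, since those sign-ins will be redirected to ADFS and fail once the domain is federated, and optionally move them to the tenant's initial .onmicrosoft.com domain. It uses the same MSOnline module as the answer and assumes an existing Connect-MsolService session; the domain name is a placeholder parameter, and "cloud-only" is approximated as "no ImmutableId" (an account AAD Connect has never matched to an on-premises object), which is an assumption rather than a documented invariant. Run it without -Fix first and pay particular attention to any Global Administrator in the list, because federating a domain that still carries a cloud-only admin UPN locks that admin out along with everyone else.

```powershell
# Added example, not from the original post. Assumes: MSOnline module loaded,
# Connect-MsolService already run, and that a user with an empty ImmutableId is
# cloud-only (assumption; a hard-matched user would carry an ImmutableId).
param(
    # Placeholder: the second verified domain you are about to federate.
    [Parameter(Mandatory)] [string] $DomainToFederate,
    # When set, rename affected cloud-only users to the initial .onmicrosoft.com domain.
    [switch] $Fix
)

# Sanity-check the domain before touching anything.
$domain = Get-MsolDomain -DomainName $DomainToFederate
if ($domain.Status -ne 'Verified') {
    throw "$DomainToFederate is not a verified domain in this tenant."
}
if ($domain.Authentication -eq 'Federated') {
    Write-Warning "$DomainToFederate is already federated; any cloud-only users below are already locked out."
}

# The initial tenant domain (tenant.onmicrosoft.com) is always managed, so it is a
# safe landing zone for cloud-only UPNs.
$initialDomain = (Get-MsolDomain | Where-Object { $_.IsInitial }).Name

# Cloud-only users whose UPN suffix is the domain about to be federated. After
# federation, Azure AD routes sign-ins for this suffix to ADFS, where these
# accounts do not exist.
$affected = Get-MsolUser -All | Where-Object {
    $_.UserPrincipalName -like "*@$DomainToFederate" -and
    [string]::IsNullOrEmpty($_.ImmutableId)
}

if (-not $affected) {
    Write-Host "No cloud-only users use @$DomainToFederate; safe to run:"
    Write-Host "  Convert-MsolDomainToFederated -DomainName $DomainToFederate -SupportMultipleDomain"
    return
}

Write-Host "Cloud-only users that would lose sign-in once @$DomainToFederate is federated:"
$affected | Select-Object UserPrincipalName, DisplayName, LastDirSyncTime | Format-Table -AutoSize

if ($Fix) {
    foreach ($user in $affected) {
        $prefix = $user.UserPrincipalName.Split('@')[0]
        $newUpn = "$prefix@$initialDomain"
        Write-Host "Renaming $($user.UserPrincipalName) -> $newUpn"
        Set-MsolUserPrincipalName -UserPrincipalName $user.UserPrincipalName -NewUserPrincipalName $newUpn
    }
    Write-Host "Done. Re-run without -Fix to confirm the list is empty before federating."
}
else {
    Write-Host "Rename these users (or recreate them on-premises and sync) before federating; re-run with -Fix to move them to @$initialDomain."
}
```

After the domain is converted, `Get-MsolDomainFederationSettings -DomainName <domain>` should show the ADFS endpoints for the second suffix as well as the first; if it does not, the -SupportMultipleDomain switch was missed and the ADFS issuance rules for the new suffix were not created.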






0 Votes
HvidAsgautFalch-7331 answered

Very helpful answer and useful reference articles, thank you very much.
We'll just have to migrate those cloud native users to our onsite Active Directory before federating the UPN, thankfully there aren't too many of them yet.
