0 Votes
64371095 asked, sikumars commented

Azure AD Connect with .local domain

Hello,
I am having trouble synchronizing my Azure AD domain with the on-premises .local domain. I am trying to accomplish this with the Azure AD Connect app. I added a UPN suffix to Windows Server that matches my onmicrosoft.com domain, but it is not visible in the part of the installation called "Azure AD sign-in". It shows that the Active Directory UPN suffixes are "Not Added" to the Azure AD domain; I've seen it should show "Verified". Does somebody know how to fix this issue?

azure-ad-connect

1 Vote
sikumars answered, sikumars edited

Hello @Adam-4611,

This behavior is expected because Azure AD Connect only synchronizes users to domains that are verified in Azure AD, and you can't use <domainname>.onmicrosoft.com for synchronization.

The domain has to be a valid Internet domain (such as .com, .org, .net, .us). Therefore, use a different name than onmicrosoft.com for your organization, which you can buy from domain name providers (like GoDaddy).

If you plan to buy a new domain later, then there is no need to add onmicrosoft.com as a UPN suffix; just proceed by selecting the "Continue without matching all UPN suffixes to verified domain" option as shown below, so any UPN that contains a non-routable domain, such as ".local" (example: billa@contoso.local), will be synchronized to an .onmicrosoft.com domain (example: billa@contoso.onmicrosoft.com).

[screenshot: 114129-image.png]

Once you add and verify the domain in Azure AD, you can add the same name as a UPN suffix in local AD and update the users to that suffix, so that Azure AD Connect syncs all synchronized users with the new suffix.

More information: https://docs.microsoft.com/en-us/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization?view=o365-worldwide

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



1 Vote
AndyDavid answered

You wouldn't add the onmicrosoft.com domain to on-prem AD. You would add a custom domain that you have verified in Azure, then set that new domain as the UPN suffix for users on-prem:

https://docs.microsoft.com/en-us/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization?view=o365-worldwide#what-if-i-only-have-a-local-on-premises-domain

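The procedure both answers describe (register the verified custom domain as a forest UPN suffix, then move users off the .local suffix before Azure AD Connect syncs them), as an added PowerShell example that is not code from the thread or from Microsoft. It assumes the ActiveDirectory RSAT module, a session with rights to change the forest and the users, and that `contoso.com` is already added and verified in Azure AD; `contoso.local` and the OU path are placeholders.

```powershell
# Added example (not from the thread). Run with -WhatIf first to see what would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OldSuffix  = 'contoso.local',                 # assumption: the non-routable forest domain
    [string]$NewSuffix  = 'contoso.com',                   # assumption: custom domain already verified in Azure AD
    [string]$SearchBase = 'OU=Staff,DC=contoso,DC=local'   # assumption: OU holding the users to update
)

Import-Module ActiveDirectory

# 1. Register the routable suffix on the forest. Until this exists, the
#    "Azure AD sign-in" page of Azure AD Connect cannot show it as matched.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $NewSuffix")) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
    }
}

# 2. Rewrite only the suffix of each user's UPN. The prefix, sAMAccountName
#    and mail attributes are left untouched, so existing mail routing is unaffected.
$users = Get-ADUser -SearchBase $SearchBase `
                    -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -Properties UserPrincipalName
foreach ($u in $users) {
    $newUpn = $u.UserPrincipalName -replace "@$([regex]::Escape($OldSuffix))$", "@$NewSuffix"
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Change UPN $($u.UserPrincipalName) -> $newUpn")) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    }
}

# 3. Report anyone in scope still on a non-routable suffix; these accounts would
#    otherwise be synced under the tenant's .onmicrosoft.com name.
$remaining = Get-ADUser -SearchBase $SearchBase -Filter "UserPrincipalName -like '*.local'"
if ($remaining) {
    Write-Warning "Users still on a .local UPN suffix: $(($remaining.SamAccountName) -join ', ')"
}

# 4. On the Azure AD Connect server, trigger a delta sync so the new UPNs flow to Azure AD:
#    Start-ADSyncSyncCycle -PolicyType Delta
```

The script is idempotent: re-running it only touches users that still carry the old suffix.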

0 Votes
64371095 answered, sikumars commented

Hello,
Thanks for these answers, I got it working. However, I have some questions: will adding UPN suffixes break stuff? For example, we have an external email server outside our domain; email is configured so it has the same domain as my Microsoft organization AND the UPN suffix, so will users connected to the domain still be able to send emails? Also, I have a problem with users that were invited to my organization but have now joined it. They have #EXT# inside their UPN, so is it possible to change them somehow to be synchronized as well, as different users? Or at least create new users and transfer all Office and Teams data to them from these "#EXT#" users.


Sorry for delayed response.

As far as I know, this shouldn't impact existing email functionality, but if users have already been synchronized to Azure AD when you change their UPN, then there are some known issues and workarounds. To learn more, refer to Plan and troubleshoot User Principal Name changes in Azure Active Directory.

Coming back to your second question regarding "#EXT#" users: the supported way would be re-creating the Guest user (aka #EXT# or invited external user) accounts, as you won't be able to either modify the UPN from #EXT# to the new suffix name (new UPN) or migrate Office and Teams data.

The only supported scenario would be changing UserType from Guest to UserType = Member; to learn more, see properties of an Azure Active Directory B2B collaboration user.

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

0 Votes