AADconnect configuration change

  • Question

  • We are using AAD Connect to sync accounts from on-prem AD to Azure (O365 E3).

    When we set it up we chose a UPN instead of our email address to sync to Azure.

    Our current username is in the format username@xyz.com

    We would like to use firstname.surname@xyz.com

    How can we change this in AADConnect, and how do we update our existing users who are already on Azure AD?


    HP

    Thursday, June 22, 2017 3:21 PM

All replies

  • Hi,

    I agree with @Slava.

    I would also prefer to change the onPrem UPN to match the mail address. Using the mail attribute is also called "Alternate Login ID", which causes issues and limitations in some O365 scenarios.

    But if you switch to mail attribute you need to also modify your ADFS if you are using it.

    Check "Alternate Login ID" topics on search and you will find a lot of information that helps you decide if this is your way.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, June 22, 2017 7:14 PM
  • So your suggestion is to change it on AD. We have over 3000 accounts and I thought AADConnect can be configured to translate to firstname.lastname@xyz.com.


    HP

    Thursday, June 22, 2017 9:06 PM
  • Hi,

    You can do it with AADC if you want, either by reinstalling AADC and switching to mail as the logon attribute; AADC will reconnect the existing accounts by using the objectGUID/ImmutableID and change the logon name on the next sync.

    Or you can find and modify the attribute flow for UPN to logonname within the Sync Rule Editor.

    The question is whether this is the best way for you (not the easiest). One benefit of changing the UPN in onPrem AD is that you stick with the default installation of AADC, and users will also have the same login name onPrem and in AAD.

    The only impact you have is that users need to know the change is coming and use their mail also for onPrem login where they used UPN before (no change on samaccountname). So just some communication.

    You can change the UPN with a simple PowerShell script for all the 3000 accounts, just copy over the mail attribute to UPN.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Friday, June 23, 2017 6:19 AM
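
The bulk change described in the last reply (copying `mail` into `userPrincipalName` on-prem), as an added example that is not part of the original thread. The OU, the CSV path and the `-Apply` switch are assumptions; the script uses the ActiveDirectory module and only reports what it would change unless `-Apply` is given.

```powershell
# Added example (not from the thread): dry run unless -Apply is given.
param(
    [string]$SearchBase  = 'OU=Staff,DC=xyz,DC=com',  # assumed OU, adjust
    [string]$RollbackCsv = '.\upn-rollback.csv',      # assumed output path
    [switch]$Apply
)
Import-Module ActiveDirectory

# Only accounts that actually have a mail value can be converted.
$users = Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase -Properties mail

# A UPN must end in a suffix the forest knows: domain DNS names are implicit
# suffixes, anything else has to be registered as an alternative UPN suffix.
$forest   = Get-ADForest
$suffixes = @($forest.Domains) + @($forest.UPNSuffixes)

# Two accounts sharing one mail value would collide on the same UPN.
$dupes = $users | Group-Object -Property mail |
    Where-Object { $_.Count -gt 1 } | Select-Object -ExpandProperty Name

$plan = foreach ($u in $users) {
    $suffix = ($u.mail -split '@')[-1]
    $skip = $null
    if ($suffixes -notcontains $suffix)   { $skip = 'suffix unknown to forest' }
    if ($dupes -contains $u.mail)         { $skip = 'mail value is not unique' }
    if ($u.mail -eq $u.UserPrincipalName) { $skip = 'UPN already equals mail' }
    [pscustomobject]@{
        ObjectGUID     = $u.ObjectGUID
        SamAccountName = $u.SamAccountName
        OldUPN         = $u.UserPrincipalName
        NewUPN         = $u.mail
        Skip           = $skip
    }
}

# Keep the old values so the change can be reverted, and list what was skipped.
$plan | Export-Csv -Path $RollbackCsv -NoTypeInformation
$plan | Where-Object { $_.Skip } | Format-Table SamAccountName, NewUPN, Skip

foreach ($p in ($plan | Where-Object { -not $_.Skip })) {
    # sAMAccountName is left untouched; only userPrincipalName changes.
    Set-ADUser -Identity $p.ObjectGUID -UserPrincipalName $p.NewUPN -WhatIf:(-not $Apply)
}
```

Run it once without `-Apply` and review the skipped accounts and the rollback CSV before writing anything.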