
Tuesday, January 1, 2019

Sync Onprem Users with Azure AD

When you want to use Microsoft cloud services such as Office 365 and Azure (Microsoft 365), you need to synchronize your on-premises users with Azure AD. However, before synchronizing users, setting up a UPN suffix that matches your cloud domain name is a prerequisite.

If you currently use a ".local" domain for your user accounts in AD DS, Microsoft recommends that you change them to use a verified domain (for example, billa@contoso.com) so that they synchronize properly with your Microsoft 365 domain.

In this blog, I will walk through how to set up the UPN suffix in Active Directory before synchronizing the on-premises users with Azure AD.

Note: Setting up hybrid AD and configuring Azure AD Connect are out of scope.


Add UPN suffixes and update your users:

On the AD DS domain controller, in Server Manager, choose Tools > Active Directory Domains and Trusts.

In the Active Directory Domains and Trusts window, right-click Active Directory Domains and Trusts, and then choose Properties.


On the UPN Suffixes tab, in the Alternative UPN Suffixes box, type your new UPN suffix or suffixes, and then choose Add > Apply.


Choose OK when you're done adding suffixes.


Change the UPN suffix for existing users:

When it comes to changing the UPN suffix for existing users, you can do it either in the Active Directory Users and Computers console or in PowerShell. In a production environment the most convenient way is PowerShell. Below I will explain both ways.

Use Active Directory Users and Computers to change the UPN suffix:

On the AD DS domain controller, in Server Manager, choose Tools > Active Directory Users and Computers.


Select a user, right-click, and then choose Properties.


On the Account tab, in the UPN suffix drop-down list, choose the new UPN suffix, and then choose OK.


Use PowerShell to change the UPN suffix for all of your users:

If you have numerous user accounts to update, it's easier to use PowerShell. In a practical environment you have to update the existing users in batches, so below I have created a PowerShell script to change the UPN suffix for a list of users.

#Script Start
<#

Run the script on the Active Directory server with Run as Administrator.
Create a .csv file called username.csv with a column header "username" (refer to image01).
Place the script and username.csv in the same folder.
Change the variable $domain to your custom (verified) domain name; the line is marked below.
The script can be run on the Active Directory server.
The script requires the Active Directory PowerShell module; if you run it on a member server or client, install RSAT and import the module first.

#>

Import-Module ActiveDirectory -ErrorAction Stop

$location = Get-Location

Remove-Item -Path "$location\result.csv" -ErrorAction SilentlyContinue
$domain = 'mycloudpros.ca'   # <-- change this to your verified domain name
$datafile = Import-Csv "$location\Username.csv"
$result = @()
foreach ($listuser in $datafile)
{
    $localuser = $listuser.username
    # Look the account up once by its logon name (sAMAccountName), which is what the
    # "username" column holds, instead of enumerating every user in the domain per row.
    $aduser = Get-ADUser -Filter "SamAccountName -eq '$localuser'"
    if (-not $aduser) {
        Write-Warning "User '$localuser' not found, skipping."
        continue
    }
    Set-ADUser -Identity $aduser -UserPrincipalName "$localuser@$domain"
    # Re-read the account so the report shows the UPN that was actually written.
    $result += Get-ADUser -Identity $aduser | Select-Object Name, UserPrincipalName
}
$result | Export-Csv -Path "$location\result.csv" -NoTypeInformation

#Script End


Image01:



Note: The following command lists all AD users with their UPNs.

Get-ADUser -Filter * | select Name, UserPrincipalName


Note: If you want to change the UPN suffix for all the AD users in the organization, run the following commands one by one.

$LocalUsers = Get-ADUser -Filter "UserPrincipalName -like '*contoso.local'" -Properties userPrincipalName -ResultSetSize $null
$LocalUsers | foreach {$newUpn = $_.UserPrincipalName.Replace("@contoso.local","@contoso.com"); $_ | Set-ADUser -UserPrincipalName $newUpn}
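As an added example (not the post's own script), the same bulk change with the checks you want before running it against production: it refuses to run unless the new suffix has actually been added under Active Directory Domains and Trusts, it skips any user whose new UPN would duplicate an existing one (UPNs must be unique in the forest), and it supports -WhatIf for a dry run. The OU path and both domain names are assumed placeholders.

```powershell
<#
Added example, not part of the original post. Bulk-change the UPN suffix
for one OU with pre-flight checks. Assumed values: $OldSuffix, $NewSuffix,
$SearchBase. Run with -WhatIf first to see what would change.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OldSuffix  = 'contoso.local',                # assumption: current on-prem suffix
    [string]$NewSuffix  = 'contoso.com',                  # assumption: verified Microsoft 365 domain
    [string]$SearchBase = 'OU=Staff,DC=contoso,DC=local'  # assumption: OU to process
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Refuse to run unless the new suffix is registered in the forest
#    (the Active Directory Domains and Trusts step above).
$forestSuffixes = (Get-ADForest).UPNSuffixes
if ($forestSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' is not registered in the forest. Add it in AD Domains and Trusts first."
}

# 2. Collect only the users that still carry the old suffix, scoped to the OU.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -SearchBase $SearchBase -Properties UserPrincipalName

# 3. For each user, build the new UPN, check it is not already taken, then change it.
$report = foreach ($u in $users) {
    $newUpn = $u.UserPrincipalName -replace "@$([regex]::Escape($OldSuffix))$", "@$NewSuffix"
    $clash  = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'"
    if ($clash -and $clash.DistinguishedName -ne $u.DistinguishedName) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; OldUPN = $u.UserPrincipalName
                           NewUPN = $newUpn; Status = 'SKIPPED: UPN already in use' }
        continue
    }
    # ShouldProcess honours -WhatIf / -Confirm passed to the script.
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set UPN to $newUpn")) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        $status = 'Changed'
    } else {
        $status = 'DryRun'
    }
    [pscustomobject]@{ SamAccountName = $u.SamAccountName; OldUPN = $u.UserPrincipalName
                       NewUPN = $newUpn; Status = $status }
}

# 4. Keep a record of what was (or would have been) changed.
$report | Export-Csv -Path (Join-Path (Get-Location) 'upn-change-report.csv') -NoTypeInformation
$report | Format-Table -AutoSize
```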

