When you run the Microsoft Azure Active Directory Sync tool, you notice that the user name of a user in Office 365, Microsoft Azure, or Microsoft Intune doesn't match the user's on-premises user principal name (UPN) or alternate login ID. The UPN or alternate login ID could be the user's user name, email address, or some other attribute.
There are three possible causes of this issue:
- Your company domain is not yet verified. The domain of the on-premises UPN or alternate login ID is a domain that's not yet verified in Azure Active Directory (Azure AD).
- The user in Azure AD is not federated and was assigned a license.
- The domain suffix of the UPN or alternate login ID has changed from one federated domain to another federated domain.
Scenario 1: Your company domain is not yet verified
Make sure that the domain suffix of the UPN or alternate login ID is verified in Azure AD. If you sync users before you verify the domain, the user name of the user is changed accordingly.
How to determine the domain suffix for a UPN
On a domain controller or on a computer on which the Windows Server Administration Toolkit is installed, follow these steps:
- Open Active Directory Users and Computers. To do this, click Start, click Run, type dsa.msc, and then click OK.
- Right-click the domain, and then click Find.
- In the Name box, type the user's display name, and then click Find Now.
- Double-click the user name in the search results, and then click the Account tab.
- Under User logon name, note the domain part of the user logon name. This is known as the UPN suffix.
How to determine the domain suffix for an alternate login ID
On a domain controller or on a computer on which the Windows Server Administration Toolkit is installed, you can use Active Directory Service Interfaces Editor (ADSI Edit) to determine the domain suffix for an alternate login ID. To learn more about how to do this, see Using ADSI Edit to Edit Active Directory Attributes.
Note: If the domain suffix isn't a registered domain, you must either register the domain by using a domain registrar or change the domain suffix of the user to a domain that's registered. This domain suffix must be registered by using a domain registrar before you can verify the domain in Azure AD.
Scenario 2: The user has a license
In this scenario, the UPN is not synchronized if the user has a license assigned to them. This scenario should apply to you only if you enabled directory synchronization for the first time before June 15, 2015.
Historically, all updates to the UPN through sync were blocked if the user was managed (non-federated) and was assigned a license.
To update the UPN of a user who was assigned a license, follow these steps:
- Start the Azure Active Directory Module for Windows PowerShell, and then connect to Azure AD. For more information about how to do this, go to the following Microsoft website:
- Run the following Windows PowerShell cmdlet:
Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $True
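The following script is an added example, not part of the original article: it reads a user's on-premises UPN and alternate login ID (the same values the dsa.msc and ADSI Edit steps above show), checks whether each domain suffix is verified in Azure AD (Scenario 1), and reports whether the SynchronizeUpnForManagedUsers feature is enabled (Scenario 2). It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and that the alternate login ID is stored in the mail attribute (an assumption; change $AltIdAttribute if your deployment uses another attribute).

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory and
# MSOnline modules are loaded/installed and Connect-MsolService has been run.
# The alternate login ID attribute defaults to 'mail' here; adjust as needed.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$AltIdAttribute = 'mail'
)

Import-Module ActiveDirectory

# Return the lower-cased domain part of a user@domain value, or $null if none.
function Get-DomainSuffix {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value) -or $Value -notlike '*@*') { return $null }
    return $Value.Split('@')[-1].ToLowerInvariant()
}

# On-premises values: UPN (Account tab in dsa.msc) and alternate login ID attribute.
$user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, $AltIdAttribute
$suffixes = @{
    'UPN'                = Get-DomainSuffix $user.UserPrincipalName
    'Alternate login ID' = Get-DomainSuffix $user.$AltIdAttribute
}

# Verified domains in Azure AD, keyed by name; value is Managed or Federated.
$verified = @{}
Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } |
    ForEach-Object { $verified[$_.Name.ToLowerInvariant()] = $_.Authentication }

foreach ($entry in $suffixes.GetEnumerator()) {
    if (-not $entry.Value) {
        Write-Output ("{0}: attribute not set on-premises" -f $entry.Key)
        continue
    }
    if ($verified.ContainsKey($entry.Value)) {
        Write-Output ("{0} suffix '{1}' is verified in Azure AD ({2})" -f `
            $entry.Key, $entry.Value, $verified[$entry.Value])
    } else {
        Write-Output ("{0} suffix '{1}' is NOT verified in Azure AD (see Scenario 1)" -f `
            $entry.Key, $entry.Value)
    }
}

# Scenario 2: is UPN sync for licensed managed users enabled in this tenant?
$feature = Get-MsolDirSyncFeatures -Feature SynchronizeUpnForManagedUsers
Write-Output ("SynchronizeUpnForManagedUsers enabled: {0}" -f $feature.Enabled)
```

Run it as .\Check-UpnSuffix.ps1 -SamAccountName <user>; an unverified suffix or a disabled feature points you to the matching scenario above.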
Scenario 3: The domain suffix of the UPN or alternate login ID changed from one federated domain to another federated domain
Follow the steps in the following Microsoft Knowledge Base article:
2669550 Changes aren't synced by the Azure Active Directory Sync tool after you change the UPN of a user account to use a different federated domain
The Windows PowerShell commands in this article require the Azure Active Directory Module for Windows PowerShell. For more information, go to the following Microsoft website:
2643629 One or more objects don't sync when using the Azure Active Directory Sync tool