Changes aren't synced by the Azure Active Directory Sync tool after you change the UPN of a user account to use a different federated domain

Applies to: Cloud Services (Web roles/Worker roles), Microsoft Intune, Azure Backup

PROBLEM


You update the user principal name (UPN) of an on-premises Active Directory Domain Services (AD DS) user account to use a different federated domain. However, directory synchronization doesn't propagate the change from one federated domain directly to another federated domain for a user ID in a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune.

When the user object is being synced to the cloud service, you receive the following error message in the synchronization error report:
Unable to update this object in Microsoft Online Services, because the attribute FederatedUser.UserPrincipalName is not valid. Update the value in your local Active Directory

CAUSE


This problem occurs because the service doesn't allow you to change the federated domain suffix of a user to a different federated domain suffix.

WORKAROUND


To work around this problem, use one of the following methods.

Method 1

  1. Install the Azure Active Directory V2 PowerShell module. To do this, see https://www.powershellgallery.com/packages/AzureAD/2.0.0.71.
  2. Run the following commands, and press Enter after each command:

       Connect-AzureAD

     Note After you enter this command, you're prompted to enter your administrative credentials.

       Set-AzureADUser -ObjectId [ExistingUPN] -UserPrincipalName [DefaultDomainUPN]

     Note In this command, [ExistingUPN] represents the current UPN of the user ID, and [DefaultDomainUPN] represents the same UPN with its domain suffix changed to the default domain. For example, a Contoso administrator might use the following command:

       Set-AzureADUser -ObjectId user1@contoso.com -UserPrincipalName user1@contoso.onmicrosoft.com

       Set-AzureADUser -ObjectId [DefaultDomainUPN] -UserPrincipalName [NewUPN]

     Note In the second command, [DefaultDomainUPN] represents the UPN of the user ID after you run the first command, and [NewUPN] is the target UPN to which you are migrating the user ID.

     Note If you receive an error message after you run the second command, close and then reopen the Azure Active Directory V2 PowerShell module. Then, run the command again.
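The two-hop UPN change from Method 1 (federated suffix to the tenant's initial domain, then to the new federated suffix), wrapped in a function with the checks an administrator would want before and after each hop. This is an added example, not a script from the article; it assumes the AzureAD V2 module is loaded, Connect-AzureAD has already been run, that the tenant's initial *.onmicrosoft.com domain is the pivot, and Move-FederatedUpn is a hypothetical function name.

```powershell
# Added example: two-hop UPN move between federated domains via the initial
# domain, using the AzureAD V2 cmdlets named in the article. Assumes
# Connect-AzureAD has already been run; Move-FederatedUpn is a hypothetical name.
function Move-FederatedUpn {
    param(
        [Parameter(Mandatory)] [string] $ExistingUpn,   # e.g. user1@contoso.com
        [Parameter(Mandatory)] [string] $NewUpn         # e.g. user1@fabrikam.com
    )

    $prefix    = $ExistingUpn.Split('@')[0]
    $newSuffix = $NewUpn.Split('@')[1]
    $domains   = Get-AzureADDomain

    # Only move to a suffix the tenant has verified; anything else is rejected
    # by the service and usually indicates a typo or the wrong tenant.
    $target = $domains | Where-Object { $_.Name -eq $newSuffix }
    if (-not $target -or -not $target.IsVerified) {
        throw "Domain '$newSuffix' is not a verified domain in this tenant."
    }

    # Assumption: the pivot is the tenant's initial *.onmicrosoft.com domain,
    # which is managed, so each hop is a federated<->managed change.
    $pivot = $domains |
        Where-Object { $_.IsInitial -and $_.Name -like '*.onmicrosoft.com' } |
        Select-Object -First 1
    if (-not $pivot) { throw "Could not find the tenant's initial domain." }
    $pivotUpn = "$prefix@$($pivot.Name)"

    # Confirm the user exists under the current UPN before changing anything.
    $null = Get-AzureADUser -ObjectId $ExistingUpn

    # Hop 1: federated suffix -> managed initial-domain suffix.
    Set-AzureADUser -ObjectId $ExistingUpn -UserPrincipalName $pivotUpn
    $u = Get-AzureADUser -ObjectId $pivotUpn
    if ($u.UserPrincipalName -ne $pivotUpn) {
        throw "Hop 1 did not take effect; user is still '$($u.UserPrincipalName)'."
    }

    # Hop 2: managed initial-domain suffix -> new federated suffix. The article
    # notes this step can fail; if so, rerun it starting from $pivotUpn.
    Set-AzureADUser -ObjectId $pivotUpn -UserPrincipalName $NewUpn
    $u = Get-AzureADUser -ObjectId $NewUpn
    if ($u.UserPrincipalName -ne $NewUpn) {
        throw "Hop 2 did not take effect; user is still '$($u.UserPrincipalName)'."
    }
    return $u.UserPrincipalName
}
# Example call with constructed values:
# Move-FederatedUpn -ExistingUpn 'user1@contoso.com' -NewUpn 'user1@fabrikam.com'
```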

Method 2

  1. On a domain controller, follow these steps:

    1. Add your initial domain as a UPN suffix in the on-premises AD DS user account.
    2. Change the user's UPN suffix from your domain to the initial domain.
    3. At a command prompt, run the following command to sync all domain controllers:
       repadmin /syncall /a /p /e /d
  2. Force directory synchronization to sync the changes to Azure Active Directory (Azure AD). For more information about how to do this, see Azure AD Connect sync: Scheduler.

     Note If you have an urgent change that must be synchronized immediately, you have to manually run a cycle. To do this, run the following cmdlet from PowerShell:

       Start-ADSyncSyncCycle -PolicyType Delta
  3. Verify that the user name is changed in the cloud service.
  4. On the domain controller, change the UPN suffix of the user to use the other federated domain.
  5. Force directory synchronization to sync the changes to Azure AD. For more information about how to do this, see Azure AD Connect sync: Scheduler.

     Note If you have an urgent change that must be synchronized immediately, you have to manually run a cycle. To do this, run the PowerShell cmdlet from step 2 of this procedure.
  6. Verify that the user name is changed in the cloud service.

MORE INFORMATION


For more information, go to the following Microsoft Knowledge Base articles:

2392130 Troubleshoot user name issues that occur for federated users when they sign in to Office 365, Azure, or Intune
2523192 User names in Office 365, Azure, or Intune don't match the on-premises UPN or alternate login ID