When you run the Microsoft Azure Active Directory Sync tool, you notice that the user name of a user in Office 365, Microsoft Azure, or Microsoft Intune doesn't match the user's on-premises user principal name (UPN) or alternate login ID. The UPN or alternate login ID could be the user's user name, email address, or some other attribute.
There are three possible causes of this issue:
Your company domain is not yet verified. The domain of the on-premises UPN or alternate login ID is a domain that's not yet verified in Azure Active Directory (Azure AD).
The user in Azure AD is not federated and was assigned a license.
The domain suffix of the UPN or alternate login ID has changed from one federated domain to another federated domain.
Scenario 1: Your company domain is not yet verified
Make sure that the domain suffix of the UPN or alternate login ID is verified in Azure AD. If you sync users before you verify the domain, the user name of the user is changed accordingly.
How to determine the domain suffix for a UPN
On a domain controller or on a computer on which the Windows Server Administration Toolkit is installed, follow these steps:
Open Active Directory Users and Computers. To do this, click Start, click Run, type dsa.msc, and then click OK.
Right-click the domain, and then click Find.
In the Name box, type the user's display name, and then click Find Now.
Double-click the user name in the search results, and then click the Account tab.
Under User logon name, note the domain part of user logon name. This is known as the UPN suffix.
How to determine the domain suffix for an alternate login ID
On a domain controller or on a computer on which the Windows Server Administration Toolkit is installed, you can use Active Directory Service Interfaces Editor (ADSI Edit) to determine the domain suffix for an alternate login ID. To learn more about how to do this, see Using ADSI Edit to Edit Active Directory Attributes.
Note If the domain suffix isn't a registered domain, you must either register the domain by using a domain registrar or change the domain suffix of the user to a domain that's registered. This domain suffix must be registered by using a domain registrar before you can verify the domain in Azure AD.
Scenario 2: The user has a license
In this scenario, the UPN is not synchronized if the user has a license assigned to them. This scenario should apply to you only if you enabled directory synchronization for the first time before June 15, 2015.
Historically, all updates to the UPN through sync were blocked if the user was managed (non-federated) and was assigned a license.
To update the UPN of a user who was assigned a license, follow these steps:
Start the Azure Active Directory Module for Windows PowerShell, and then connect to Azure AD. For more information about how to do this, go to the following Microsoft website:
Microsoft Azure Cloud Services, Microsoft Azure Active Directory, Microsoft Office 365, Microsoft Intune, CRM Online via Office 365 E Plans, Microsoft Azure Recovery Services, Office 365 Identity Management