You update the user principal name (UPN) of an on-premises Active Directory Domain Services (AD DS) user account to use a different federated domain. However, directory synchronization doesn't propagate the change from one federated domain directly to another federated domain for a user ID in a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune.
When the user object is being synced to the cloud service, you receive the following error message in the synchronization error report:
Unable to update this object in Microsoft Online Services, because the attribute FederatedUser.UserPrincipalName is not valid. Update the value in your local Active Directory
This problem occurs because the service doesn't allow you to change the federated domain suffix of a user to a different federated domain suffix.
To work around this problem, use one of the following methods.
On a client computer that has the Azure Active Directory Module for Windows PowerShell installed, follow these steps:
Click Start, point to All Programs, click Windows Azure Active Directory, right-click Windows Azure Active Directory Module for Windows PowerShell, and then click Run as administrator.
Run the following commands, pressing Enter after each command:
Note: When you're prompted, enter non-federated cloud service global administrator credentials.
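One way to script this procedure is shown here as an added example; it is not the article's or Microsoft's own command listing. It assumes the workaround is to move the user through a managed (non-federated) domain of the tenant before assigning the UPN in the new federated domain. The function name `Move-FederatedUpn` and all UPN values are hypothetical placeholders.

```powershell
# Added example. Assumption: the cloud user is renamed into a managed
# (non-federated) domain first, then into the new federated domain.
function Move-FederatedUpn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $CurrentUpn,  # UPN the cloud user has now
        [Parameter(Mandatory)] [string] $InterimUpn,  # UPN in a managed domain
        [Parameter(Mandatory)] [string] $NewUpn       # UPN already set in AD DS
    )

    # Confirm each domain has the authentication type this sequence relies on.
    $expected = [ordered]@{
        $CurrentUpn = 'Federated'
        $InterimUpn = 'Managed'
        $NewUpn     = 'Federated'
    }
    foreach ($upn in $expected.Keys) {
        $domainName = ($upn -split '@')[-1]
        $domain = Get-MsolDomain -DomainName $domainName -ErrorAction Stop
        if ("$($domain.Authentication)" -ne $expected[$upn]) {
            throw "$domainName is $($domain.Authentication); expected $($expected[$upn])."
        }
    }

    # Fail early if the cloud user cannot be found under its current UPN.
    $null = Get-MsolUser -UserPrincipalName $CurrentUpn -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess($CurrentUpn, "Rename to $NewUpn via $InterimUpn")) {
        Set-MsolUserPrincipalName -UserPrincipalName $CurrentUpn `
            -NewUserPrincipalName $InterimUpn -ErrorAction Stop
        Set-MsolUserPrincipalName -UserPrincipalName $InterimUpn `
            -NewUserPrincipalName $NewUpn -ErrorAction Stop
        # Show the result so the account and its source anchor can be checked.
        Get-MsolUser -UserPrincipalName $NewUpn |
            Select-Object UserPrincipalName, ImmutableId
    }
}

# Sign in with a non-federated global administrator account when prompted.
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Placeholder values; -WhatIf reports the planned renames without making them.
Move-FederatedUpn -CurrentUpn 'user@old.example.com' `
    -InterimUpn 'user@contoso.onmicrosoft.com' `
    -NewUpn 'user@new.example.com' -WhatIf
```

Remove `-WhatIf` to apply the change, then compare the returned `ImmutableId` with the value recorded before the rename to confirm the cloud account is still matched to the same on-premises object.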
Microsoft Azure cloud services, Microsoft Azure Active Directory, Microsoft Office 365, Microsoft Intune, CRM Online via Office 365 E Plans, Microsoft Azure Recovery Services, Office 365 Identity Management