Forum Discussion
UPN Mismatch between Local AD and Azure AD (Entra ID) impact on user sign-ins and SSO?
Hi Curious_Kevin16,
If you need to make configuration changes, then you want to disable the Microsoft Entra Connect Sync scheduler.
Microsoft Entra Connect Sync configuration best practices:
- Use the ms-DS-ConsistencyGuid (or objectGUID) as the sourceAnchor attribute for User objects. The sourceAnchor attribute uniquely identifies an object as being the same object on-premises and in Microsoft Entra ID
- Use "Password hash synchronization"
- Sync only specific OUs
- Don't sync service or admin accounts
Active Directory:
- Add the alternative UPN suffix in Active Directory Domains and Trusts
- Use the routable domain as the User logon name in Active Directory Users and Computers. Also check the mail (and proxyAddresses) attributes
Enable the scheduler again.
Important: the on-premises sourceAnchor ms-DS-ConsistencyGuid (or objectGUID) should always match the ImmutableID in Microsoft Entra ID.
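The steps above (stop the scheduler, register the suffix, rewrite the UPNs, restart the scheduler, confirm that the sourceAnchor still matches the ImmutableID) as one PowerShell walkthrough. This is an added example, not code from the thread or from Microsoft; the forest name company.local, the suffix company.com.nz, the OU=Staff search base and the use of the Microsoft.Graph.Users module with an existing Connect-MgGraph session are assumptions. It runs in -WhatIf mode unless -Apply is given.

```powershell
# Added example (not from the thread): UPN suffix change with sourceAnchor check.
# Assumed (hypothetical) names: forest company.local, suffix company.com.nz,
# users under OU=Staff. Requires the ActiveDirectory and ADSync modules on the
# Entra Connect server; step 5 additionally assumes Microsoft.Graph.Users and
# an established Connect-MgGraph session with User.Read.All.
#Requires -Modules ActiveDirectory, ADSync
param(
    [string]$Forest     = 'company.local',                 # assumed forest
    [string]$NewSuffix  = 'company.com.nz',                # assumed routable suffix
    [string]$SearchBase = 'OU=Staff,DC=company,DC=local',  # assumed OU in sync scope
    [switch]$Apply                                         # omit to dry-run with -WhatIf
)

# ImmutableID in Entra ID is the Base64 form of the 16-byte sourceAnchor:
# ms-DS-ConsistencyGuid, or objectGUID when the former has not been written yet.
function Get-ExpectedImmutableId {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)
    $bytes = $User.'mS-DS-ConsistencyGuid'
    if (-not $bytes) { $bytes = ([guid]$User.ObjectGUID).ToByteArray() }
    return [Convert]::ToBase64String([byte[]]$bytes)
}

# 1. Stop the scheduler so a half-finished change is not exported mid-way.
Set-ADSyncScheduler -SyncCycleEnabled $false

# 2. Register the routable suffix forest-wide (same as Domains and Trusts UI).
$suffixes = (Get-ADForest -Identity $Forest).UPNSuffixes
if ($suffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $Forest -UPNSuffixes @{Add = $NewSuffix} -WhatIf:(-not $Apply)
}

# 3. Rewrite the UPN for users in the synced OU. sAMAccountName is not touched,
#    so domain\user logons keep working. Flag mail/proxyAddresses that disagree.
$users = Get-ADUser -SearchBase $SearchBase -Filter * `
             -Properties 'mS-DS-ConsistencyGuid', mail, proxyAddresses, UserPrincipalName
foreach ($u in $users) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$NewSuffix"
    if ($u.UserPrincipalName -ne $newUpn) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:(-not $Apply)
    }
    if ($u.mail -and $u.mail -notlike "*@$NewSuffix") {
        Write-Warning "$($u.SamAccountName): mail ($($u.mail)) does not use $NewSuffix"
    }
    # Upper-case SMTP: marks the primary address in proxyAddresses (case-sensitive match).
    $primary = $u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }
    if ($primary -and $primary -ne "SMTP:$newUpn") {
        Write-Warning "$($u.SamAccountName): primary SMTP $primary differs from $newUpn"
    }
}

# 4. Re-enable the scheduler and push a delta sync.
Set-ADSyncScheduler -SyncCycleEnabled $true
if ($Apply) { Start-ADSyncSyncCycle -PolicyType Delta | Out-Null }

# 5. After the sync, confirm sourceAnchor <-> ImmutableID for every user
#    (only meaningful after -Apply; mismatches here mean a duplicate or
#    re-created cloud object, not a UPN problem).
if ($Apply) {
    foreach ($u in $users) {
        $expected = Get-ExpectedImmutableId -User $u
        $newUpn   = "$(($u.UserPrincipalName -split '@')[0])@$NewSuffix"
        $cloud = Get-MgUser -UserId $newUpn -Property UserPrincipalName, OnPremisesImmutableId `
                     -ErrorAction SilentlyContinue
        if (-not $cloud) { Write-Warning "$($u.SamAccountName): not in Entra ID yet"; continue }
        if ($cloud.OnPremisesImmutableId -ne $expected) {
            Write-Warning "$($u.SamAccountName): ImmutableID $($cloud.OnPremisesImmutableId) != sourceAnchor $expected"
        }
    }
}
```

Run it once without -Apply to see the -WhatIf output and the mail/proxyAddresses warnings, fix those attributes, then run with -Apply. The ImmutableID check in step 5 is the one that matters for sign-in continuity: a user whose cloud object carries a different ImmutableID than the on-premises sourceAnchor will be soft-matched or duplicated on the next sync rather than updated.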
MathieuVandenHautte, thanks for your swift response!
I haven't configured the sync schedules yet. The connector is yet to be set up, hence the questions before touching that space.
My concerns are more about the impact of the UPN change. As these users use @company.com.nz (not @company.com) to log in to their local devices and applications, what implications will this UPN change have on them, and what is the best workaround to address it?
Thanks again
Kev
- LainRobertson, Nov 10, 2023, Silver Contributor
Hi, Kev.
There are multiple pathways for dealing with this kind of scenario, depending on the outcome you're trying to achieve.
Some quick questions though:
- Do you currently host mail on-premises, and if so, do people's e-mail addresses also use a suffix of company.com.nz?
- Which authentication model are you looking to use in your final state?
- In the final state, will your clients be hybrid joined or Azure-native?
Authentication methods
Cheers,
Lain
- MathieuVandenHautte, Nov 10, 2023, Steel Contributor
Hi Kev,
Users will still be able to log in. The SAM account name (domain\user) does not change when you update the UPN.
I’ve done this on many environments and never had an issue.