Forum Discussion
Aluca12
May 07, 2019 Copper Contributor
AAD Connect sync local mail attribute as cloud UPN
Hi Everyone, during installation of Azure AD Connect and syncing on-premises user accounts into my cloud tenant and matching these with already existing cloud-only accounts, I ran into the problem t...
VasilMichev
May 07, 2019 MVP
Why is that a problem, it's the expected behavior. If you want to customize this behavior, you have to play with the default sync rules.
Here's the logic used by the rules:
IIF(IsPresent([userPrincipalName]),[userPrincipalName], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))
In other words, if the UPN value is populated, it will use that. If the UPN value is not populated, the SamAccountName attribute is used, combined with the @ sign and the domain name.
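As an added example (not code from the thread or from Azure AD Connect itself), the same IIF logic re-created in PowerShell so you can preview, before a sync runs, which cloud UPN each on-premises user would receive and whether it matches the mail address an existing cloud-only account uses. Get-ExpectedCloudUpn, the sample users, the domain corp.local and the verified-domain list are constructed for illustration; against a real forest you would feed it the output of Get-ADUser instead.

```powershell
# Added example, not code from Azure AD Connect or from the thread: it re-creates
# the default inbound rule's UPN expression in PowerShell so you can preview what
# each on-premises user would get as a cloud UPN before running a sync.
# Get-ExpectedCloudUpn, the sample users and the verified-domain list are
# constructed for illustration.

function Get-ExpectedCloudUpn {
    param(
        [Parameter(Mandatory)] $User,                  # needs userPrincipalName and sAMAccountName
        [Parameter(Mandatory)] [string] $DomainFqdn    # stands in for %Domain.FQDN% in the rule
    )
    # IIF(IsPresent([userPrincipalName]), [userPrincipalName], ...)
    if (-not [string]::IsNullOrEmpty($User.userPrincipalName)) {
        return $User.userPrincipalName
    }
    # IIF(IsPresent([sAMAccountName]), [sAMAccountName] & "@" & %Domain.FQDN%, Error(...))
    if (-not [string]::IsNullOrEmpty($User.sAMAccountName)) {
        return ('{0}@{1}' -f $User.sAMAccountName, $DomainFqdn)
    }
    throw 'AccountName is not present'
}

# Domains verified in the tenant (constructed list). Azure AD replaces a UPN suffix
# that is not verified with the tenant's .onmicrosoft.com suffix, which is one
# common reason a synced UPN ends up different from an existing cloud-only account.
$verifiedDomains = @('contoso.com')

# Constructed sample users. Against a real forest use:
#   Get-ADUser -Filter * -Properties userPrincipalName, sAMAccountName, mail
$users = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';   userPrincipalName = 'jdoe@corp.local';   mail = 'john.doe@contoso.com' }
    [pscustomobject]@{ sAMAccountName = 'asmith'; userPrincipalName = $null;               mail = 'anna.smith@contoso.com' }
    [pscustomobject]@{ sAMAccountName = 'svc01';  userPrincipalName = 'svc01@contoso.com'; mail = $null }
)

$users | ForEach-Object {
    $expected = Get-ExpectedCloudUpn -User $_ -DomainFqdn 'corp.local'
    $suffix   = $expected.Split('@')[-1]
    [pscustomobject]@{
        sAMAccountName   = $_.sAMAccountName
        ExpectedCloudUpn = $expected
        SuffixVerified   = ($verifiedDomains -contains $suffix)
        Mail             = $_.mail
        # $false here is the mismatch the thread is about: the synced UPN will not
        # equal the address the existing cloud-only account signs in with.
        UpnMatchesMail   = ($expected -eq $_.mail)
    }
} | Format-Table -AutoSize
```

Rows with SuffixVerified = $false or UpnMatchesMail = $false are the accounts that will not line up with their cloud-only counterparts under the default rule, which is worth knowing before deciding whether to touch the sync rules at all.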
Aluca12
May 07, 2019 Copper Contributor
Hi Vasil, well, it's a problem because it's annoying to work around at the moment.
If there is an easy way to accomplish my goal without much effort, then I'll be happy, but currently I haven't found anything useful.
As I'm not familiar with these rules I haven't touched them yet.
If I understand you correctly I just need to change in your string the "userPrincipalName" to "mail" at the correct place?
- VasilMichev May 08, 2019 MVP
Well, for one, "mail" is not the same as the primary SMTP address, and we don't really have a primarySMTPaddress attribute. And, modifying the default rules is not recommended, so you should create a separate one with lower priority: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration
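As an added example (not the thread author's rule and not a Microsoft sample), here is the separate inbound rule Vasil describes, written in the shape the Synchronization Rules Editor exports so it can be run from the ADSync module on the Azure AD Connect server. Two things to get right: in Azure AD Connect the rule with the lower precedence number wins, and the out-of-box rules start at 100, so a custom rule needs a number below that; and the rule should be scoped to users that actually have a mail value, otherwise users without one would get an empty UPN instead of the default rule's result. The rule name, precedence 50 and the connector name corp.local are assumptions; the GUIDs are generated or read at run time. One caveat before flowing mail into the sign-in name: in many organisations mail is writable by Exchange administrators or help-desk roles that cannot change userPrincipalName, so this flow lets anyone who can edit mail change which address a user signs in with. Keep mail unique and restricted to verified domains and review who can write it.

```powershell
# Added example (not from the thread or Microsoft's docs): a custom inbound rule
# that flows the AD mail attribute into the cloud userPrincipalName, in the same
# shape the Synchronization Rules Editor exports. Run on the Azure AD Connect server.
# Assumptions: the AD DS connector is named 'corp.local', precedence 50 is free,
# and the rule name is our own choice.

Import-Module ADSync

$connector = Get-ADSyncConnector -Name 'corp.local'   # your AD DS connector name
$ruleId    = [guid]::NewGuid().ToString()

New-ADSyncRule `
    -Name 'In from AD - User UPN from mail' `
    -Identifier $ruleId `
    -Description 'Flow mail into userPrincipalName; lower number than the default rules so it wins' `
    -Direction 'Inbound' `
    -Precedence 50 `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule

# Direct flow: metaverse userPrincipalName <- AD mail
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @('mail') `
    -Destination 'userPrincipalName' `
    -FlowType 'Direct' `
    -ValueMergeType 'Update' `
    -OutVariable syncRule

# Scope the rule to users that actually have a mail value; everyone else keeps
# the UPN computed by the default rule instead of getting an empty one.
New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'mail', '', 'ISNOTNULL' `
    -OutVariable condition0

Add-ADSyncScopeConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition0[0]) `
    -OutVariable syncRule

Add-ADSyncRule -SynchronizationRule $syncRule[0]

# Check that the new rule sorts ahead of the default ones, then run a full sync
# so the new flow is applied to every object.
Get-ADSyncRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.TargetObjectType -eq 'person' } |
    Sort-Object Precedence | Select-Object Precedence, Name
Start-ADSyncSyncCycle -PolicyType Initial
```

Test the rule with a preview on a single object in Synchronization Service Manager before the full sync; a UPN change on an already matched account is a sign-in change for that user, which is exactly the effect the next post in the thread runs into.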
- Aluca12 May 08, 2019 Copper Contributor
Thanks for the link, I added a new inbound rule which sets the UPN to mail (the mail attribute in AD is set to the primary SMTP address, similar to the cloud accounts), but another issue occurred.
Now test users are syncing fine and with the wanted UPN to the cloud tenant, but login isn't working anymore to any cloud resource. After investigation I found out that now the cloud UPN is used for authentication via password pass-through on the on-premises AD. This works as expected of course, but the on-premises AD doesn't recognize the mail UPN as a viable user login.
I'm not sure what I need to do so that the cloud UPN is transformed back to the AD UPN during login data checking (if this is possible anyway, I'm not really sure how the login data is processed step by step in the AAD Connect agent), or if I need to set the mail attribute as UPN during AAD Connect installation?
I tried this before but I got errors saying duplicate attributes were populated and so users were not synced.
- VasilMichev May 08, 2019 MVP
Seems to me like you need something like Alternate ID: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname#alternate-login-id
It's supported with either AD FS or PTA, however in both cases there are requirements on the clients/known issues, a list of which you can find here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id#applications-and-user-experience-after-the-additional-configuration
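As an added example (not from the thread or the linked docs), the AD FS side of the Alternate Login ID configuration Vasil points to, preceded by the check that matters most for it: AD FS (and the PTA agents) resolve the user by the alternate attribute, so every mail value must be unique within each lookup forest or the logon fails or becomes ambiguous, and it is the same duplicate condition that stops Azure AD Connect from syncing an object. The forest name corp.local, the function name and the choice of mail are assumptions. For PTA the alternate attribute is selected in the Azure AD Connect wizard rather than by cmdlet, so only the uniqueness check applies there.

```powershell
# Added example (not from the thread or the linked docs). Before switching the
# sign-in lookup to mail, make sure every value is unique in each lookup forest:
# AD FS / PTA resolve the user by that attribute, and a duplicate means a failed
# or ambiguous logon. Forest name and attribute are assumptions. Needs the
# ActiveDirectory module; the AD FS part needs the ADFS module on an AD FS server.

Import-Module ActiveDirectory

function Find-DuplicateAlternateId {
    param(
        [Parameter(Mandatory)] [string[]] $LookupForests,
        [string] $Attribute = 'mail'
    )
    foreach ($forest in $LookupForests) {
        Get-ADUser -Server $forest -Filter "$Attribute -like '*'" -Properties $Attribute |
            Group-Object -Property $Attribute |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    Forest   = $forest
                    Value    = $_.Name
                    Accounts = ($_.Group.SamAccountName -join ', ')
                }
            }
    }
}

$forests    = @('corp.local')
$duplicates = Find-DuplicateAlternateId -LookupForests $forests -Attribute 'mail'
if ($duplicates) {
    $duplicates | Format-Table -AutoSize
    throw 'Fix duplicate mail values before enabling Alternate Login ID.'
}

# AD FS only: tell the Active Directory claims provider to look users up by mail
# in the listed forests. Users then sign in with the mail value (the new cloud UPN)
# while the on-premises userPrincipalName stays as it is.
Import-Module ADFS
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
    -AlternateLoginID mail -LookupForests $forests

# Verify what AD FS now uses for the lookup.
Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
    Select-Object Name, AlternateLoginID, LookupForests
```

Run the duplicate check again whenever mail values are bulk-edited; a later collision breaks sign-in for both accounts involved, not just the one that was changed.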