Forum Discussion
AAD Connect sync local mail attribute as cloud UPN
Hi Vasil, well, it's a problem because it's annoying to work around atm.
If there is an easy way to accomplish my goal without much effort, then I'll be happy, but currently I haven't found anything useful.
As I'm not familiar with these rules I haven't touched them yet.
If I understand you correctly I just need to change in your string the "userPrincipalName" to "mail" at the correct place?
Well, for one, "mail" is not the same as the primary SMTP address, and we don't really have a primarySMTPaddress attribute. And, modifying the default rules is not recommended, so you should create a separate one with lower priority: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration
- Aluca12, May 08, 2019, Copper Contributor
Thanks for the link, I added a new inbound rule which sets the UPN to mail (the mail attribute in AD is set to the primary SMTP address, similar to the cloud accounts), but another issue occurred.
Now test users are syncing fine and with the wanted UPN to the cloud tenant, but login isn't working anymore to any cloud resource. After investigation I found out that now the cloud UPN is used for authentication via password pass-through on the on-premises AD. This works as expected of course, but the on-premises AD doesn't recognize the mail UPN as a viable user login.
I'm not sure what I need to do so that the cloud UPN is transformed back to the AD UPN while the login data is checked (if this is possible anyway; I'm not really sure how the login data is processed step by step in the AAD Connect agent), or if I need to set the mail attribute as UPN during AAD Connect installation?
I tried this before but I got errors saying duplicate attributes were populated and so users were not synced.
- VasilMichev, May 08, 2019, MVP
Seems to me like you need something like Alternate ID: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname#alternate-login-id
It's supported with either AD FS or PTA, however in both cases there are requirements on the clients/known issues, a list of which you can find here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id#applications-and-user-experience-after-the-additional-configuration
- Aluca12, May 15, 2019, Copper Contributor
Hi,
After several days of testing with different configurations I got this to work by configuring mail as UserPrincipalName in the AD Connect wizard and manually creating the ImmutableId of our AD users and adding this ID to their corresponding cloud accounts.
After this procedure our AD users are hard matched to their cloud identities with their mail as primary mail and cloud UPN :)
This issue should be solved now.
Kind Regards
Julian
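The hard-match step in the last post (derive each AD user's ImmutableId and attach it to the cloud account whose UPN equals the AD mail attribute) is easy to get wrong, and the earlier post shows the failure mode: non-unique mail values stop users from syncing. The following Python is an added example written for this thread; it is not code from the poster or from Microsoft. It uses the documented default encoding of the sourceAnchor (base64 of the objectGUID in .NET Guid.ToByteArray() byte order) and a pre-flight check that flags the cases a practitioner should resolve before touching the tenant: missing mail, duplicate mail, no matching cloud account, and a cloud account already anchored to a different ImmutableId. The user records, GUIDs, addresses and the function names are constructed for illustration.

```python
import base64
import uuid
from collections import Counter

# Constructed sample data, not real directory content. On-premises users carry
# objectGUID and mail; cloud accounts are keyed by UPN and carry any ImmutableId
# that is already set.
AD_USERS = [
    {"sam": "jdoe", "objectGUID": "12345678-1234-5678-1234-567812345678",
     "mail": "john.doe@example.com"},
    {"sam": "asmith", "objectGUID": "00000000-0000-0000-0000-000000000000",
     "mail": "anna.smith@example.com"},
    {"sam": "svc1", "objectGUID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
     "mail": None},
    {"sam": "bdup1", "objectGUID": "11111111-2222-3333-4444-555555555555",
     "mail": "shared@example.com"},
    {"sam": "bdup2", "objectGUID": "66666666-7777-8888-9999-000000000000",
     "mail": "shared@example.com"},
    {"sam": "nocloud", "objectGUID": "0f0f0f0f-1e1e-2d2d-3c3c-4b4b4b4b4b4b",
     "mail": "ghost@example.com"},
]
CLOUD_USERS = {
    "john.doe@example.com": {"ImmutableId": None},
    # Already anchored to a different on-premises object (here, jdoe's GUID).
    "anna.smith@example.com": {"ImmutableId": "eFY0EjQSeFYSNFZ4EjRWeA=="},
    "shared@example.com": {"ImmutableId": None},
}


def immutable_id_from_object_guid(guid_text: str) -> str:
    """Default sourceAnchor encoding: base64 of the GUID bytes in the order
    .NET Guid.ToByteArray() produces (first three fields little-endian)."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse of the above, useful when auditing which AD object a cloud
    account is anchored to."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableId does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def plan_hard_match(ad_users, cloud_users):
    """Return {'set': {upn: immutable_id}, 'problems': [(sam, reason), ...]}.
    Only users whose mail is present, unique in AD, matches a cloud UPN and
    does not conflict with an existing anchor are scheduled for update."""
    mail_counts = Counter(u["mail"].lower() for u in ad_users if u["mail"])
    to_set, problems = {}, []
    for u in ad_users:
        mail = (u["mail"] or "").lower()
        if not mail:
            problems.append((u["sam"], "no mail attribute; cannot derive a UPN"))
            continue
        if mail_counts[mail] > 1:
            # This is the 'duplicate attributes' case that blocked syncing.
            problems.append((u["sam"], f"mail {mail} is not unique in AD"))
            continue
        cloud = cloud_users.get(mail)
        if cloud is None:
            problems.append((u["sam"], f"no cloud account with UPN {mail}"))
            continue
        wanted = immutable_id_from_object_guid(u["objectGUID"])
        existing = cloud.get("ImmutableId")
        if existing and existing != wanted:
            problems.append((u["sam"], f"{mail} already anchored to {existing}"))
            continue
        if existing != wanted:
            to_set[mail] = wanted
    return {"set": to_set, "problems": problems}


if __name__ == "__main__":
    plan = plan_hard_match(AD_USERS, CLOUD_USERS)
    for upn, iid in plan["set"].items():
        print(f"set ImmutableId {iid} on {upn}")
    for sam, reason in plan["problems"]:
        print(f"skip {sam}: {reason}")
```

The values in `plan["set"]` are what you would then apply to the cloud accounts (for example with `Set-MsolUser -ImmutableId` in the MSOnline module); running the plan first, rather than writing anchors directly, surfaces the duplicate-mail and already-anchored conflicts that otherwise appear only as sync errors after the fact.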