Forum Discussion

chrisgleason78
Copper Contributor
Jun 19, 2025

Subject: Best Practices for Aligning UPNs in Hybrid Entra ID + Intune Environment

Hello,

I’m seeking guidance on best practices for aligning user identities in a hybrid Microsoft 365 environment, particularly regarding UPN consistency and device enrollment into Intune.

Environment Overview:

Client is using a hybrid Azure AD join setup via Entra ID Connect (formerly Azure AD Connect).
Devices are domain-joined and enrolled into Microsoft Intune via Group Policy (GPO).
Entra ID Connect sync is active with write-back where appropriate.
On-premises UPN format: username@domain.local (or .xxx)
Entra ID / M365 UPN format: email address removed for privacy reasons (e.g., routable custom domain)

Issue:

Devices are intermittently failing to enroll into Intune or are not showing up as compliant/joined.
Manually updating the on-premises UPN to match the Entra ID UPN (email address removed for privacy reasons) seems to resolve the issue, but this is not yet standardized across the org.
It's unclear whether this mismatch is breaking hybrid join and/or interfering with automatic MDM enrollment via GPO.

Questions:

What is Microsoft’s current best practice regarding UPN alignment between on-prem AD and Entra ID in a hybrid environment?
Is it mandatory or strongly recommended to match the on-prem UPN to the Entra UPN (especially when using automatic Intune enrollment)?
Could this mismatch be contributing to MDM enrollment issues, and if so, what is the correct process to fix it in bulk?
Are there any known caveats or dependencies when changing the UPN on-prem (e.g., impact on Outlook profiles, cached credentials, etc.)?
Is there a supported or recommended PowerShell method to audit and align UPNs safely?

Goal:
We're aiming for consistent, reliable hybrid Entra join with automatic Intune enrollment and minimal end-user disruption. Any insight or guidance is appreciated, especially if there’s documentation or field experience to support it.

2 Replies

  • ike002
    Copper Contributor

    In a Hybrid Azure AD environment, when logging into the on-premises AD, the login user's UPN is used to attempt to obtain the Azure AD PRT.

    Therefore, if the UPN does not match, the PRT acquisition fails, and the Intune registration using the PRT also fails.
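    A device-side check for what ike002 describes, added here as an example and not part of the reply: run in the signed-in user's own session on a hybrid-joined device, it parses `dsregcmd /status`, compares the logon UPN reported by `whoami /upn` with the UPN the account has in Entra ID (passed in by the caller, since the script does not query the tenant), and lists recent errors from the device-registration and MDM-enrollment event logs. The UPN in the usage line is a placeholder.

```powershell
# Added example (not from the thread). Uses only built-in Windows tools:
# dsregcmd.exe, whoami.exe and Get-WinEvent. Run as the signed-in, non-elevated
# user, because the PRT and the logon UPN belong to that user's session.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') {
            $status[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $status
}

function Get-RecentRegistrationErrors {
    # Errors and warnings (Level 2/3) from the logs that record hybrid join and MDM enrollment.
    $logs = @(
        'Microsoft-Windows-User Device Registration/Admin',
        'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    )
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3 } -MaxEvents 10 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

function Test-HybridJoinPrt {
    param(
        # The user's UPN in Entra ID (assumption: supplied by the admin, e.g. copied from the Entra portal)
        [Parameter(Mandatory)][string]$ExpectedUpn
    )
    $s = Get-DsregStatus
    # whoami /upn prints the UPN of the logon session and errors out if the account has none.
    $logonUpn = (& whoami.exe /upn 2>$null | Out-String).Trim()

    $result = [pscustomobject]@{
        DomainJoined  = $s['DomainJoined']
        AzureAdJoined = $s['AzureAdJoined']
        AzureAdPrt    = $s['AzureAdPrt']
        PrtUpdateTime = $s['AzureAdPrtUpdateTime']
        LogonUpn      = $logonUpn
        ExpectedUpn   = $ExpectedUpn
        UpnMatches    = ($logonUpn -ieq $ExpectedUpn)
    }

    if ($result.AzureAdJoined -ne 'YES') {
        Write-Warning 'Device is not hybrid joined; fix the join before looking at the PRT or MDM enrollment.'
    }
    elseif ($result.AzureAdPrt -ne 'YES') {
        if ($result.UpnMatches) {
            Write-Warning 'No PRT in this session although the UPNs match; look at connectivity and authentication, not the UPN.'
        }
        else {
            Write-Warning "No PRT in this session: logon UPN '$logonUpn' differs from Entra UPN '$ExpectedUpn'; align the on-prem UPN first."
        }
    }
    return $result
}

# Usage (the UPN is a placeholder):
Test-HybridJoinPrt -ExpectedUpn 'jdoe@contoso.com' | Format-List
Get-RecentRegistrationErrors | Format-Table -AutoSize
```

    Reading the output: `AzureAdJoined : YES` with `AzureAdPrt : NO` and `UpnMatches : False` is the pattern the reply above describes; `AzureAdPrt : YES` with a failed enrollment points away from the UPN and toward the enrollment log entries the second function prints.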

  • Yasemin
    Brass Contributor

    chrisgleason78 I think you're on the right track for the UPNs having to match. I have never experienced any issues with changing the UPN on-prem to match the UPN in Entra ID, but if you're worried, I suggest going through the process with a test user, or maybe even a group of tech-savvy users who can report any issues back to you.

    A PowerShell script can help with bulk changing the UPN; I recommend getting a report, maybe a CSV export first, to get an overview. Also, if changing the UPN causes any issues, you can simply change it back again with this export.

    The device enrollment issues, though, I can't say. If, for example, some users with mismatched UPNs are not experiencing any issues and some are, this might not be the cause. Maybe something related to network connectivity / firewall, or rather licensing, especially Intune license assignments. But for troubleshooting such a specific GPO enrollment issue, I would try to reproduce the issue and use the Event Viewer, which is also outlined here: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-enrollment/troubleshoot-windows-auto-enrollment
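
The export, bulk change and rollback sequence Yasemin describes, as an added PowerShell example that is not part of the reply. It assumes the ActiveDirectory RSAT module, that each user's target UPN equals the `mail` attribute (the routable address the original post says Entra ID already uses), and that the routable suffix has been registered on the forest; the OU and file paths in the usage lines are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). Assumptions: the desired UPN for each user is
# the value of the 'mail' attribute, and its suffix is a registered forest UPN suffix.

function Export-UpnAudit {
    param(
        [Parameter(Mandatory)][string]$SearchBase,  # OU to audit, e.g. 'OU=Staff,DC=corp,DC=local'
        [Parameter(Mandatory)][string]$Path         # CSV report; doubles as the rollback record
    )
    $forest = Get-ADForest
    # Domain DNS names are always valid suffixes; anything else must be in the forest UPNSuffixes list.
    $validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)

    $rows = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties mail, UserPrincipalName |
        ForEach-Object {
            $target = $_.mail
            $suffix = if ($target) { $target.Split('@')[-1] } else { '' }
            $status = if (-not $target)                              { 'NoMailAttribute' }
                      elseif ($target -ieq $_.UserPrincipalName)     { 'AlreadyAligned' }
                      elseif ($validSuffixes -notcontains $suffix)   { 'SuffixNotRegistered' }
                      else                                           { 'NeedsChange' }
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                OldUPN            = $_.UserPrincipalName
                NewUPN            = $target
                Status            = $status
            }
        }

    # A UPN must be unique; flag any target that more than one audited user would receive.
    $dupes = $rows | Where-Object Status -eq 'NeedsChange' | Group-Object NewUPN | Where-Object Count -gt 1
    foreach ($d in $dupes) {
        $rows | Where-Object { $_.NewUPN -ieq $d.Name } | ForEach-Object { $_.Status = 'DuplicateTarget' }
    }

    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    $rows | Group-Object Status | Select-Object Name, Count   # console summary
}

function Set-UpnFromAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,   # CSV produced by Export-UpnAudit
        [switch]$Rollback                      # write OldUPN back instead of NewUPN
    )
    foreach ($row in (Import-Csv -Path $Path | Where-Object Status -eq 'NeedsChange')) {
        if ($Rollback) { $from = $row.NewUPN; $to = $row.OldUPN }
        else           { $from = $row.OldUPN; $to = $row.NewUPN }
        if ($PSCmdlet.ShouldProcess($row.SamAccountName, "UPN $from -> $to")) {
            Set-ADUser -Identity $row.DistinguishedName -UserPrincipalName $to
        }
    }
}

# Usage (OU and paths are placeholders):
Export-UpnAudit -SearchBase 'OU=Pilot,DC=corp,DC=local' -Path 'C:\Temp\upn-audit.csv'
Set-UpnFromAudit -Path 'C:\Temp\upn-audit.csv' -WhatIf      # preview; nothing changes
Set-UpnFromAudit -Path 'C:\Temp\upn-audit.csv'              # apply
# Set-UpnFromAudit -Path 'C:\Temp\upn-audit.csv' -Rollback  # revert using the same CSV
```

Only rows marked `NeedsChange` are touched; `SuffixNotRegistered`, `NoMailAttribute` and `DuplicateTarget` rows are left in the CSV for review rather than changed. After applying, the change reaches Entra ID only on the next Entra Connect sync cycle (`Start-ADSyncSyncCycle -PolicyType Delta` on the Connect server forces one), so wait for that before re-testing a device.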
