May 07 2019
07:59 AM
- last edited on
Jan 14 2022
04:39 PM
by
TechCommunityAP
Hi Everyone,
during installation of Azure AD Connect and syncing on-premise user accounts into my cloud tenant and matching these with already existing cloud-only accounts, I ran into the problem that the on-premise UPN (custom built from name and surname) is set as cloud UPN and not the proxy/mail address of my test accounts.
I simply want AAD Connect to set the mail or proxyaddress (SMTP:...) attribute as UPN for the matched cloud accounts, which already have their mail address as UPN, but after synchronization these correct UPNs are gone.
The cloud domain is set up as UPN suffix on-premise and the domain is verified in the tenant.
Is there any configuration I can change or adjust, e.g. in the rules editor of AAD Connect or somewhere else, which solves my problem?
I know that I can set the UPN via PowerShell to the correct one after sync, but this can't be the best way to do it.
Thanks in advance!
Julian
May 07 2019 09:39 AM
Why is that a problem? It's the expected behavior. If you want to customize this behavior, you have to play with the default sync rules.
Here's the logic used by the rules:
IIF(IsPresent([userPrincipalName]),[userPrincipalName], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))
In other words, if the UPN value is populated, it will use that. If the UPN value is not populated, the SamAccountName attribute is used, combined with the @ sign and the domain name.
May 07 2019 10:55 AM
Hi Vasil, well, it's a problem because it's annoying to work around atm.
If there is an easy way to accomplish my goal without much effort, then I'll be happy, but currently I haven't found anything useful.
As I'm not familiar with these rules I haven't touched them yet.
If I understand you correctly, I just need to change "userPrincipalName" to "mail" at the correct place in your string?
May 07 2019 10:35 PM
Well, for one, "mail" is not the same as the primary SMTP address, and we don't really have a primarySMTPaddress attribute. And, modifying the default rules is not recommended, so you should create a separate one with lower priority: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-config...
May 08 2019 02:57 AM - edited May 08 2019 06:40 AM
Thanks for the link, I added a new inbound rule which sets the UPN to mail (the mail attribute in AD is set to the primary SMTP address, similar to the cloud accounts), but another issue occurred.
Now test users are syncing fine and with the wanted UPN to the cloud tenant, but login to any cloud resource isn't working anymore. After investigation I found out that now the cloud UPN is used for authentication via password pass-through on the on-premise AD. This works as expected of course, but the on-premise AD doesn't recognize the mail UPN as a viable user login.
I'm not sure what I need to do so that the cloud UPN is transformed back to the AD UPN during login data checking (if this is possible anyway, I'm not really sure how the login data is processed step by step in the AAD Connect agent), or if I need to set the mail attribute as UPN during AAD Connect installation?
I tried this before but I got errors saying duplicate attributes were populated and so users were not synced.
May 08 2019 09:08 AM
Seems to me like you need something like Alternate ID: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname#altern...
It's supported with either AD FS or PTA, however in both cases there are requirements on the clients/known issues, a list of which you can find here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-logi...
May 15 2019 06:34 AM
Hi,
after several days of testing with different configurations I got this to work by configuring mail as UserPrincipalName in the AD Connect wizard and manually creating the ImmutableId of our AD users and adding this ID to their corresponding cloud accounts.
After this procedure our AD users are hard matched to their cloud identities with their mail as primary mail and cloud UPN :)
This issue should be solved now.
Kind Regards
Julian
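The hard-match step from the last post (computing the ImmutableId from each AD user's objectGUID and stamping it on the matching cloud-only account), written out as an added example script that is not from the thread or from Microsoft. It assumes the ActiveDirectory and MSOnline modules, that Connect-MsolService has already run, a placeholder OU path, and, as in Julian's setup, that the on-premise mail attribute equals the cloud account's UPN.

```powershell
# Added example (not from the thread): hard-match on-prem AD users to existing cloud-only
# accounts by stamping the objectGUID-derived ImmutableId on the cloud account.
# Assumes ActiveDirectory + MSOnline modules are loaded and Connect-MsolService has run.
# Assumes, as in the final post, that the on-prem 'mail' attribute equals the cloud UPN.

function Get-ImmutableIdFromGuid {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # AAD Connect builds the default sourceAnchor as Base64 of Guid.ToByteArray(),
    # i.e. the mixed-endian byte layout, NOT Base64 of the textual GUID string.
    return [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-ImmutableIdShape {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Sanity check before writing: a valid anchor decodes to exactly 16 bytes.
    try { return ([Convert]::FromBase64String($ImmutableId)).Length -eq 16 }
    catch { return $false }
}

$DryRun     = $true                            # flip to $false to apply changes
$searchBase = 'OU=Users,DC=example,DC=local'   # placeholder OU, adjust to your forest

$adUsers = Get-ADUser -Filter 'mail -like "*"' -SearchBase $searchBase -Properties mail, objectGUID

foreach ($ad in $adUsers) {
    $anchor = Get-ImmutableIdFromGuid -ObjectGuid $ad.ObjectGUID
    if (-not (Test-ImmutableIdShape $anchor)) {
        Write-Warning "Bad anchor for $($ad.SamAccountName); skipping"; continue
    }
    $cloud = Get-MsolUser -UserPrincipalName $ad.mail -ErrorAction SilentlyContinue
    if (-not $cloud) {
        Write-Warning "No cloud account with UPN $($ad.mail) for $($ad.SamAccountName); skipping"
        continue
    }
    # Refuse to re-point an account already anchored to a different on-prem object:
    # overwriting an ImmutableId hands that cloud identity to another AD user.
    if ($cloud.ImmutableId -and $cloud.ImmutableId -ne $anchor) {
        Write-Warning "$($ad.mail) already anchored to $($cloud.ImmutableId); skipping"
        continue
    }
    if ($DryRun) {
        Write-Host "Would set ImmutableId $anchor on $($ad.mail)"
    } else {
        Set-MsolUser -UserPrincipalName $ad.mail -ImmutableId $anchor
        Write-Host "Set ImmutableId $anchor on $($ad.mail)"
    }
}
```

Run it with the sync scheduler paused (Set-ADSyncScheduler -SyncCycleEnabled $false) so a sync cycle cannot soft-match or create duplicates before every anchor is in place, then re-enable the scheduler and start a full sync.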