We make the User changes in on-prem AD via ADUC.

Then the article's steps are done in Azure AD.

Hi Cary,

If you are syncing to Azure AD your changes first must be on your AD.

This script could help you resolving your issue.

https://gallery.technet.microsoft.com/PowerShell-Script-to-Allow-6b251cb4

Sorry, but having to change a user's password is unacceptable.

Thanks, I'll give that one a look.

Well IF you are changing between federated/managed auth, it's mandatory.

Nope, it isn't mandatory.

Based on the other script given to me by @Nuno Silva here are the commands I ended up using that did NOT require reseting the user's password.

Set-MsolUserPrincipalName -UserPrincipalName User1@contoso.com -NewUserPrincipalName User1@tenantname.onmicrosoft.com

Set-MsolUserPrincipalName -UserPrincipalName User1@tenantname.onmicrosoft.com -NewUserPrincipalName User1@Fabrikam.com

That support article definitely needs some updating.

I modified the script that you showed me and fortunately it didn't require a password change.

Connect-MSOLService
Set-MsolUserPrincipalName -UserPrincipalName User@contoso.com -NewUserPrincipalName User@tenant.onmicrosoft.com
Set-MsolUserPrincipalName -UserPrincipalName User@tenant.onmicrosoft.com -NewUserPrincipalName User@fabrikam.com

That support article definitely needs updating!

I've attempted to reply to this thread twice already but neither has shown up.

Want to thank you for the link as I modified their script and it worked.

And no @Vasil Michev, it did not require a password change for it to work. It just required running the proper PowerShell script which the Support document obviously doesn't have.

Great news Cary !

I ran into the same issue and this exchange helped me, but I'd like to add that to me the big difference between the MSOL cmdlets and the Azure AD (new) cmdlets is that the MSOL cmdlet will generate a password for your profile when running it and the AzureAD cmdlets do not. 

In order to fix this issue you first have to change your UPN to match the default domain - for example @tenant.microsoft.com which is a MS domain and since that domain is not a federated one, the user account needs a password.

When setting the UPN to match the default domain using the MSOL cmdlets, I didn't get an error about password profile being empty which was great. The cmdlet worked, however, it returned a random 8 character alphanumeric word each time I executed it when the default domain (@tenant.microsoft.com) was part of the UPN.  This leads me to believe the cmdlet is generating a password and setting it as part of its process for setting the UPN when no password exists in the profile and getting around the error that the Set-AzureADUser cmdlet throws when no password is set in the profile.

When you run the cmdlet the 2nd time and set it to the federated domain name (its a 2 step process to fix this issue), the random alphanumeric 8 character word is not generated which makes sense as the domain the UPN is using is now a federated one and the user will authenticate against your on-premise ADFS instance not against an Azure owned domain (aka default domain).

Thanks, but I ran the script on two test users to change their UPNs, and at no time did I or the scripts change their passwords. It finished successfully both times.

Maybe that isn't how it is supposed to work, but that is how it worked for us.

The command finished successfully for me as well, but whenever I changed the UPN to the default domain (Microsoft's domain) using the MSOL cmdlet it would return at 8 character alphanumber upon completion, but only when I chose Microsoft's domain as the one for the UPN and not my federated one.  

Are you saying if you change your user from the federated domain to the Microsoft default domain that the cmdlet does not return that for you?

Example:

Set-MsolUserPrincipalName -UserPrincipalName justin@mydomain.net -NewUserPrincipalName justin@tenant.microsoft.com

Then I'd see something like the below output to my shell

Bota2317

I'm using powershell verion 5.1 on Windows 10 to run the cmdlet.