cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AAD Connect sync local mail attribut as cloud UPN

Aluca12
Copper Contributor

‎May 07 2019 07:59 AM - last edited on ‎Jan 14 2022 04:39 PM by

‎May 07 2019 07:59 AM - last edited on ‎Jan 14 2022 04:39 PM by

AAD Connect sync local mail attribut as cloud UPN

Hi Everyone,

during installation of Azure AD Connect and synching on-premise user accounts into my cloud tenant and matching these with already existing cloud only accounts, I run into the problem that the on-premise UPN(custom built from name and surname) is set as cloud UPN and not the proxy/mailaddress of my testaccounts.

I simply want that AAD Connect sets the mail or proxyaddress(SMTP:...) attribut as UPN for the matched cloud accounts, which already have their mail address as UPN but after synchronization these correct UPNs are gone.

The cloud domain is set up as upn suffix on-premise and the domain is verified in the tenant.

 

Is there any configuration I can change or adjust e.g. in the rules editor of AAD Connect or somewhere else which solves my problem?

 

I know that I can set the UPN via powershell to the correct one after sync but this can't be the best way to do it.

 

Thanks in advance!

Julian

23.1K Views
0 Likes
7 Replies
Reply
7 Replies
Vasil Michev

‎May 07 2019 09:39 AM

‎May 07 2019 09:39 AM

Re: AAD Connect sync local mail attribut as cloud UPN

Why is that a problem, it's the expected behavior. If you want to customize this behavior, you have to play with the default sync rules.

 

Here's the logic used by the rules:

 

IIF(IsPresent([userPrincipalName]),[userPrincipalName], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))

In other words, if the UPN value is populated, it will use that. If the UPN value is not populated, the SamAccountName attribute is used, combined with the @ sign and the domain name.

0 Likes
Reply
Aluca12

‎May 07 2019 10:55 AM

‎May 07 2019 10:55 AM

Re: AAD Connect sync local mail attribut as cloud UPN

@Vasil Michev 

Hi Vasil, well, it's a problem because it's annoying to work around atm.

If there is a easy way to accomplish my goal without much effort, then I'll be happy but currently I haven't found anything useful.

As I'm not familiar with these rules I haven't touched them yet.

If I understand you correctly I just need to change in your string the "userPrincipalName" to "mail" at the correct place?

 

0 Likes
Reply
Vasil Michev

‎May 07 2019 10:35 PM

‎May 07 2019 10:35 PM

Re: AAD Connect sync local mail attribut as cloud UPN

Well, for one, "mail" is not the same as the primary SMTP address, and we don't really have a primarySMTPaddress attribute. And, modifying the default rules is not recommended, so you should create a separate one with lower priority: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-config...

0 Likes
Reply
Aluca12

‎May 08 2019 02:57 AM - edited ‎May 08 2019 06:40 AM

‎May 08 2019 02:57 AM - edited ‎May 08 2019 06:40 AM

Re: AAD Connect sync local mail attribut as cloud UPN

Thanks for the link, I added a new inbound rule which sets the UPN to mail(the mail attribut in AD is set to the primarySMTP address similar to the cloud accounts) but another issue occured.

Now test users are syncing fine and with the wanted UPN to the cloud tenant but login isn't working anymore to any cloud ressource. After investigation I found out that now the cloud UPN is used for authentication via password passthrough on the on-premise AD. This works as expected of course but the on-premise AD doesn't recognize the mail UPN as viable user login.

I'm not sure what I need to do that the cloud UPN is transformed back to the AD UPN while login data checking(if this is possible anyways, I'm not really sure how the login data is processed step for step in the AAD Connect agent) or if I need to set the mail attribut as UPN during AAD Connect installation?
I tried this before but I got errors saying duplicate attributes were populated and so users were not synced.

0 Likes
Reply
Vasil Michev

‎May 08 2019 09:08 AM

‎May 08 2019 09:08 AM

Re: AAD Connect sync local mail attribut as cloud UPN

Seems to me like you need something like Alternate ID: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname#altern...

 

It's supported with either AD FS or PTA, however in both cases there are requirements on the clients/known issues, a list of which you can find here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-logi...

0 Likes
Reply
Aluca12

‎May 15 2019 06:34 AM

‎May 15 2019 06:34 AM

Re: AAD Connect sync local mail attribut as cloud UPN

Hi,

after several days of testings with different configurations I get this to work with configuring mail as UserPrincipalName in the AD connect wizard and manually creating the Immutableid of our AD users and adding this ID to their corresponding cloud accounts.

After this procedure our AD users are hard matched to their cloud identities with their mail as primary mail and cloud UPN :)

 

This issue should be solved now.

 

Kind Regards

Julian

 

0 Likes
Reply
Jimmy Salian

‎Mar 19 2022 07:36 AM

‎Mar 19 2022 07:36 AM

Re: AAD Connect sync local mail attribut as cloud UPN

Hi Julian,

I have similar requirement to use PrimarySMTP address of the users to use that as a UPN and sync it to Azure Tenant, can you please share detailed configuration ? Thanks Jim
0 Likes
Reply