11-27-2018 12:24 PM
I have the following situation. Our company has a local AD forest. We have an Office 365 tenant with a couple of subscriptions. Our current UPN is something like firstname.lastname@example.org. This old domain is not owned by us. Our sAMAccountName is localdomain\username. Users use the UPN to authenticate with the local AD.
We need to sync our users to Azure AD. The issue is that we will not be able to use our current UPN, as we do not own that domain. We will also not be able to use the email address, as the email address domain is registered with our parent company and it won't be possible to get the domain into Azure. We also cannot change the UPN or add a new UPN suffix due to stringent policies.
So we have purchased a new domain and verified it with Office 365, say newroutabledomain.com. Now we want all users from our local AD to be synced to Azure AD using the UPN email@example.com. In order to do this, we are thinking of populating an attribute in the local AD with the value firstname.lastname@example.org and using it as an AlternateID with the AD Connect tool. Please answer my following questions.
1) Can I populate an attribute in the local AD with the value email@example.com and use that attribute as the AlternateID?
2) What is the recommended attribute in AD that could be used to hold the firstname.lastname@example.org values and thus be used as the AlternateID?
3) Is it possible to use an AlternateID without implementing AD FS?
Thanks in advance
11-27-2018 11:36 PM
1) Yes, that's the whole idea behind AlternateID
2) "mail" is the recommended attribute
3) Yes, Pass-through Authentication also supports AlternateID; AD FS is not a hard requirement. Password Hash Sync also supports it.
11-27-2018 11:50 PM (Solution)
I think you have all the elements you need in place. You can use any attribute as the UPN, so the configuration is very easy (see my blog at http://o365blog.com/post/non-routable-upn/).
So, when configuring AAD Connect, choose the attribute containing the "new UPN" for the UPN and you're done. Now your users can log in to Office 365 using their email@example.com and on-prem password (given that you are using password hash sync).
If you also need to use the "new UPN" as an email address, the easiest way is to populate it into the proxyAddresses attribute as SMTP:firstname.lastname@example.org.
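The two answers above describe the on-prem half of the job: pick an attribute, fill it with firstname.lastname@newroutabledomain.com for every user, optionally mirror it into proxyAddresses, and then select that attribute as the UPN source in the AAD Connect wizard. Here is an added PowerShell example of the attribute-population step (my own script, not code from either poster or from the linked blog). It assumes the ActiveDirectory module, the verified domain newroutabledomain.com from the question, a hypothetical OU in $SearchBase, and "mail" as the target attribute per the second answer; all three are adjustable at the top. It runs in dry-run mode until $DryRun is set to $false.

```powershell
# Added example: stage an AlternateID value in on-prem AD for AAD Connect.
# Not from the original thread. Assumed values are marked below.
Import-Module ActiveDirectory

$NewDomain       = 'newroutabledomain.com'                      # verified tenant domain (from the question)
$SearchBase      = 'OU=Users,OU=Corp,DC=localdomain,DC=local'   # assumption: where the synced users live
$TargetAttribute = 'mail'                                       # attribute the second answer recommends
$DryRun          = $true                                        # set to $false to actually write

# Build firstname.lastname@domain from GivenName/Surname: lower-case, ASCII letters and digits only.
function ConvertTo-LoginId {
    param([string]$GivenName, [string]$Surname, [string]$Domain)
    $clean = { param($s) (([string]$s).ToLowerInvariant() -replace '[^a-z0-9]', '') }
    $local = '{0}.{1}' -f (& $clean $GivenName), (& $clean $Surname)
    if ($local -eq '.' -or $local.StartsWith('.') -or $local.EndsWith('.')) { return $null }  # unusable name parts
    return "$local@$Domain"
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties GivenName, Surname, $TargetAttribute, proxyAddresses

# Pre-flight: compute every ID first and stop if two accounts would collide.
# AAD Connect needs the alternate ID to be unique across the forest, so fail before writing anything.
$planned = @{}
foreach ($u in $users) {
    $id = ConvertTo-LoginId -GivenName $u.GivenName -Surname $u.Surname -Domain $NewDomain
    if (-not $id) { Write-Warning "Skipping $($u.SamAccountName): GivenName/Surname missing"; continue }
    if ($planned.ContainsKey($id)) {
        throw "Collision: $id would be assigned to both $($planned[$id]) and $($u.SamAccountName)"
    }
    $planned[$id] = $u.SamAccountName
}

foreach ($u in $users) {
    $id = ConvertTo-LoginId -GivenName $u.GivenName -Surname $u.Surname -Domain $NewDomain
    if (-not $id) { continue }

    # Never silently overwrite a value that is already there (for example the parent company's address).
    $current = $u.$TargetAttribute
    if ($current -and $current -ne $id) {
        Write-Warning "$($u.SamAccountName): $TargetAttribute already holds '$current'; leaving it alone"
        continue
    }

    # proxyAddresses: upper-case 'SMTP:' marks the single primary address, lower-case 'smtp:' a secondary.
    # Add as primary only if the user has no primary yet; otherwise add it as a secondary.
    $existing   = @($u.proxyAddresses)
    $hasPrimary = $existing | Where-Object { $_ -clike 'SMTP:*' }
    $alreadyHas = $existing | Where-Object { $_ -ieq "smtp:$id" }
    $newProxy   = if ($hasPrimary) { "smtp:$id" } else { "SMTP:$id" }

    Write-Host "$($u.SamAccountName): $TargetAttribute=$id; proxyAddresses += $newProxy"
    if (-not $current) {
        Set-ADUser -Identity $u -Replace @{ $TargetAttribute = $id } -WhatIf:$DryRun
    }
    if (-not $alreadyHas) {
        Set-ADUser -Identity $u -Add @{ proxyAddresses = $newProxy } -WhatIf:$DryRun
    }
}

# Verification after a real run: every account that should sync now carries a value in the new domain.
Get-ADUser -Filter "$TargetAttribute -like '*@$NewDomain'" -SearchBase $SearchBase -Properties $TargetAttribute |
    Select-Object SamAccountName, UserPrincipalName, $TargetAttribute
```

Run it once with $DryRun left at $true and read the WhatIf lines and warnings; the collision check and the "already holds" guard are the two things that bite in practice, since a duplicate alternate ID or an overwritten mail value will surface as a sync error in AAD Connect rather than here. Once the attribute is populated, pick it under "User principal name" in the AAD Connect wizard as the solution post says; with password hash sync or pass-through authentication no AD FS is needed.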