ADFS Claim Rule - If UPN with domain, then send '.com' domain to Active Directory, Possible?




1. I'm using Active Directory (on-prem) with domain, but it's not verified.

2. I already synced with AAD and the AAD has a verified domain(

3. UPN from on-prem AD had been synced as '', '' following MOERA policy.

4. Configured ADFS to use O365.

5. When I go to the login page, it redirects to the ADFS login page( and it says 'invalid username or password information' when I enter the correct credentials for the account.



Onprem AD (




AAD /O365 ( -verified)


Perhaps we might find a solution by setting up an ADFS claim rule... can you help me change the input coming into to


Thank you!

2 Replies

I'm not sure I completely understand your scenario, thus I cannot guarantee it will work, but if you need examples on how to manipulate the UPN claim, you can find some in this article:

  1. When you enter it gets directed to ADFS - the domain part here is only used for that.
  2. In ADFS you need to use your internal username, because the authentication is performed against your on-premises AD.
  3. If you haven't configured it manually otherwise, ADFS sends userprincipalname to Office 365. However, this doesn't matter, because Office 365 uses only the ImmutableId attribute to identify users, so there is no need to change claim issuance rules.


So, if you're having the error in phase 2., just use the to log in.
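For readers who still want to see what the claim rule the original poster asked about looks like, here is an added example (not code from either reply or from Microsoft's article) that issues a UPN claim with the suffix rewritten from an unverified on-premises domain to the verified cloud domain. The domain names `contoso.local` and `contoso.com` and the relying party trust name are placeholders; substitute your own farm's values.

```powershell
# Added example, not from the thread: an AD FS issuance transform rule that rewrites the
# UPN suffix before the claim reaches the Office 365 relying party trust.
# All three values below are placeholders (assumptions), not values from the thread.
$onPremSuffix = 'contoso.local'   # unverified on-prem UPN suffix (placeholder)
$cloudSuffix  = 'contoso.com'     # verified Azure AD domain (placeholder)
$rpName       = 'Microsoft Office 365 Identity Platform'  # RP trust display name; confirm in your farm

$upnType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

# Claim rule language: match the incoming UPN claim from AD and issue a new UPN claim
# whose suffix is replaced. regexreplace uses .NET regex, so (?i) gives a case-insensitive match
# and [regex]::Escape protects the dot in the suffix.
$rule = @"
@RuleName = "Rewrite UPN suffix to verified domain"
c:[Type == "$upnType"]
 => issue(Type = "$upnType", Value = regexreplace(c.Value, "(?i)@$([regex]::Escape($onPremSuffix))$", "@$cloudSuffix"));
"@

# Read the current rule set first so the new rule is appended instead of replacing the
# default Office 365 rules (which also issue ImmutableId and other required claims).
$rp       = Get-AdfsRelyingPartyTrust -Name $rpName
$existing = $rp.IssuanceTransformRules

# Show what will be applied before committing it.
Write-Output "Existing rules:`n$existing"
Write-Output "Rule to append:`n$rule"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`n" + $rule)
```

Two practical notes. First, as the reply above points out, Office 365 matches the signed-in user on the ImmutableId claim rather than on the UPN, so this transform does not by itself fix a failed sign-in at the AD FS prompt (that step authenticates against on-premises AD with the internal username). Second, keep any rewritten UPN consistent with what Azure AD Connect has already synced for the account; issuing a UPN value that differs from the synced one is a common cause of confusing sign-in failures and is worth checking in the AD FS admin event log when troubleshooting.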