Apr 19 2017 09:47 AM
We are going to be changing our company name, so this requires a new domain.
The new domain has been added to On-Prem AD and Office365.
On a test user we have changed the UPN to the new domain and Azure AD Connect returns this:
Unable to update this object in Microsoft Online Services, because the attribute FederatedUser.UserPrincipalName is not valid. Update the value in your local Active Directory
I found this article (https://support.microsoft.com/en-us/help/2669550/changes-aren-t-synced-by-the-azure-active-directory...) and we tried Method 2 and we get same error.
When I try to run Method 1, I get this error for the first Set-AzureADUser command:
Set-AzureADUser : Error occurred while executing SetUser
Code: Request_BadRequest
Message: Property passwordProfile.password value is required but is empty or missing.
RequestId: xxxxxxxxxxxxxxxxx
DateTimeStamp: Wed, 19 Apr 2017 16:28:36 GMT
Details: PropertyName - passwordProfile.password, PropertyErrorCode - PropertyRequired
Since the support page doesn't mention having to have a PasswordProfile parameter and I've found very very little in regards to the command on the net, does anyone have any suggestions?
Apr 19 2017 11:08 AM
Hi Cary,
Are you changing in local Active Directory?
Apr 19 2017 11:20 AM
We make the User changes in on-prem AD via ADUC.
Then the article's steps are done in Azure AD.
Apr 19 2017 11:24 AM
Seems you are trying to change between federated/managed domains, thus the error. A federated user does not have any password set in the service, so you need to perform some actions when converting it (similar to what Convert-MsolFederatedUser does). So this will not work for federated:
Set-AzureADUser -ObjectId e53d644c-db69-4e19-a1ab-94bd1f5d11e4 -UserPrincipalName irestri@michevdev2.onmicrosoft.com
Set-AzureADUser : Error occurred while executing SetUser
Code: Request_BadRequest
Message: Property passwordProfile.password value is required but is empty or missing.
This will:
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "Password123"
Set-AzureADUser -ObjectId e53d644c-db69-4e19-a1ab-94bd1f5d11e4 -UserPrincipalName irestri@michevdev2.onmicrosoft.com -PasswordProfile $PasswordProfile
Apr 19 2017 11:33 AM
Hi Cary,
If you are syncing to Azure AD your changes first must be on your AD.
This script could help you resolve your issue.
https://gallery.technet.microsoft.com/PowerShell-Script-to-Allow-6b251cb4
Apr 19 2017 12:53 PM
Sorry, but having to change a user's password is unacceptable.
Apr 19 2017 01:02 PM
Well IF you are changing between federated/managed auth, it's mandatory.
Apr 19 2017 01:38 PM
Nope, it isn't mandatory.
Based on the other script given to me by @Nuno Silva, here are the commands I ended up using that did NOT require resetting the user's password.
Set-MsolUserPrincipalName -UserPrincipalName User1@contoso.com -NewUserPrincipalName User1@tenantname.onmicrosoft.com
Set-MsolUserPrincipalName -UserPrincipalName User1@tenantname.onmicrosoft.com -NewUserPrincipalName User1@Fabrikam.com
That support article definitely needs some updating.
Apr 19 2017 02:29 PM
I modified the script that you showed me and fortunately it didn't require a password change.
Connect-MSOLService
Set-MsolUserPrincipalName -UserPrincipalName User@contoso.com -NewUserPrincipalName User@tenant.onmicrosoft.com
Set-MsolUserPrincipalName -UserPrincipalName User@tenant.onmicrosoft.com -NewUserPrincipalName User@fabrikam.com
That support article definitely needs updating!
Apr 19 2017 04:22 PM
I've attempted to reply to this thread twice already but neither has shown up.
Want to thank you for the link as I modified their script and it worked.
And no @Vasil Michev, it did not require a password change for it to work. It just required running the proper PowerShell script which the Support document obviously doesn't have.
Apr 27 2017 01:16 PM - edited Apr 27 2017 01:40 PM
I ran into the same issue and this exchange helped me, but I'd like to add that to me the big difference between the MSOL cmdlets and the Azure AD (new) cmdlets is that the MSOL cmdlet will generate a password for your profile when running it and the AzureAD cmdlets do not.
In order to fix this issue you first have to change your UPN to match the default domain - for example @tenant.microsoft.com which is a MS domain and since that domain is not a federated one, the user account needs a password.
When setting the UPN to match the default domain using the MSOL cmdlets, I didn't get an error about password profile being empty which was great. The cmdlet worked, however, it returned a random 8 character alphanumeric word each time I executed it when the default domain (@tenant.microsoft.com) was part of the UPN. This leads me to believe the cmdlet is generating a password and setting it as part of its process for setting the UPN when no password exists in the profile and getting around the error that the Set-AzureADUser cmdlet throws when no password is set in the profile.
When you run the cmdlet the 2nd time and set it to the federated domain name (it's a 2-step process to fix this issue), the random alphanumeric 8 character word is not generated, which makes sense as the domain the UPN is using is now a federated one and the user will authenticate against your on-premises ADFS instance, not against an Azure owned domain (aka default domain).
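The two-step UPN move described in the posts above (old federated domain to the tenant's onmicrosoft.com domain, then on to the new federated domain), wrapped in a function with the checks a practitioner would want before running it against a production account. This is an added example and not a script from the thread or from Microsoft; the function name, parameter names and the sample UPNs are made up. It assumes the MSOnline module is installed and Connect-MsolService has already been run, and that, as the earlier replies note, the on-premises AD UPN has already been changed to the new domain so Azure AD Connect ends up in agreement.

```powershell
# Added example (not from the thread): two-step UPN change for a federated user
# using the MSOnline module. Assumes the MSOnline module is installed and
# Connect-MsolService has already been run. Function name, parameter names and
# the sample UPNs in the usage line are constructed for illustration.

function Set-FederatedUserUpn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $CurrentUpn,    # e.g. user1@contoso.com (old federated domain)
        [Parameter(Mandatory)] [string] $NewUpn,        # e.g. user1@fabrikam.com (new federated domain)
        [Parameter(Mandatory)] [string] $InitialDomain  # the tenant's *.onmicrosoft.com domain
    )

    # Sanity checks before touching the account: the user must exist and the
    # target domain must be verified in the tenant (Get-MsolDomain reports
    # Status and Authentication, i.e. Managed or Federated).
    $user = Get-MsolUser -UserPrincipalName $CurrentUpn -ErrorAction Stop
    Write-Verbose "Found $($user.DisplayName) ($($user.ObjectId))"

    $newDomainName = ($NewUpn -split '@')[1]
    $newDomain = Get-MsolDomain -DomainName $newDomainName -ErrorAction Stop
    if ($newDomain.Status -ne 'Verified') {
        throw "Domain $newDomainName is not verified in this tenant."
    }
    Write-Verbose "Target domain $newDomainName authentication: $($newDomain.Authentication)"

    $localPart  = ($CurrentUpn -split '@')[0]
    $interimUpn = "$localPart@$InitialDomain"

    if ($PSCmdlet.ShouldProcess($CurrentUpn, "Move UPN to $NewUpn via $interimUpn")) {
        # Step 1: move to the managed *.onmicrosoft.com domain. The posts above
        # report that this step can print an 8-character string (believed to be a
        # generated password); assign it to $null so it is not left on the console
        # or in a transcript log.
        $null = Set-MsolUserPrincipalName -UserPrincipalName $CurrentUpn `
                    -NewUserPrincipalName $interimUpn -ErrorAction Stop

        # Step 2: move to the new federated domain. If this fails, say so clearly,
        # because the account is now sitting on the interim UPN.
        try {
            $null = Set-MsolUserPrincipalName -UserPrincipalName $interimUpn `
                        -NewUserPrincipalName $NewUpn -ErrorAction Stop
        }
        catch {
            Write-Warning "Step 2 failed; the account is currently $interimUpn. Fix and re-run step 2 manually."
            throw
        }
    }

    # Read back and return the result so the caller can confirm the change.
    return Get-MsolUser -UserPrincipalName $NewUpn -ErrorAction Stop |
        Select-Object UserPrincipalName, ObjectId, ImmutableId, LastDirSyncTime
}

# Usage (constructed values; run after Connect-MsolService). -WhatIf shows the
# intended change without performing it.
# Set-FederatedUserUpn -CurrentUpn 'user1@contoso.com' -NewUpn 'user1@fabrikam.com' `
#     -InitialDomain 'tenant.onmicrosoft.com' -WhatIf
```

Run it first with -WhatIf and -Verbose on a test user, as the original poster did, then compare the returned UserPrincipalName with the on-premises UPN before the next Azure AD Connect sync cycle.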
Apr 27 2017 02:05 PM
Thanks, but I ran the script on two test users to change their UPNs, and at no time did I or the scripts change their passwords. It finished successfully both times.
Maybe that isn't how it is supposed to work, but that is how it worked for us.
Apr 28 2017 08:47 AM
The command finished successfully for me as well, but whenever I changed the UPN to the default domain (Microsoft's domain) using the MSOL cmdlet it would return an 8 character alphanumeric value upon completion, but only when I chose Microsoft's domain as the one for the UPN and not my federated one.
Are you saying if you change your user from the federated domain to the Microsoft default domain that the cmdlet does not return that for you?
Example:
Set-MsolUserPrincipalName -UserPrincipalName justin@mydomain.net -NewUserPrincipalName justin@tenant.microsoft.com
Then I'd see something like the below output to my shell
Bota2317
I'm using PowerShell version 5.1 on Windows 10 to run the cmdlet.