Question regarding UPN and AD pass through

Copper Contributor

Hello and pardon the question if I missed the answer elsewhere.

 

We are finally migrating off on prem to O365. I would like to use pass through authentication but have questions about the UPN, public versus private domain. Let's say for example our public domain name for email is public.com and the internal AD domain is private.com AND we own both domain names. Our users email addresses are similar to name@public.com and the internal UPN is user@private.com. When setting up authentication since we own private.com and it is routable can we continue to use that for our user UPN or do we have to change it to user@public.com?

 

If we can continue to have users log in as user@private.com I have to add that private domain name to the domain list in O365 admin center, yes?

 

Finally, I got some confusing information form the tech who will be assisting us in the migration. He stated that he thought we have to maintain an exchange server on prem is we intend to ADFS or use pass though authentication - this is not correct is it?

 

Thank you

Michael

11 Replies
Yes you can use the UPN as it will carry over when syncing along with your primary e-mail and it needs to be added as a domain to the tenant. You can use Passthrough without exchange onprem but i would recommend keeping one as it makes administration easier. Many others have removed their exchange servers and do their admin through AD attributes so it's optional. Until you plan to completely remove AD sync and stand alone in 365 in the future I would say keep it around.
Not sure if I follow you here...the UPN used to login in Office 365 should be based on a public domain and normally what you do is sync this UPN from your local AD to Office 365 in one of the account atributes (Mail one)

Juan Carlos,

 

In an example I saw, the scenario was the organization had domain.com as their public domain and domain.local as their private AD domain. Obviously you cannot use a dot local domain outside your private AD environment. We on the other hand use public.com for email and private.com from AD and we own both domains. So my thought was that since I own it couldn't I just use private.com for O365 login? That is to say my users could still log in as user@private.com (on premises UPN) instead of user@public.com (Alternate ID) and only use the @public.com domain name for their email account e.g. person@public.com

Chris, thanks for your reply,

 

I think I found an article I was looking for. I skimmed this a couple weeks ago and then couldn't remember where I saw it. So yeah, should be OK based on this, I'll just have to add my private AD domain name to the list.

 

"Azure AD Connect synchronizes your users' UPN and password so that users can sign in with the same credentials they use on-premises. However, Azure AD Connect only synchronizes users to domains that are verified by Office 365. This means that the domain also is verified by Azure Active Directory because Office 365 identities are managed by Azure Active Directory. In other words, the domain has to be a valid Internet domain (for example, .com, .org, .net, .us, etc.). If your internal Active Directory only uses a non-routable domain (for example, .local), this can't possibly match the verified domain you have on Office 365. You can fix this issue by either changing your primary domain in your on premises Active Directory, or by adding one or more UPN suffixes."

Second question re. your reply - keeping an exchange server on prem, it's just acting as a management console basically since non of the mail data is stored locally nor does it pass through that server, correct? So I could set up a tiny VM with just Exchange whatever version installed and not have to worry about space for the data, nor CALs since the client licenses are now O365?

After migration you could. Check out hybrid license thou cause the server still needs a license. It’s free, if you already have an exchange license thou you can still use that but eventually you’ll want to change. But your right no cals needed if moved to cloud and used for management only. Just server license being what you had or new server with hybrid.

We're licensed for Business Essentials, not E3 or better, so I don't think I can use the free key. I have an entitlement to on prem Exchange 2016 though, but not enough CALs for every user at that level. I'll have to investigate my options further. It may wind up we elevate to E3.

You shouldn't need CAL's if you don't host mailboxes, the only thing you need licensed on prem is the server software itself.

Excellent! That's what I was just trying to look up. I got very confusing info about that from the tech were are using to assist.

Thank you very much

Now keep in mind that's in regards to Exchange, you still need Windows Server Cal's for users if they still authenticate on-prem in any way.

OK. We are maintaining an on prem AD environment so should have more than enough Windows Server CALs for that purpose. 

 

Thank you