azure ad connect

131 Topics

Best practice when UPN and email address are different but both routable?
Our on-premise AD is a multi-domain forest with different business units in separate child domains. Each child domain uses a UPN of the form username[at]unitX.onpremad.com and we've validated all these in the cloud. However, all users have email addresses like fullname[at]emaildomain.com, that domain is also validated with Entra AD. Users frequently join teams in a different business unit so their AD account is migrated across domains and their UPN changes at that time, but their email address stays the same. I've read through a lot of documentation on how the best practice is for the UPN and email to be the same for O365, but that you could have them be different using alternate ID support. But when they are different, apparently there are a number of little "gotchas" in terms of application support. So, before we sync our on-prem AD, I'm trying to understand which scenario will be the best supported over the long term with the least headaches to both users and IT. Changing the on-prem UPN to match the email address isn't possible due to a critical LOB app that expects the UPN suffix to break down into username and business unit domain name. So, would it best to: Sync users with their on-prem UPN as their cloud UPN. This seems easiest to configure, but the documentation seems to imply there's a lot of manual fixing up when the UPN changes and possibly application compatibility issues since the UPN and email are different. Sync the primary email address as the cloud UPN. Looks to require custom configuration. Has the advantage that UPN and email match and the email address rarely changes. However, I'm unclear if this is supported since we'd still have some accounts (primarily administrators) without a mailbox and so no mail or proxyAddresses fields filed in. Unclear if there are any other "gotchas" to watch out for since this is a non-standard configuration. Thanks for any advice you can provide.
Solved
BTW97
Jan 06, 2026 Place Microsoft Entra
11KViews
0likes
4Comments
Do the Entra sync/connect apps ever successfully update themselves?
Last week I had to download and install version 2.5.79.0 of the Entra Connect Sync Agent app on our Entra Connect server because I discovered the installed version was 2.4.21.0 and that version reaches end of support on November 15. Today, I happened to check on the version of the Entra Private Network Connector app on the two servers where we have that installed, and both are running version 1.5.3925.0, which was the latest available version at the time I installed it back in March. That version was from July 2024, and there have been three new releases since then, two of which "may perform auto-update of your connector". One of those servers was a new install, but the other one was an upgrade of the installed version of the Azure Application Proxy client, and while I don't recall which version specifically was installed, I know it was quite out of date. I'm curious: Has anyone ever actually seen either the Entra Connect Sync Agent or Entra Private Network Connector successfully upgrade themselves automatically?
Solved
RyanSteele-CoV
Oct 27, 2025 Place Microsoft Entra
114Views
1like
1Comment
Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub
dcsantos9
Sep 22, 2025 Place Microsoft Entra
49Views
1like
0Comments
API-driven provisioning field mapping changes resynchronize all users and groups
We have configured API-driven provisioning for on-premises Active Directory, along with Azure AD Connect, to synchronize on-premises AD users with Azure Entra ID. As part of the provisioning setup, we have used a separate Organizational Unit (OU) in on-premises AD (designated as the default OU for new users) while configuring API-driven provisioning. We are attempting to make some changes to the API field mapping, specifically the ‘UserPrincipalName’ regular expression (custom domain) and the ‘manager’ field, and saving the configuration. Upon attempting to save, a prompt appears (as highlighted below screenshot), indicating that this action will resynchronize all users and groups. Could you please clarify: Will this resynchronization update any existing users outside the default provisioning Organizational Unit (OU)? Specifically, what does the resynchronization operation update? For instance, will it modify the 'UserPrincipalName' and 'manager' attributes for all users including old users outside of provisioning Organizational Unit (OU)? Screen Shot - While Saving Mapping.
Solved
LJohn
Sep 17, 2025 Place Microsoft Entra
272Views
0likes
2Comments
Microsoft Entra Connect connecting always to old DC
We are planning on demoting old DC server. When doing checkups I noticed that Entra Connect keeps connecting to this specific DC we'ew planning to demote everytime it connect to Active Directory. So now I'm wondering does this need any additional configuration to keep sync working after DC Demote. I found out that there is option to "Only use preferred domain controllers" but I'm not sure if that's what I want do do. There were the red line is is the old DC to be demoted. "Only use preferred domain controllers" setting. If I enable this setting I got this kind of notice. I don't feel like this is the right way to do it so I canceled at this point.
Solved
jpart_777
Sep 04, 2025 Place Microsoft Entra
200Views
0likes
2Comments
The salt sizes required for signing with RSAPSS do not match those used by TPM.
Good evening everyone. I'm getting this error when I try to perform the first sync on my Windows Server 2022. I'm trying to sync the entire directory to manage my employees' licenses. I already have a tenant with users who can stay there without any problems. I had already synced the tenant with my old server in the past. For business reasons, the infrastructure has changed, and so has the server. In Entra ID, I don't see any old syncs, but in Admin Center, I do. Could this be the problem? Any advice is invaluable, as I'm at my wits' end.
robertolombardi
Sep 04, 2025 Place Microsoft Entra
254Views
0likes
2Comments
OU list incomplete in AAD connect
We're facing a strange issue while configuring EntraID Connect. At the point of selecting the OU we want to synchronize the list we see in the EntraID application is not complete in respect of what we see in ADUC. We miss an OU at first level, which by the way is ont of the OU we need to sync. Any idea ?
Solved
StefanoC66
Aug 20, 2025 Place Microsoft Entra
226Views
0likes
4Comments
User Identities in EntraID - how to remove?
I have a user that shows up with multiple identities. No other users are like this and we believe its stopping him from logging in with his alias email address. When i run get-entrauser it returns the following under Identities: {@{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} Every other account just has this @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} How would i go about removing those identies from that user? Struggling to find any info online.
Are27
Aug 07, 2025 Place Microsoft Entra
217Views
0likes
1Comment
Understanding Sign-In logs - password hash sync from another country?
Gday Had a couple users show up today at risk - failed logins from the US, while we're in Canada. Users are not in the US, not using VPNs, logins are to Microsoft services (Office Home, One Outlook Web). The useragent is the axios client, the auth method is 'password in the cloud' - which as i understand it, means the password is being auth'd directly against Entra. However, one of them is Azure AD sync'd. The auth method on this is 'password hash sync' - as I understood it, this means the password is going to the DC first, then the resulting hash is being passed to the cloud. This is what we have on our Hybrid 1-way tenants. But I don't really understand what's going on when I see a Password Hash Sync attempt, from another country. Is that random person passing a (wrong) password to my closed-off server? Or... is it just that the hash that Entra has to authenticate with, is from the DC? Is the 'password to DC, to Cloud' the 'passthrough' auth method? Thanks
underQualifried
Jun 26, 2025 Place Microsoft Entra
358Views
0likes
1Comment
Entra ID Connect cloud sync: User and group sync is quarantined
Hi, I connected our on-premise AD with Entra ID with Azure AD Connect Cloud Sync. Agents are active, but User and group sync is quarantined with the following error. Error code: HybridSynchronizationContainerStateEnumerationFailed Error message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.... Additional details: Encountered an error while enumerating container changes in the provisioning agent. Please make sure you are running the latest version of the agent. Contact support if the issue persists. Additional Error Details: UnwillingToPerform: The server cannot handle directory requests.. ResultCode: UnwillingToPerform, HResult: -2146233088, responseType: System.DirectoryServices.Protocols.SearchResponse, serializedResponse: {"MatchedDN":"","Controls":[],"ResultCode":53,"ErrorMessage":"error in module dsdb_paged_results: Unwilling to perform during LDB_SEARCH (53)","Referral":[],"References":[],"Entries":[],"RequestId":null}. I use SaMBa servers (4.19.4) as DCs. Agents are installed on Windows 2019 servers. How can I resolve the problem?
pischta
Jun 11, 2025 Place Microsoft Entra
1.4KViews
0likes
4Comments