Hey folks, Keith Brewer here to discuss an issue I encountered while working with a Microsoft Premier Customer. As a PFE we are often asked to assist our Premier customers with a specific technology. In this instance I was asked to assist with Active Directory Federation Services (ADFS). Fellow PFE Jasmin Amirali recently blogged an ADFS FAQ on ASKPFEPLAT here. Now you ask what this has to do with Office 365 and UPN values. Well, after ADFS was up and running and validated with a sample claims-aware application in the cloud, an issue arose with finalizing Single Sign-On (SSO) with their email provider, O365. While not an ADFS issue, the information below may be helpful if you find yourself in the same situation.
Their particular configuration is described as Scenario 2 here:
Scenario 2: The organization has decided initially not to use single sign-on (identity federation). Instead the organization’s users are using Microsoft Online cloud IDs (i.e. non-federated IDs) to sign in to Office 365 services. At some point later the organization decides that they want to start using single sign-on, by converting their existing users from standard Microsoft Online cloud IDs to federated IDs.
While the ADFS infrastructure was validated, another problem was lurking, waiting to rear its ugly head shortly after the online domain was converted from Standard (Managed) to Federated.
Users within the IT organization began receiving error 8004786C from O365 shortly after the online domain was converted from Standard (Managed) to Federated. In this case the cause was a mismatch between the users' on-premises UPN suffix and the federated online domain: ADFS issued a token for one name, and O365 expected another.
There are a number of potential solutions to this issue, as discussed in the articles above.
This customer decided to change the on-premises UPN value of every affected user to match the online domain within O365.
*** This is not a subtle change and can have massive repercussions for user authentication and for any third-party application that keys on the current UPN value. Users who sign in with their UPN will need to know the new one, and anything that stores or matches on the old value will break. Test on a small OU first. ***
Now on to how to change the UPN value for numerous users quickly, in one pass.
I have written a PowerShell script that evaluates each user's current UPN suffix for an administrator-provided string (OldUPNString) and, if present, replaces it with an administrator-provided string (NewUPNString). It performs this operation on all user accounts found at and beneath an administrator-provided location (TargetDN). This script is available here:
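The following is an added example of how such a bulk UPN suffix change can be done with the RSAT ActiveDirectory module; it is not the script from the original post and makes no claim about how that script works. The parameter names follow the post's description (OldUPNString, NewUPNString, TargetDN); the file name, the log path, the forest suffix check and the -WhatIf support are assumptions made here. It needs an account permitted to write userPrincipalName on the target users.

```powershell
<#
.SYNOPSIS
  Added example (not the original post's script): replace the UPN suffix of every
  user at or beneath TargetDN whose UPN currently ends with OldUPNString.
  Assumed file name: Set-UpnSuffix.ps1
.EXAMPLE
  .\Set-UpnSuffix.ps1 -OldUPNString corp.local -NewUPNString contoso.com `
      -TargetDN 'OU=Staff,DC=corp,DC=local' -WhatIf
#>
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)][string]$OldUPNString,   # current suffix, e.g. 'corp.local' (assumed sample value)
    [Parameter(Mandatory)][string]$NewUPNString,   # federated O365 domain, e.g. 'contoso.com' (assumed sample value)
    [Parameter(Mandatory)][string]$TargetDN,       # search base, e.g. 'OU=Staff,DC=corp,DC=local'
    [string]$LogPath = ".\UpnChange-$(Get-Date -Format yyyyMMdd-HHmmss).csv"   # assumed log location
)

Import-Module ActiveDirectory

# Accept the suffix with or without a leading '@'.
$oldSuffix = $OldUPNString.TrimStart('@')
$newSuffix = $NewUPNString.TrimStart('@')

# Refuse a suffix the forest does not know about: AD will happily store it, but the
# resulting UPN is one nothing will match. Domain DNS names and the alternative suffixes
# added in AD Domains and Trusts are both valid.
$forest = Get-ADForest
$knownSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
if ($knownSuffixes -notcontains $newSuffix) {
    throw "'$newSuffix' is neither a domain DNS name nor a registered UPN suffix in forest $($forest.Name). Add it in AD Domains and Trusts first."
}

# Pull only users whose UPN actually ends with the old suffix; -SearchBase scopes the change.
$filter = "UserPrincipalName -like '*@$oldSuffix'"
$users = Get-ADUser -Filter $filter -SearchBase $TargetDN -SearchScope Subtree -Properties UserPrincipalName

$results = foreach ($u in $users) {
    $oldUpn = $u.UserPrincipalName
    # Anchored, escaped regex so only the trailing suffix is touched, never the prefix.
    $newUpn = $oldUpn -replace ('@' + [regex]::Escape($oldSuffix) + '$'), "@$newSuffix"

    $status = 'Skipped'   # what -WhatIf reports, since ShouldProcess returns $false
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set UPN $oldUpn -> $newUpn")) {
        try {
            Set-ADUser -Identity $u.DistinguishedName -UserPrincipalName $newUpn -ErrorAction Stop
            $status = 'Changed'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        DistinguishedName = $u.DistinguishedName
        OldUPN            = $oldUpn
        NewUPN            = $newUpn
        Status            = $status
    }
}

# Keep the old/new pairs: re-running with the two strings swapped undoes the change.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it once with -WhatIf against a small OU and read the CSV before doing the wholesale change; the log is also the only easy way back if a third-party application turns out to depend on the old value.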