
Hybrid Azure AD Join Alternate ID UPN Issues

Copper Contributor

Hello

Running dsregcmd /status is outputting AzureAdPrt as NO for users logging in with a verified, managed, routable subdomain.

The users' on-prem AD UPN is site.xyz.com and the Azure AD UPN is xyz.com. site.xyz.com is also verified as a custom domain, and the enterpriseregistration/enterpriseenrollment CNAMEs have been added.

According to this document it's a supported config to have a different on-prem UPN than the Azure AD UPN, but it's not working (routable, managed):
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

We have 3 different locations with SEPARATE domains (will combine into one with different AD sites at a later time) that have domain trusts between them. The issue is trying to get Hybrid Azure AD join to work with the user credentials using their UPN that doesn't match their Azure AD UPN (the alternate UPN is verified in Azure AD).

Examples:

site1.examplexyz.com
site2.examplexyz.com
site3.examplexyz.com

Azure/365 email UPN for all: examplexyz.com

All sub domains are verified in Azure AD.

We can't add the same domain UPN (domain.com) at each location's domains and trusts because it breaks the domain trust routing, at least in our testing with one domain using ADFS for application access, so we are keeping the UPN different at each location and are syncing objects to Azure AD using Alternate ID in the email address field. All users are showing the correct UPN in Azure AD as examplexyz.com.

From my understanding of the table at the bottom of this guide (Plan your hybrid Azure Active Directory join deployment - Microsoft Entra | Microsoft Docs), routable, managed domains should be supported.

When I log into a computer using a user with a site1, site2, or site3.domain.com UPN, Seamless SSO works by going to autologin.microsoft.us (GCC High); however, Hybrid Azure AD join is giving errors in Event Viewer with error codes 76 and 90. As a test, as soon as I set the UPN of a user to examplexyz.com it works just fine.

AzureAdPrt with dsregcmd /status shows NO when logging in with a subdomain.

We have the enterpriseenrollment and enterpriseregistration CNAMEs set for the subdomains.

Has anyone been able to get Hybrid Azure AD enrollment to work with their on-prem UPN being different than their Azure AD UPN?
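The post checks three things by hand: the device-registration CNAMEs for each on-prem UPN suffix, the AzureAdPrt value from dsregcmd /status, and the registration errors in Event Viewer. The script below gathers all three in one run on the affected client. It is an added example, not code from the post or from Microsoft; the suffix list is a constructed placeholder, and the event log name, the dsregcmd output format matched by the regex, and the set of status keys kept are assumptions about a current Windows client that you should confirm on your own build.

```powershell
# Added diagnostic example (not from the original post or from Microsoft).
# Collects, on one Windows client: the enterpriseregistration/enterpriseenrollment
# CNAMEs for each on-prem UPN suffix, the dsregcmd /status join/PRT values, and
# recent User Device Registration events. Suffix values are constructed placeholders.

$UpnSuffixes = @('site1.examplexyz.com', 'site2.examplexyz.com', 'site3.examplexyz.com')

function Test-DeviceRegistrationCname {
    # Resolve <label>.<suffix> as CNAME and report whether it exists and where it points
    param([Parameter(Mandatory)][string]$Suffix)
    foreach ($label in 'enterpriseregistration', 'enterpriseenrollment') {
        $fqdn = "$label.$Suffix"
        $rec = $null
        try {
            $rec = Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction Stop |
                   Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
        } catch { }   # NXDOMAIN or resolver failure: reported as Resolved = False
        [pscustomobject]@{
            Name     = $fqdn
            Resolved = ($null -ne $rec)
            Target   = $rec.NameHost      # $null when the record did not resolve
        }
    }
}

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; keep the ones relevant to join/PRT state
    # (assumed key names; compare with your own dsregcmd output)
    $wanted = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'AzureAdPrtUpdateTime',
              'TenantName', 'DeviceAuthStatus'
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $wanted -contains $matches[1]) {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Get-RecentDeviceRegistrationEvents {
    # Errors and warnings from the User Device Registration admin log (assumed log name)
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        Level     = 2, 3                          # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# 1. DNS: every verified suffix needs both CNAMEs; a missing one shows as Resolved = False
$UpnSuffixes | ForEach-Object { Test-DeviceRegistrationCname -Suffix $_ } | Format-Table -AutoSize

# 2. Local device state for the signed-in user (the UPN in use is printed alongside)
$state = Get-DsregStatus
"Signed-in UPN: $(whoami /upn)"
$state.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# 3. If no PRT was issued for this session, list the registration events from the last day
if ($state['AzureAdPrt'] -eq 'NO') {
    Write-Warning 'AzureAdPrt is NO for this session; recent registration events follow:'
    Get-RecentDeviceRegistrationEvents | Format-List
}
```

Run it in the session of a user whose UPN suffix is one of the subdomains, then again as a user whose UPN is the primary domain, and compare the three sections side by side; the CNAME table tells you whether the DNS side is consistent across suffixes, and the event list gives you the error IDs and messages to quote when escalating.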

1 Reply
Any ideas?