As some of you probably know, when synchronizing objects from the on-premises Active Directory to the Office 365 tenant, the on-premises Active Directory is considered the source of authority, meaning that the objects must be managed via the on-premises Active Directory.
In this scenario you can of course change the UPN using a PowerShell script or maybe even the provisioning solution running in the particular on-premises environment. However, there are organizations that aren’t, how should I put it, very PowerShell savvy.
Well, there is good news for you folks! Because here I want to show you how this can be accomplished using a GUI-based tool called ADModify. Quite a few years ago, more precisely back in 2005, I wrote this article on MSExchange.org uncovering the ADModify tool: http://ow.ly/lqdi8. And guess what, the tool hasn’t changed much since then.
Okay, so in order to change the UPN for your directory synchronized users, you need to have the following in place:
- Added the respective domain to the UPN suffix list in Active Directory
- Added the domain as a federated domain in your Office 365 tenant (for instructions on how to do this and enable support for multiple federated domains in your ADFS infrastructure, see this blog post: http://ow.ly/lqdek)
Now go download the ADModify tool here: http://ow.ly/lqdnX.
Launch the tool and select the users for which you wish to change the primary e-mail address by following the instructions in the old article I wrote: http://ow.ly/lqdi8
Click on the “Account” tab and then tick “UPN”. Click “Legacy Account” to fill in the first part of the UPN and then select the domain in the UPN drop-down list.
Now click on the “Go!” button to make the changes. This can take several minutes depending on how many objects you’re modifying.
We have now prepared the on-premises AD side of things. You would probably expect that we just need to wait for the next directory synchronization to occur. Unfortunately, this is not the case. You see, during the next synchronization the provisioned objects in the AAD sync tool database will be updated with the new UPN, and the AAD sync tool will also try to update the objects in the Office 365 tenant. But nothing will happen if the users already have a federated domain set as the UPN.
First, we must connect to the Office 365 tenant using PowerShell and change the UPN for all relevant users to the vanity domain “tenant.onmicrosoft.com”.
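Here is an added example of that intermediate cloud-side step, written for this post and not taken from it or from ADModify: it moves every directory-synchronized user whose UPN is in the old domain over to the tenant’s onmicrosoft.com domain, with a dry-run switch and a CSV record of what was changed. It assumes the MSOnline module (Connect-MsolService, Get-MsolDomain, Get-MsolUser, Set-MsolUserPrincipalName); the domain names are placeholders you replace with your own.

```powershell
# Added example (not from the original post): moves the cloud-side UPN of every
# directory-synchronized user in an old UPN domain to the tenant's onmicrosoft.com
# domain, the intermediate step the post describes before the next directory sync.
# Assumes the MSOnline module. Domain names below are placeholders.
param(
    [string]$OldDomain    = 'olddomain.example',
    [string]$TenantDomain = 'tenant.onmicrosoft.com',
    [switch]$WhatIf       # dry run: report the planned changes, change nothing
)

Connect-MsolService   # prompts for tenant administrator credentials

# Sanity check: the onmicrosoft.com domain must exist and be verified in the tenant.
$initial = Get-MsolDomain -DomainName $TenantDomain -ErrorAction Stop
if ($initial.Status -ne 'Verified') { throw "$TenantDomain is not verified in this tenant" }

# Only touch synchronized users (they carry an ImmutableId) whose UPN is in the old domain,
# so cloud-only accounts and users in other domains are never modified.
$users = Get-MsolUser -All |
    Where-Object { $_.ImmutableId -and $_.UserPrincipalName -like "*@$OldDomain" }

$log = @()
foreach ($u in $users) {
    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$TenantDomain"
    if ($WhatIf) {
        Write-Host "WHATIF: $($u.UserPrincipalName) -> $newUpn"
        continue
    }
    try {
        Set-MsolUserPrincipalName -UserPrincipalName $u.UserPrincipalName `
                                  -NewUserPrincipalName $newUpn -ErrorAction Stop
        $log += [pscustomobject]@{ Old = $u.UserPrincipalName; New = $newUpn; Result = 'Changed' }
    } catch {
        # Record the failure instead of aborting, so one bad object does not stop the batch.
        $log += [pscustomobject]@{ Old = $u.UserPrincipalName; New = $newUpn; Result = $_.Exception.Message }
    }
}

# Keep a record of every change so the move can be audited or reverted if needed.
$log | Export-Csv -Path ".\upn-move-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
$log | Format-Table -AutoSize
```

Run it once with -WhatIf to confirm the filter only catches the users you intend, then without it; the next directory synchronization will then move the UPNs on to the new federated domain set with ADModify.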