Here's what you can do:

1. Add and verify `corporate.net` in AAD.
2. Add `hq.corporate.net`. You'll be able to skip verification because it's a subdomain of a verified domain.
3. Set up Directory Synchronization (DirSync). This will create all your users as `username@hq.corporate.net`.
4. Use AAD PowerShell cmdlets to change the UserPrincipalName (UPN) of all the users to `username@corporate.net`.

It sounds like you've already done 1, 2 and 3, so you should be good to go with 4.
New users will have to go through that process (first DirSync them up to the cloud, then change their UPNs with PowerShell). From then on, DirSync should continue to work normally.
Here's how you would change the UPN of a single user:
```powershell
Get-MsolUser -UserPrincipalName "user@hq.corporate.net" | `
    Set-MsolUserPrincipalName -NewUserPrincipalName "user@corporate.net"
```
Here's how you would do it for all users:
```powershell
$oldDomain = "hq.corporate.net"
$newDomain = "corporate.net"

# -All is needed here: without it Get-MsolUser returns only the first 500 users.
Get-MsolUser -All | ? { $_.UserPrincipalName.EndsWith("@" + $oldDomain) } | % {
    # Everything before the "@" is the alias to keep.
    $alias = $_.UserPrincipalName.Substring(0, $_.UserPrincipalName.IndexOf("@"))
    Set-MsolUserPrincipalName -ObjectId $_.ObjectId `
        -NewUserPrincipalName ($alias + "@" + $newDomain)
}
```
As always, test this out first! :)
Philippe
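
A dry-run check to go with the "test this out first" advice, added here as an example and not part of the answer above: it computes the rename plan for the bulk change and flags any target UPN that already exists in the tenant, without changing anything. The function name `Get-UpnRenamePlan` and the sample UPNs are assumptions made for illustration.

```powershell
# Added example: read-only planner for the hq.corporate.net -> corporate.net change.
# Get-UpnRenamePlan is a hypothetical helper, not an MSOnline cmdlet.
function Get-UpnRenamePlan {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [Parameter(Mandatory)] [string]   $OldDomain,
        [Parameter(Mandatory)] [string]   $NewDomain
    )

    # PowerShell hashtables compare string keys case-insensitively,
    # which matches how UPNs are compared.
    $existing = @{}
    foreach ($upn in $UserPrincipalName) { $existing[$upn] = $true }

    $suffix = "@" + $OldDomain
    foreach ($upn in $UserPrincipalName) {
        # Match the domain part regardless of case so no user is silently skipped.
        if (-not $upn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            continue
        }
        $alias  = $upn.Substring(0, $upn.LastIndexOf("@"))
        $target = $alias + "@" + $NewDomain
        [pscustomobject]@{
            Current   = $upn
            New       = $target
            # True when another account already holds the target UPN,
            # so the rename for this user would fail or needs a decision first.
            Collision = $existing.ContainsKey($target)
        }
    }
}

# Constructed sample input. Against a real tenant, pass
# (Get-MsolUser -All).UserPrincipalName instead.
$sample = @(
    "alice@hq.corporate.net",
    "bob@hq.corporate.net",
    "bob@corporate.net",               # cloud-only account that would collide
    "Carol@HQ.corporate.net",          # mixed case, still in scope
    "admin@corporate.onmicrosoft.com"  # out of scope, left untouched
)

Get-UpnRenamePlan -UserPrincipalName $sample `
    -OldDomain "hq.corporate.net" -NewDomain "corporate.net" |
    Format-Table -AutoSize
```

Rows with `Collision` set to `True` are the ones to resolve before running the bulk change; saving the plan with `Export-Csv` also gives a record of the original UPNs for rollback.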