Question

I have set up our corporate AD to sync with our Azure AD and have a question for the community or WAAD team about subdomains and best practice.

On WAAD I have verified our corporate.net domain, but our on-premises AD is at the domain hq.corporate.net.

From my CTO I am told that this is normal to create sub AD domains within a corporation. This means that when the users are synced they just get username@<waad-name>.onmicrosoft.com as their email/username in WAAD.

I solved that by verifying hq.corporate.net also to WAAD and all users were updated so that they now can log on with username@hq.corporate.net on applications with WAAD.

Is this the intended way to go about this? My first impression would be that I would like all our employees to be able to log on with username@corporate.net and not have to include that AD's "branch" prefix/subdomain.

What options do I have to make this happen? If not, is the best practice to tell our mail server that username@hq.corporate.net should give the mail to username@corporate.net instead? The reason why username@hq.corporate.net is not that great is that users have to remember the hq. prefix and also it's the email passed to applications as the identity when they sign on, where their real email is actually username@corporate.net.


Solution

Here's what you can do:

  1. Add and verify corporate.net in AAD.
  2. Add hq.corporate.net. You'll be able to skip verification because it's a subdomain of a verified domain.
  3. Set up Directory Synchronization (DirSync). This will create all your users as username@hq.corporate.net.
  4. Use AAD PowerShell cmdlets to change the UserPrincipalName (UPN) of all the users to username@corporate.net.

It sounds like you've already done 1, 2 and 3, so you should be good to go with 4.

New users will have to go through that process (first DirSync them up to the cloud, then change their UPNs with PowerShell). From then on, DirSync should continue to work normally.

Here's how you would change the UPN of a single user:

# Look the user up by the current UPN, then hand the object to Set-MsolUserPrincipalName
Get-MsolUser -UserPrincipalName "user@hq.corporate.net" | `
    Set-MsolUserPrincipalName -NewUserPrincipalName "user@corporate.net"

Here's how you would do it for all users:

$oldDomain = "hq.corporate.net"
$newDomain = "corporate.net"
# -All is required: without it Get-MsolUser returns only the first 500 users
Get-MsolUser -All | ? { $_.UserPrincipalName.EndsWith("@" + $oldDomain) } | % {
    # keep the part before "@" and attach the new suffix
    $alias = $_.UserPrincipalName.Substring(0, $_.UserPrincipalName.IndexOf("@"));
    Set-MsolUserPrincipalName -ObjectId $_.ObjectId `
                              -NewUserPrincipalName ($alias + "@" + $newDomain)
}

As always, test this out first! :)

Philippe
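The bulk rename in the answer above rewrites every matching UPN as soon as it runs. The script below is an added example, not part of Philippe's answer, that wraps the same Set-MsolUserPrincipalName call in the checks an administrator would want before touching every account: it refuses to run unless corporate.net is actually verified in the tenant, it pages through all users rather than the first 500, it flags renames that would collide with an existing UPN, it does nothing unless -Apply is passed, and it writes a CSV log that can be used to reverse the change. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the domain names are the question's placeholders.

```powershell
# Added example (not from the original answer): a pre-flight-checked, dry-run-by-default
# version of the bulk UPN rename. Assumes the MSOnline module is installed and
# Connect-MsolService has already been run. Domain names are the question's placeholders.
param(
    [string]$OldDomain = "hq.corporate.net",
    [string]$NewDomain = "corporate.net",
    [switch]$Apply             # without -Apply nothing is changed; the plan is only reported
)

# 1. Refuse to run unless the target domain is verified in the tenant. A rename onto an
#    unverified suffix fails, and a typo in $NewDomain would otherwise skip everyone silently.
$domain = Get-MsolDomain -DomainName $NewDomain -ErrorAction Stop
if ($domain.Status -ne "Verified") {
    throw "Domain $NewDomain is not verified in this tenant (status: $($domain.Status))."
}

# 2. Pull every user (Get-MsolUser without -All stops at 500) and index the existing UPNs
#    so a rename cannot be written over an account that already owns user@corporate.net.
$allUsers = Get-MsolUser -All
$taken = @{}
foreach ($u in $allUsers) { $taken[$u.UserPrincipalName.ToLowerInvariant()] = $true }

$plan = foreach ($u in $allUsers) {
    if (-not $u.UserPrincipalName.EndsWith("@$OldDomain", [System.StringComparison]::OrdinalIgnoreCase)) { continue }
    $alias  = $u.UserPrincipalName.Split("@")[0]
    $newUpn = "$alias@$NewDomain"
    [pscustomobject]@{
        ObjectId = $u.ObjectId
        OldUpn   = $u.UserPrincipalName
        NewUpn   = $newUpn
        Conflict = $taken.ContainsKey($newUpn.ToLowerInvariant())
    }
}

# 3. Report the plan. Conflicts are listed but never renamed over.
$plan | Format-Table OldUpn, NewUpn, Conflict -AutoSize

if (-not $Apply) {
    Write-Host "Dry run: $(@($plan).Count) user(s) would be renamed. Re-run with -Apply to change them."
    return
}

# 4. Apply one user at a time, recording every outcome to a CSV that doubles as a rollback list.
$log = foreach ($p in ($plan | Where-Object { -not $_.Conflict })) {
    try {
        Set-MsolUserPrincipalName -ObjectId $p.ObjectId -NewUserPrincipalName $p.NewUpn -ErrorAction Stop | Out-Null
        [pscustomobject]@{ OldUpn = $p.OldUpn; NewUpn = $p.NewUpn; Result = "renamed" }
    } catch {
        [pscustomobject]@{ OldUpn = $p.OldUpn; NewUpn = $p.NewUpn; Result = "failed: $($_.Exception.Message)" }
    }
}
$log | Export-Csv -Path ".\upn-rename-log.csv" -NoTypeInformation
$log | Format-Table -AutoSize
```

Run it once without -Apply and read the table; a row with Conflict = True means two directory objects are competing for the same corporate.net identity and needs a human decision, since the UPN is what federated applications receive as the user's identity. The saved CSV gives the old UPN for every account that was changed, so the rename can be undone with the same cmdlet if DirSync or an application misbehaves afterwards.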

OTHER TIPS

You need to add your corporate.net domain as a UPN (UserPrincipalName) suffix in the Active Directory Domains and Trusts tool (see To add an alternative UPN suffix). Once it's added, you can assign the UPN suffix to your users in the Active Directory Users and Directories tool on your domain controller. Assuming you already had Directory Synchronization set up, it will pick up the users with the new UPN suffix assuming they were added after the corporate.net domain was verified. If not, you may have to use the Set-MsolUserPrincipalName PowerShell commandlet to manually set the correct UPN suffix (see Match On-Premise UPN with Office 365 UPN).
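This answer fixes the UPN on-premises so that Directory Synchronization carries the right value to the cloud instead of the cloud copy being patched afterwards. The script below is an added example, not part of the answer, showing that approach with the ActiveDirectory PowerShell module: it first confirms that corporate.net is registered as a UPN suffix on the forest (the step done by hand in Domains and Trusts), lists the users still carrying the hq.corporate.net suffix inside one OU, warns where the mail attribute disagrees with the new UPN, and only writes changes when -Apply is given. The OU path is a hypothetical placeholder and the domain names are the question's.

```powershell
# Added example (not from the original answer): move users from the sub-domain UPN suffix to the
# corporate.net suffix on-premises, so DirSync carries the correct UPN up. Assumes the
# ActiveDirectory module and that the suffix was already added in AD Domains and Trusts.
# $SearchBase is a hypothetical OU; domain names are the question's placeholders.
param(
    [string]$OldSuffix  = "hq.corporate.net",
    [string]$NewSuffix  = "corporate.net",
    [string]$SearchBase = "OU=Staff,DC=hq,DC=corporate,DC=net",   # hypothetical; limits the scope of the change
    [switch]$Apply
)
Import-Module ActiveDirectory

# 1. The suffix must be registered on the forest; otherwise Set-ADUser will happily write a UPN
#    that no domain controller can resolve when the user tries to log on with it.
$forest = Get-ADForest
if (($forest.UPNSuffixes -notcontains $NewSuffix) -and ($forest.RootDomain -ne $NewSuffix)) {
    throw "'$NewSuffix' is not a UPN suffix of forest $($forest.Name). Add it in AD Domains and Trusts first."
}

# 2. Find users still carrying the sub-domain suffix.
$users = @(Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                      -SearchBase $SearchBase -Properties UserPrincipalName, mail)

foreach ($u in $users) {
    # keep the existing prefix, swap only the suffix
    $newUpn = "$($u.UserPrincipalName.Split('@')[0])@$NewSuffix"

    # Flag accounts whose mail attribute will not match the new UPN: that mismatch is what the
    # question's applications were seeing when the UPN was handed to them as the identity.
    $mailNote = if ($u.mail -and ($u.mail -ne $newUpn)) { " (mail attribute is $($u.mail))" } else { "" }
    Write-Host "$($u.UserPrincipalName) -> $newUpn$mailNote"

    if ($Apply) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    }
}

if (-not $Apply) {
    Write-Host "Dry run: $($users.Count) user(s) listed. Re-run with -Apply to write the new UPNs."
}
```

Changing the UPN on-premises is the option that keeps the directories consistent: DirSync then reports username@corporate.net on its next cycle, and the cloud-side PowerShell fix is only needed for accounts that were already synchronized before the suffix was changed.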

Licensed under: CC-BY-SA with attribution