Azure AD Connect Sync Errors: UPN Changes Aren’t Synced

By | January 13, 2016

I was working at a customer's site a few days back on an Office 365 hybrid deployment. I ran into an issue where one of the users being synced from the on-premises Active Directory had a different UPN in Azure AD. This user's original UPN had been changed in the on-premises Active Directory because of an organizational requirement. However, the change wasn't replicating to Azure AD, and AAD Connect was throwing the error below in the sync log.


Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services. Tracking Id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Microsoft's KB article for this specific error gives the cause:

This problem occurs because the service doesn’t allow you to change the federated domain suffix of a user to a different federated domain suffix.

To fix this, the workaround is to change the Azure AD object's UPN to the default domain that was created when you signed up for O365 (the tenant's initial *.onmicrosoft.com domain) and then switch it to the new UPN. Microsoft gives two paths to achieve this.

  1. Use PowerShell.
  2. Add default domain as a prefix on your local directory, change the UPN of the user and run AAD Connect sync.
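Before applying either workaround it is worth confirming that the situation actually matches the cause in the KB: the on-premises account really carries the new UPN, Azure AD still holds the old one, and both the old and the new suffix are federated domains. The following diagnostic script is an added example, not code from the original post or from Microsoft. It assumes the MSOnline module (the same one the post's fix relies on) and, for the on-premises check, the ActiveDirectory RSAT module; the parameter names $OldUpn and $NewUpn and the variable $UserCredential are this example's own.

```powershell
# Added diagnostic example (not part of the original post).
# $OldUpn is the UPN Azure AD still holds; $NewUpn is the UPN now set on the on-premises account.
param(
    [Parameter(Mandatory = $true)][string]$OldUpn,
    [Parameter(Mandatory = $true)][string]$NewUpn
)

Import-Module MSOnline
Import-Module ActiveDirectory

if ($null -eq $UserCredential) {
    $UserCredential = Get-Credential -Message "Enter Microsoft Online Services Admin Credentials"
}
Connect-MsolService -Credential $UserCredential

# 1. The on-premises account must already carry the new UPN, otherwise AAD Connect has nothing to sync.
$onPrem = Get-ADUser -Filter "UserPrincipalName -eq '$NewUpn'" -Properties UserPrincipalName
if ($null -eq $onPrem) {
    throw "No on-premises account has the UPN $NewUpn. Fix the local directory first."
}

# 2. Show what Azure AD currently holds for the object (fails fast if the old UPN is wrong).
$cloud = Get-MsolUser -UserPrincipalName $OldUpn -ErrorAction Stop
"On-prem UPN  : $($onPrem.UserPrincipalName)"
"Azure AD UPN : $($cloud.UserPrincipalName)"

# 3. Compare the authentication type of the old and new suffixes.
#    The KB cause (federated suffix -> different federated suffix) applies only when both are Federated.
$domains   = Get-MsolDomain
$oldSuffix = $OldUpn.Split('@')[1]
$newSuffix = $NewUpn.Split('@')[1]
$oldDomain = $domains | Where-Object { $_.Name -eq $oldSuffix }
$newDomain = $domains | Where-Object { $_.Name -eq $newSuffix }
"Old suffix $oldSuffix : $($oldDomain.Authentication)"
"New suffix $newSuffix : $($newDomain.Authentication)"

# 4. Find the tenant's initial *.onmicrosoft.com domain, which the workaround stages the UPN through.
$initialDomain = ($domains | Where-Object { $_.IsInitial }).Name
"Initial domain: $initialDomain"

if ($oldDomain.Authentication -eq 'Federated' -and $newDomain.Authentication -eq 'Federated') {
    Write-Warning "Federated-to-federated suffix change: sync will keep failing until the UPN is staged through $initialDomain first."
} else {
    Write-Host "Suffix change is not federated-to-federated; look for another cause of the sync error."
}
```

Run it as `.\Check-UpnChange.ps1 -OldUpn name1@domain1.tld -NewUpn name2@domain2.tld` from a machine that has both modules. Reading the initial domain from Get-MsolDomain rather than typing it avoids the classic mistake of staging the UPN on a domain the tenant does not own, which produces a second "not valid" error.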

While the second option seems the easiest, I would go with the PowerShell method instead, so here is a script that does it.

# Resets a user's AAD UPN to the tenant's @xxxxxx.onmicrosoft.com domain and then changes it to the proper UPN.
# Fill in name1@domain1.tld and name2@domain2.tld with the old UPN and the new UPN:

$OldAadUpn = "name1@domain1.tld"
$NewAadUpn = "name2@domain2.tld"

# Change xxxxxx.onmicrosoft.com below to match your AAD tenant's initial domain.
$InitialDomain = "xxxxxx.onmicrosoft.com"

#-------------------------------------------------------------------------------------------------------------------------------------

$error.Clear()
if ($UserCredential -eq $null) {
    $UserCredential = Get-Credential -Message "Enter Microsoft Online Services Admin Credentials"
}
Connect-MsolService -Credential $UserCredential

# Step 1: stage the UPN on the initial domain (same local part, .onmicrosoft.com suffix).
$TempAadUpn = "$($NewAadUpn.Split('@')[0])@$InitialDomain"
$error.Clear()
Set-MsolUserPrincipalName -UserPrincipalName $OldAadUpn -NewUserPrincipalName $TempAadUpn
if ($error) {
    Write-Host -ForegroundColor Yellow "Check the old UPN and try again."
    return  # stop here; running the second rename after a failed first one would only add a second error
}

# Step 2: switch from the staged UPN to the proper new UPN and show the result.
Set-MsolUserPrincipalName -UserPrincipalName $TempAadUpn -NewUserPrincipalName $NewAadUpn
Get-MsolUser -UserPrincipalName $NewAadUpn

4 thoughts on “Azure AD Connect Sync Errors: UPN Changes Aren’t Synced”

  1. RR

    As a matter of fact, it is a known behavior, and I tested this only with password hash (same sign-on), where no such conflicts come up and the process is eased with only a few attribute changes.

    Further, if possible, enable password write-back and see; then you will know the black sheep.

    ATB.

    rizmi

    1. Muditha Jayath Chathuranga (Post author)

      Thanks for your insights. Yes, it could be that this is not an issue for same sign-on; I haven’t seen this in such environments. But this is an ADFS-integrated SSO environment. Also, if you could elaborate more on how password write-back helps here, that’s much appreciated. 🙂
