When you run the Microsoft Azure Active Directory Sync tool, you notice that the user name of a user in Office 365, Microsoft Azure, or Microsoft Intune doesn't match the user's on-premises user principal name (UPN) or alternate login ID. The UPN or alternate login ID could be the user's user name, email address, or some other attribute.
There are three possible causes of this issue:
- Your company domain is not yet verified. The domain of the on-premises UPN or alternate login ID is a domain that is not yet verified in Azure Active Directory (Azure AD).
- The user in Azure AD is not federated and was assigned a license.
- The domain suffix of the UPN or alternate login ID has changed from one federated domain to another federated domain.
Scenario 1: Your company domain is not yet verified
Make sure that the domain suffix of the UPN or alternate login ID is verified in Azure AD. If you sync users before you verify the domain, the user name of the user is changed accordingly.
How to determine the domain suffix for a UPN
On a domain controller or on a computer on which the Windows Server Administration Toolkit is installed, follow these steps:
- Open Active Directory Users and Computers. To do this, click Start, click Run, type dsa.msc, and then click OK.
- Right-click the domain, and then click Find.
- In the Name box, type the user's display name, and then click Find Now.
- Double-click the user name in the search results, and then click the Account tab.
- Under User logon name, note the domain part of the user logon name. This is known as the UPN suffix.
How to determine the domain suffix for an alternate login ID
On a domain controller or on a computer on which the Windows Server Administration Toolkit is installed, you can use Active Directory Service Interfaces Editor (ADSI Edit) to determine the domain suffix for an alternate login ID. To learn more about how to do this, see Using ADSI Edit to Edit Active Directory Attributes.
If the domain suffix isn't a registered domain, you must either register the domain by using a domain registrar or change the domain suffix of the user to a domain that's registered. This domain suffix must be registered by using a domain registrar before you can verify the domain in Azure AD.
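To apply the Scenario 1 check to every account at once instead of opening each user in Active Directory Users and Computers, the UPN suffixes can be compared against the list of verified domains. This is an added example, not part of the original article; the function name Get-UnverifiedUpnSuffixUser and the sample accounts are hypothetical, and it assumes the UPN (not an alternate login ID) is the sign-in attribute.

```powershell
function Get-UnverifiedUpnSuffixUser {
    [CmdletBinding()]
    param(
        # Objects that expose SamAccountName and UserPrincipalName, such as Get-ADUser output.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]]$User,

        # Names of the domains that are verified in Azure AD.
        [Parameter(Mandatory = $true)]
        [string[]]$VerifiedDomain
    )
    process {
        foreach ($u in $User) {
            $upn = [string]$u.UserPrincipalName   # a null UPN becomes an empty string
            $at  = $upn.LastIndexOf('@')
            if (($at -lt 1) -or ($at -eq ($upn.Length - 1))) {
                # Empty UPN, or no usable "name@suffix" form.
                $suffix = $null
                $reason = 'UPN is missing or has no suffix'
            }
            else {
                $suffix = $upn.Substring($at + 1)
                # -contains compares strings case-insensitively, which suits DNS names.
                if ($VerifiedDomain -contains $suffix) { continue }
                $reason = 'UPN suffix is not a verified domain'
            }
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                UserPrincipalName = $upn
                UpnSuffix         = $suffix
                Reason            = $reason
            }
        }
    }
}

# Constructed sample data so the check can be tried offline.
$sampleVerified = 'contoso.com', 'contoso.onmicrosoft.com'
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@Contoso.com' }
    [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@contoso.local' }
    [pscustomobject]@{ SamAccountName = 'svc01'; UserPrincipalName = $null }
)
$sampleUsers | Get-UnverifiedUpnSuffixUser -VerifiedDomain $sampleVerified | Format-Table -AutoSize

# Live use, after Connect-MsolService and with the ActiveDirectory module loaded:
#   $verified = (Get-MsolDomain -Status Verified).Name
#   Get-ADUser -Filter * | Get-UnverifiedUpnSuffixUser -VerifiedDomain $verified
```

Accounts that this check reports are the ones to fix, or whose domain to verify, before the next sync.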
Scenario 2: The cloud-managed user has a license
To update the UPN of a cloud-managed user who was assigned a license, follow these steps:
- Start the Azure Active Directory Module for Windows PowerShell, and then connect to Azure Active Directory (Azure AD). For more information about how to do this, go to the following Microsoft website:
- Run the following Windows PowerShell cmdlet:
Set-MsolUserPrincipalName -UserPrincipalName [CurrentUPN] -NewUserPrincipalName [NewUPN]
Scenario 3: The domain suffix of the UPN or alternate login ID changed from one federated domain to another federated domain
Follow the steps in the following Microsoft Knowledge Base article:
Changes aren't synced by the Azure Active Directory Sync tool after you change the UPN of a user account to use a different federated domain
The Windows PowerShell commands in this article require the Azure Active Directory Module for Windows PowerShell. For more information, go to the following Microsoft website:
For more information about how to add and verify a domain in Office 365, go to the following Microsoft website:
For more information about how to update other synced attributes, click the following article number to view the article in the Microsoft Knowledge Base:
One or more objects don't sync when using the Azure Active Directory Sync tool
Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums.