Azure AD Connect synchronizes your users’ UPNs and password hashes so that users can sign in with the same credentials they use on-premises. However, Azure AD Connect only accepts a UPN whose suffix is a domain verified in Microsoft 365; because Microsoft 365 identities are managed by Azure AD, a domain verified in Microsoft 365 is also verified in Azure AD. A user whose on-premises UPN suffix is not verified is still synchronized, but their cloud UPN is rewritten to the tenant’s default .onmicrosoft.com suffix, so the sign-in name no longer matches the on-premises one. In other words, the UPN suffix has to be a valid Internet domain (such as .com, .org, .net, .us). If your internal AD DS only uses a non-routable domain (for example, “.local”), it cannot match the verified domain you have for your Microsoft 365 tenant. You can fix this issue either by changing the primary domain of your on-premises AD DS or by adding one or more UPN suffixes.

Prepare for Microsoft Azure Active Directory

Azure Active Directory is needed to perform several configuration steps when installing Microsoft 365. These steps are performed using Windows PowerShell. However, before you can use PowerShell to access Azure AD, you must first install the Windows PowerShell modules that enable you to access Azure AD through PowerShell. In this task, you will prepare for using Azure AD by installing those PowerShell modules.

  1. Open Windows PowerShell by performing the following steps:

    • Select the magnifying glass (Search Windows) icon on the taskbar at the bottom of the screen and type powershell in the Search box that appears.

    • In the menu that appears, right-click on Windows PowerShell and select Run as administrator in the drop-down menu.

  2. In Windows PowerShell, type the following command and then press Enter:

    Install-Module MSOnline

  3. If you are prompted to install the NuGet provider, enter Y to select [Y] Yes, and then press Enter.

  4. If you are prompted to install the module from the untrusted repository PSGallery, enter A to select [A] Yes to All, and then press Enter.

  5. Once the installation is complete, the screen will return to the Windows PowerShell command prompt.

  6. Next, install the Azure AD PowerShell module as well. This is a separate module from MSOnline (installed in step 2), not a second step of that installation:

    Install-Module AzureADPreview

  7. If you are prompted to confirm that you want to execute this command, enter A to select [A] Yes to All.

  8. You have now installed the Windows PowerShell modules required to access Azure AD.

  9. Remain logged into the domain controller VM and keep the Windows PowerShell window open.
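Before touching any UPNs it is worth checking, from the same PowerShell session, which UPN suffixes the forest actually has and which of them the tenant has verified. The script below is an added example and is not part of the original post; it assumes the ActiveDirectory module (RSAT) is available on the domain controller, that you run it as a domain admin, and that Connect-MsolService is answered with a tenant admin account. The Compare-UpnSuffixes function itself is pure and can be run on any two lists. Note that Microsoft has since deprecated the MSOnline module; with the Microsoft Graph PowerShell SDK the equivalent calls are Connect-MgGraph and Get-MgDomain.

```powershell
# Added example (not from the original post): read-only pre-flight check that
# compares the UPN suffixes known to on-premises AD DS with the domains verified
# in the Microsoft 365 tenant. Assumes the ActiveDirectory and MSOnline modules
# are installed and that you run it on a domain-joined machine as a domain admin.
Import-Module ActiveDirectory
Import-Module MSOnline

function Compare-UpnSuffixes {
    param(
        [Parameter(Mandatory)] [string[]] $ForestSuffixes,   # domains + alternative suffixes from Get-ADForest
        [Parameter(Mandatory)] [string[]] $VerifiedDomains   # verified domain names from Get-MsolDomain
    )
    $fs = $ForestSuffixes  | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
    $vd = $VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
    [pscustomobject]@{
        Usable           = @($fs | Where-Object { $vd -contains $_ })     # UPNs on these sync unchanged
        NotVerified      = @($fs | Where-Object { $vd -notcontains $_ })  # e.g. .local: cloud UPN falls back to onmicrosoft.com
        NotYetRegistered = @($vd | Where-Object { $fs -notcontains $_ })  # candidates for Set-ADForest -UPNSuffixes @{add=...}
    }
}

# Live data: Connect-MsolService prompts for tenant admin credentials.
Connect-MsolService
$forest   = Get-ADForest
$suffixes = @($forest.Domains) + @($forest.UPNSuffixes)
$verified = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    Select-Object -ExpandProperty Name
Compare-UpnSuffixes -ForestSuffixes $suffixes -VerifiedDomains $verified

# Tally of suffixes actually in use by user accounts, so you know how many UPNs must change.
Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName } |
    Group-Object { ($_.UserPrincipalName -split '@', 2)[1].ToLowerInvariant() } |
    Select-Object Name, Count
```

Any suffix that shows up under NotVerified is the “.local” problem the post describes; anything under NotYetRegistered is a verified domain you can register as an alternative UPN suffix in the next section.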

Configure your UPN suffix

We can solve the “.local” (local non-routable domain) problem by registering a new UPN suffix or suffixes in AD DS to match the domain (or domains) you verified in Microsoft 365. After you register the new suffix, you update the user UPNs to replace “.local” with the new domain name, so that each user account’s UPN ends in the verified domain instead of the non-routable one.

After you have updated the UPNs to use the verified domain, you are ready to synchronize your on-premises AD DS with Microsoft 365.

One quick and easy way to do this is with PowerShell commands:

1. On one of 51sec.corp’s domain machines, log on as 51sec.corp\Administrator or any other domain admin user.

2. Using Windows PowerShell as administrator, add the verified domain as a UPN suffix for the forest and then rewrite the UPN of every user in AD DS to use it. In the commands below, replace <verified-domain> with the domain you verified in Microsoft 365 for your tenant (51sec is the unique name used in this post; substitute your own). Note that @{replace=...} overwrites the forest’s entire list of alternative UPN suffixes; use @{add="<verified-domain>"} instead if other suffixes must be kept:

Set-ADForest -Identity "51sec.corp" -UPNSuffixes @{replace="<verified-domain>"}

3. Next, type the following command (again replacing <verified-domain>). It builds each new UPN from the sAMAccountName, so any user whose current UPN prefix differs from their sAMAccountName gets a different sign-in name; review the output of Get-ADUser first if that matters in your forest:

Get-ADUser -Filter * -Properties SamAccountName | ForEach-Object { Set-ADUser $_ -UserPrincipalName ($_.SamAccountName + "@<verified-domain>") }

4. The cmdlets above run interactively and do not require any change to the execution policy. If you save them as a .ps1 script instead, the execution policy must allow the script to run. At the Windows PowerShell prompt, type the following command, and then press Enter:

Set-ExecutionPolicy Unrestricted

Unrestricted is broader than this task needs: RemoteSigned allows locally written scripts while still requiring a signature on scripts downloaded from the Internet, and adding -Scope CurrentUser keeps the change from affecting other accounts on the domain controller.
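The two one-liners above do the job, but on a forest with more than a handful of accounts you normally want to see the change list before it is applied. The script below is an added example, not the post’s own commands: it registers the suffix with @{add=...} rather than @{replace=...}, keeps each user’s existing UPN prefix instead of forcing the sAMAccountName, skips accounts that are already on another suffix, and runs Set-ADUser with -WhatIf so nothing is written until you remove that switch. It assumes the ActiveDirectory module and a domain admin session on the DC; the value example.com is a placeholder for your verified domain, not the domain used in the post.

```powershell
# Added example (not from the original post): a safer variant of the bulk UPN change.
# Assumes the ActiveDirectory module and a domain admin session on the domain controller.
# $OldSuffix is the forest's non-routable name; $NewSuffix is a PLACEHOLDER for the
# domain you verified in Microsoft 365. Change both before running.
Import-Module ActiveDirectory

$OldSuffix = '51sec.corp'
$NewSuffix = 'example.com'   # placeholder, not the post's real verified domain

function ConvertTo-VerifiedUpn {
    # Pure function: computes the new UPN for one account, or $null if it should be left alone.
    param([string] $Upn, [string] $Sam, [string] $Old, [string] $New)
    # Keep the existing prefix when there is one; fall back to sAMAccountName only
    # for accounts that have no UPN at all.
    $prefix  = if ($Upn) { ($Upn -split '@', 2)[0] } else { $Sam }
    $current = if ($Upn) { ($Upn -split '@', 2)[1] } else { $null }
    if ($current -and $current -ne $Old) { return $null }   # already on a different suffix (-ne is case-insensitive)
    return "$prefix@$New"
}

# 1. Register the suffix with add= (replace= would drop every other alternative suffix).
Set-ADForest -Identity (Get-ADForest).Name -UPNSuffixes @{add = $NewSuffix}

# 2. Build the change list for enabled users still on the old suffix.
$changes = Get-ADUser -Filter 'Enabled -eq $true' -Properties SamAccountName, UserPrincipalName |
    ForEach-Object {
        $new = ConvertTo-VerifiedUpn -Upn $_.UserPrincipalName -Sam $_.SamAccountName -Old $OldSuffix -New $NewSuffix
        if ($new -and $new -ne $_.UserPrincipalName) {
            [pscustomobject]@{ Dn = $_.DistinguishedName; Old = $_.UserPrincipalName; New = $new }
        }
    }

# 3. Dry run: print the plan, then apply. Remove -WhatIf only after reviewing the table.
$changes | Format-Table Old, New -AutoSize
foreach ($c in $changes) {
    Set-ADUser -Identity $c.Dn -UserPrincipalName $c.New -WhatIf
}
```

Keeping the prefix rather than rebuilding the UPN from sAMAccountName matters because the UPN is the sign-in name users already know; a forest where jsmith has the UPN john.smith@51sec.corp would otherwise end up with jsmith@example.com after the post’s one-liner.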

Another way is through the AD administration tools:

Step 1: Add the new UPN suffix

  1. On the AD DS domain controller, in the Server Manager choose Tools > Active Directory Domains and Trusts.

    Or, if you are on a release older than Windows Server 2012 that has no Server Manager:

    Press Windows key + R to open the Run dialog, and then type in Domain.msc, and then choose OK.

    Choose Active Directory Domains and Trusts.

  2. In the Active Directory Domains and Trusts window, right-click Active Directory Domains and Trusts, and then choose Properties.

    Right-click Active Directory Domains and Trusts and choose Properties

  3. On the UPN Suffixes tab, in the Alternative UPN Suffixes box, type your new UPN suffix or suffixes, and then choose Add > Apply.

    Add a new UPN suffix

    Choose OK when you’re done adding suffixes.

Step 2: Change the UPN suffix for existing users

  1. On the AD DS domain controller, in the Server Manager choose Tools > Active Directory Users and Computers.

    Or, if you are on a release older than Windows Server 2012 that has no Server Manager:

    Press Windows key + R to open the Run dialog, and then type in Dsa.msc, and then click OK

  2. Select a user, right-click, and then choose Properties.

  3. On the Account tab, in the UPN suffix drop-down list, choose the new UPN suffix, and then choose OK.

    Add new UPN suffix for a user

  4. Complete these steps for every user.

Verify through Azure AD Users
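Once Azure AD Connect has run, the thing to verify on the cloud side is that no synchronized account was pushed onto the tenant’s default .onmicrosoft.com suffix, which is what happens to a user whose on-premises UPN suffix was not verified. The script below is an added example and not part of the original post. It assumes the MSOnline module and a tenant admin account; the Find-FallbackUpn function is pure and is first shown on constructed sample users (contoso.onmicrosoft.com and verified.example are placeholders) before being pointed at the real tenant.

```powershell
# Added example (not from the original post): post-sync check in Azure AD that
# every directory-synced user kept a UPN on a verified domain. Assumes the MSOnline
# module and a tenant admin account. A synced user whose UPN suffix equals the
# tenant's default *.onmicrosoft.com domain had an unverified suffix on-premises.
Import-Module MSOnline

function Find-FallbackUpn {
    # Pure function over user objects so the rule can be checked on sample data.
    param(
        [Parameter(Mandatory)] [object[]] $Users,         # need UserPrincipalName and ImmutableId
        [Parameter(Mandatory)] [string]   $DefaultDomain  # the tenant's default domain name
    )
    $Users |
        Where-Object { $_.ImmutableId } |   # ImmutableId is set only on directory-synced accounts
        Where-Object { ($_.UserPrincipalName -split '@', 2)[1] -ieq $DefaultDomain } |
        Select-Object UserPrincipalName, ImmutableId
}

# Constructed sample data (placeholders, not a real tenant) to show the rule:
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@verified.example';        ImmutableId = 'AAAA' }   # fine
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.onmicrosoft.com';   ImmutableId = 'BBBB' }   # flagged
    [pscustomobject]@{ UserPrincipalName = 'admin@contoso.onmicrosoft.com'; ImmutableId = $null }   # cloud-only, ignored
)
Find-FallbackUpn -Users $sample -DefaultDomain 'contoso.onmicrosoft.com'   # returns only bob

# Live check against the tenant (Connect-MsolService prompts for credentials):
Connect-MsolService
$default = (Get-MsolDomain | Where-Object { $_.IsDefault }).Name
Find-FallbackUpn -Users (Get-MsolUser -All) -DefaultDomain $default
```

An empty result from the live call means every synced user landed on a verified domain; any user listed still has a .local (or other unverified) suffix on-premises and needs the UPN change from the previous sections before the next sync cycle.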


from Blogger

By Jon
