This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 45%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKH%3C/text%3E%3C/svg%3E)
I'm trying to convert a user to an Internal Guest for B2B collaboration based on this article:
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/invite-internal-users?source=recommendations
My problem is setting the onPremisesUserPrincipalName attribute to be null.
In AD Connect I created an Outbound rule, with our Azure AD connector, scoped it to a specific user, and added a transformation> Expresssion:onPremisesUserPrincipalName:AuthoratitiveNull:Update
When I preview the change in the Connector Space Object Properties I can see the Data Source AuthoritiveNull on the onPremisesUserPrincipalName attribute with a value of null.
However, the null value never gets applied to the user account in Azure AD.
What am I doing wrong?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Thanks for your post! The article you linked says you'll need to modify the default rule so the onPremisesUserPrincipalName attribute isn’t written to the user object. If it's not synchronized in Azure, the guidelines here show how to create an inbound rule override the value of an existing attribute so that the attribute synchronizes to Azure, as well as how to exclude an attribute from synchronization. I've reached out to the Azure AD Connect team for clarity on this as to me it's unclear how to ensure that UPN value does not attach in Azure.
Re-reading your comment, it looks like you followed the correct instructions to nullify the onpremisesuserprincipalname, but Graph will return shadowUPN if onpremisesuserprincipalname is null by design. You might be able to resolve this by changing the userType from member to guest. Have you already tried to do this?
Hi @Kent Hanna ,
Issue summary
When converting synchronized users from Member type to Guest, the onPremisesUserPrincipalName attribute null value is reflected on premises and in the Connector space preview, but not in Azure AD.
Potential resolution
To synchronize the Guest users, you need to enable the synchronization of UserType. By default, the UserType attribute is not enabled for synchronization because there is no corresponding UserType attribute in the on-premises Active Directory. You need to update it to Guest since it will otherwise be set to Member for synchronized users.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration#enable-synchronization-of-usertype
I'm not fully certain if this will resolve the UPN issue (since Graph will return shadowUPN if onpremisesuserprincipalname is null) but it should at least resolve the conversion issue.
-
If the information helped you, please Accept the answer. This will help us and other community members as well.
Thank you for the response. I will research this further and do some testing.