User principal name change in AD not syncing to Microsoft

Question

User principal name change in AD not syncing to Microsoft

Sheila 10

We having users changing their last names but experiencing issues with sync from on-premise AD to microsoft.

This post Why does the userPrincipalName not sync from AD to Azure AD like - Microsoft Community is basically what we are experiencing but wondering why and what command exactly to use?

1 answer

Your answer

Answer 1

Harpreet Singh Matharoo 8,396 Microsoft Employee Moderator

Hello @Sheila ,

Thank you for reaching out to Microsoft QnA forum. Historically, updates to the UserPrincipalName attribute using the sync service from on-premises was blocked, From March 2019, synchronizing UPN changes for federated user accounts is allowed. If your AD Connect setup was performed before 2019 there are high chances that Directory Sync Service feature "SynchronizeUpnForManagedUsersEnabled" is set to False. This results in not sync UPN changes from AD to AAD/Entra ID.

For all new deployments, this feature is on by default for newly created Microsoft Entra directories. You can see if this feature is enabled for you by running:

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.Read.All"
$DirectorySync = Get-MgDirectoryOnPremiseSynchronization
$DirectorySync.Features.SynchronizeUpnForManagedUsersEnabled

If this feature isn't enabled for your Microsoft Entra directory, then you can enable it by running:

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"
$SyncUpnManagedUsers = @{ SynchronizeUpnForManagedUsersEnabled = "true" }
Update-MgDirectoryOnPremiseSynchronization -Features $SyncUpnManagedUsers -OnPremisesDirectorySynchronizationId $DirectorySync.Id

After enabling this feature, existing userPrincipalName values remain as-is. On next change of the userPrincipalName attribute on-premises, the normal delta sync on users updates the UPN. Once this feature is enabled, it's not possible to disable it.

For more information on UPN updates please refer following article: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-syncservice-features#synchronize-userprincipalname-updates

Hope this will help. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Sheila 10 Reputation points

2025-01-06T04:57:21.6033333+00:00

Hi Harpreet,

I have checked the settings, and it is set to TRUE. However, after delta sync, the UPN is still not synced through. Anything else I can do?

Thanks, Sheila
Sheila 10 Reputation points

2025-01-06T05:05:19.59+00:00

Hi Harpeet,

Thanks for the info. I have already checked the sync is set to True. And still cant sync UPN using delta sync. Wondering if there's anything else i could try?

Thanks Sheila
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-01-06T10:09:30.4366667+00:00

Hi @Sheila

Thank you for posting your query on Microsoft Q&A.

It seems that the Directory Sync Service feature "SynchronizeUpnForManagedUsersEnabled" is set to True but still you are experiencing issues with sync from on-premises AD to Microsoft while changing UPN.

Please move those accounts to a non-synced OU (out of scope) and run two delta cycles (then the accounts will be soft deleted in AAD).

After running 2 delta cycles then move them back in-scope and run another delta cycle.

Then check whether any change in UPN in AD syncing to Microsoft.

Hope this helps. Do let us know if you have any further queries.

Thanks,

B. Siri Chandana.
Sheila 10 Reputation points

2025-01-06T23:54:56.6+00:00

Hi @Bandela Siri Chandana ,

If I move it to a non-synced OU and move it back to synced, will that affect anything stored in the account?

Thanks,

Sheila
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-01-07T04:29:05.4933333+00:00

Hi @Sheila
Moving a user account from a non-synced Organizational Unit (OU) to a synced OU, and then back to a synced OU, generally won't affect anything stored in the account, this data is soft deleted, allowing for recovery if the object is moved back to a synced OU, it will be eligible for synchronization again. The object will be recreated in Azure AD.

Thanks,

B. Siri Chandana.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-01-08T07:01:48.6533333+00:00

Hi @Sheila
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-01-09T01:23:14.52+00:00

Hi @Sheila
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Sheila 10 Reputation points

2025-01-21T01:30:49.22+00:00

Hi @Bandela Siri Chandana

Thanks for chasing up. We have just tried to create a bunch of new users - which theoretically should be synced to Microsoft without issue. However, on microsoft, it is still showing the UPN as alice@onmicrosoft. Wondering if there's anything else we could try?Thanks, Sheila
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-01-21T06:27:00.1066667+00:00

Hi @Sheila

I understand that still your problem didn't resolve.
Try to run full sync: Start-ADSyncSyncCycle -PolicyType Initial

Follow the document for more information: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/howto-troubleshoot-upn-changes

Hope this helps. Do let us know if you have any further queries.

Thanks,

B. Siri Chandana.

Share via

User principal name change in AD not syncing to Microsoft

1 answer

Your answer