Setting up on-premise User UPN with 2 x Azure Tenants in use

Mark 20 Reputation points
2025-04-17T10:00:57.8366667+00:00

Hi All

I have been tasked with implementing an Azure hybrid cloud solution to host most of the on-premises servers, with the exception of a few that need to be locally hosted.

The company has recently split and 2 sites, that were one company, are now separate companies but share an M365 email and Azure tenant used for shared services.

We have 2 x Azure tenants, let's call them "Tenant A" and "Tenant B".

Tenant A - Is the original tenant that was shared across both sites and handles M365 applications, licenses etc. Let's say the domain used for M365 email is:

@oldcompany.com

Tenant B - Is the newly created Azure tenant to be used to host the on-premises servers and business applications for one of the split companies in a hybrid model and currently uses the default domain let's say:

@new.onmicrosoft.com - Currently there are no custom domains set up.

A landing zone has already been deployed in "Tenant B" to facilitate the server migrations and future cloud adoption for moving forward. I have also created a new ADConnect server to sync on-premises AD to Entra AD in Tenant B.

The on-premises site uses a non-routable domain for its AD, let's call it "onprem.local".

The user accounts all have a UPN of their mailbox on Tenant A (oldcompany.com), although I have now added a UPN suffix of "@new.onmicrosoft.com" but not assigned it to any user accounts as yet.

My question is:

If I was to apply the "@new.onmicrosoft.com" (Tenant B) UPN to all users to replace "@oldcompany.com", how would this affect the user email accounts that use "@oldcompany.com" M365 email addresses and MS Office applications hosted in Tenant A?

If there is a better solution to this then please advise, as I welcome any suggestions and advice.

Many thanks

M


Accepted answer
    Alex Burlachenko 10,255 Reputation points
    2025-04-17T12:54:09.3966667+00:00

    Hi Mark,

    Thank you for providing such a detailed overview of your scenario. Your situation is complex but manageable.

    Direct Answer to Your Question is if you change the on-premises UPN from @oldcompany.com to @new.onmicrosoft.com (Tenant B) while keeping email in Tenant A (@oldcompany.com):

    Email & M365 (Tenant A) Will Continue Working. Email addresses are controlled by the proxyAddresses attribute in Azure AD, not the UPN. Users will still log in to M365 (Tenant A) with @oldcompany.com, but their on-premises login (and Tenant B sync) will use @new.onmicrosoft.com.

    Potential Issues could be an authentication confusion. Users may be prompted for @oldcompany.com (M365) vs. @new.onmicrosoft.com (local/on-prem apps).

    Conditional Access/SSO Conflicts: If policies in Tenant A enforce UPN matching, hybrid workflows may break.

    Licensing/Group Assignments: If scripts or policies rely on UPNs, updates may be needed.

    If it's possible, avoid @onmicrosoft.com UPNs.

    Instead of using @new.onmicrosoft.com, follow this approach Add a Custom Domain to Tenant B (e.g., @newcompany.com). Register a new public domain (e.g., newcompany.com) and verify it in Tenant B. Set this as the primary UPN suffix in on-prem AD (******@newcompany.com).

    Sync to Tenant B with the new UPN (@newcompany.com). Keep @oldcompany.com as an alias (in proxyAddresses) for email in Tenant A.

    As a result, users log in to:

    Tenant A (M365): ******@oldcompany.com (email unchanged).

    Tenant B (Hybrid Apps): ******@newcompany.com (clean separation).

    No conflicts, no onmicrosoft.com dependencies.

    rgds,

    Alex

    P.S. If my answer helped you, please Accept my answer

    1 person found this answer helpful.
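The on-premises AD side of the approach Alex describes (register the custom suffix, re-suffix the UPNs, keep the Tenant A mailbox address in proxyAddresses), as an added example that is not part of the thread. The domain names, the OU path and the `$WhatIf` switch are assumptions; it expects the RSAT ActiveDirectory module on a domain-joined admin host, and Entra Connect in Tenant B picks the changed UPNs up on its next sync.

```powershell
# Added example, not from the thread. Placeholders: oldcompany.com / newcompany.com
# and the OU path. Runs in preview mode until $WhatIf is set to $false.
Import-Module ActiveDirectory

$OldSuffix  = 'oldcompany.com'                 # mailbox domain that stays in Tenant A
$NewSuffix  = 'newcompany.com'                 # custom domain verified in Tenant B (assumed)
$SearchBase = 'OU=Users,DC=onprem,DC=local'    # assumed OU holding the users to re-suffix
$WhatIf     = $true                            # preview first; set to $false to apply

# 1. The suffix must exist on the forest before any UPN can use it.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $NewSuffix} -WhatIf:$WhatIf
}

# 2. Only touch users still on the old UPN; mail and proxyAddresses stay as they are.
$users = Get-ADUser -Filter "userPrincipalName -like '*@$OldSuffix'" `
    -SearchBase $SearchBase -Properties userPrincipalName, mail, proxyAddresses

foreach ($u in $users) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$NewSuffix"

    # Guard: a UPN must be unique in the forest, or sync will flag a conflict.
    if (Get-ADUser -Filter "userPrincipalName -eq '$newUpn'") {
        Write-Warning "$newUpn already exists; skipping $($u.SamAccountName)"
        continue
    }

    # Guard: the Tenant A address must remain the primary SMTP proxy address
    # ("SMTP:" upper-case marks the primary) so the mailbox keeps its identity.
    if (-not $u.mail) {
        Write-Warning "$($u.SamAccountName) has no mail attribute; skipping"
        continue
    }
    $primary = "SMTP:$($u.mail)"
    if ($u.proxyAddresses -cnotcontains $primary) {
        Set-ADUser -Identity $u -Add @{proxyAddresses = $primary} -WhatIf:$WhatIf
    }

    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:$WhatIf
    Write-Output "$($u.SamAccountName): $($u.UserPrincipalName) -> $newUpn (mail stays $($u.mail))"
}
```

Run it once with `$WhatIf = $true` and read the preview lines before applying; the output lists, per user, the old UPN, the new UPN and the mailbox address that is left unchanged.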
