AD Connect rules?

Deni Beslic 21 Reputation points
2021-02-14T17:22:57.517+00:00

Hi, I need to create an AD Connect rule and I need some help with it. We have in our environment a non-routable domain, let's call it contoso.local, and we would like users from that domain to have the UPN suffix contoso.com in Azure AD (we have our own verified domain). So we need to create a rule that would sync all users from the AD UPN contoso.local to the Azure AD UPN contoso.com. I am not sure if we need a second rule for a second custom domain which is routable on-prem and whose UPN suffix is added to Azure AD. For example, we have fabrikam.com on-prem and in Azure AD (the same forest as the previous one). Or will that just sync by default since the UPN suffixes are the same?

Thank you,


Accepted answer
  1. Siva-kumar-selvaraj 15,666 Reputation points
    2021-02-16T13:49:04.767+00:00

    Hello @Deni Beslic ,

    Thanks for reaching out.

    When you synchronize your on-premises directory with Azure AD, you have to have a verified domain in Azure Active Directory (Azure AD). Only the User Principal Names (UPNs) that are associated with the on-premises Active Directory Domain Services (AD DS) domain are synchronized. However, any UPN that contains a non-routable domain, such as ".local" (example: billa@contoso.local), will be synchronized to an .onmicrosoft.com domain (example: billa@contoso.onmicrosoft.com).

    If you currently use a ".local" domain for your user accounts in AD DS, it's recommended that you change them to use a verified domain, such as billa@contoso.com, in order to properly synchronize with your Azure AD verified domain.

    Alternatively, you could set your verified domain as Primary in Azure AD, for example contoso.com. Every user that has the domain contoso.local is then updated to contoso.com while synchronizing to Azure AD. This is a very involved process, and this setting won't influence the existing accounts that were synchronized to Azure AD in the past. However, an easier solution is described in the following section.

    In the Azure AD Domains section, you can verify the current PRIMARY DOMAIN.


    In addition, if an on-premises second custom domain, for example fabrikam.com, which is routable on-prem, is added and verified in Azure AD, then users will just sync by default since the UPN suffixes are the same.

    For more information: https://learn.microsoft.com/en-us/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization?view=o365-worldwide

    ------------------------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

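The accepted answer recommends moving accounts off the non-routable ".local" suffix onto a verified domain before synchronizing. The following PowerShell is an added example (not code from the question, the answer, or Microsoft): it audits which UPN suffixes are in use on-premises, flags the ones that would fall back to .onmicrosoft.com, checks that the target suffix is registered in the forest, and previews the rewrite with -WhatIf. The verified-domain list, the contoso.local to contoso.com mapping and the search base OU are assumptions chosen to match the question; adjust them to your forest.

```powershell
# Added example, not part of the original Q&A. Requires the ActiveDirectory
# RSAT module and an account allowed to read (and, for step 3, modify) users.
Import-Module ActiveDirectory

# Assumed values for illustration: domains verified in Azure AD, the
# non-routable -> verified mapping, and the OU to audit.
$VerifiedDomains = @('contoso.com', 'fabrikam.com')
$SuffixMap       = @{ 'contoso.local' = 'contoso.com' }
$SearchBase      = 'OU=Users,DC=contoso,DC=local'

# 1. Audit: which UPN suffixes exist, and which would sync to .onmicrosoft.com?
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName |
         Where-Object { $_.UserPrincipalName }   # skip accounts with no UPN set

$report = foreach ($u in $users) {
    # Split on the first '@' only; the suffix is everything after it.
    $localPart, $suffix = $u.UserPrincipalName -split '@', 2

    # A suffix that is verified in Azure AD syncs as-is; anything else falls
    # back to the tenant's .onmicrosoft.com domain (comparison is case-insensitive).
    $routable  = $VerifiedDomains -contains $suffix
    $targetUpn = $null
    if ($SuffixMap.ContainsKey($suffix)) {
        $targetUpn = '{0}@{1}' -f $localPart, $SuffixMap[$suffix]
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $u.UserPrincipalName
        Suffix         = $suffix
        Routable       = $routable
        TargetUPN      = $targetUpn
    }
}

# Summary per suffix, then the accounts that need attention.
$report | Group-Object Suffix | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { -not $_.Routable } |
    Format-Table SamAccountName, UPN, TargetUPN -AutoSize

# 2. The target suffix must be an alternative UPN suffix of the forest before
#    Set-ADUser will accept it. Warn rather than change forest config here.
$forestSuffixes = (Get-ADForest).UPNSuffixes
foreach ($target in ($SuffixMap.Values | Sort-Object -Unique)) {
    if ($forestSuffixes -notcontains $target) {
        Write-Warning ("UPN suffix '{0}' is not registered in the forest. " +
                       "Add it with: Set-ADForest -UPNSuffixes @{{Add='{0}'}}" -f $target)
    }
}

# 3. Remediate only the accounts with a mapped suffix. -WhatIf previews the
#    change; remove it once the audit output looks right.
$report | Where-Object { $_.TargetUPN } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.TargetUPN -WhatIf
}
```

Run the audit first on its own and keep the report: the accounts still showing Routable = False after remediation are the ones that will land on .onmicrosoft.com, which is where sign-in problems surface after the next sync cycle. Rewriting a UPN on-premises also changes what users type to sign in, so coordinate the change with the affected users before removing -WhatIf.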
