How to change domain name embedded in guest UPNs?

Rand Scullard 21 Reputation points
2021-03-02T15:17:55.08+00:00

When I first set up my Azure Active Directory tenant, Azure made me choose an initial domain name based on onmicrosoft.com, for example contosoorg.onmicrosoft.com. The help text says "By default, a basic domain name at 'onmicrosoft.com' is included with your directory. Later, you can add a domain name that your organization already uses, such as 'contoso.com'." Because of this, I didn't think the initial domain name would be a big deal. Once I set up the tenant, I configured a custom domain name, for example contoso.com. I set the primary domain name of my AAD tenant to the new custom domain name. Everything seemed to be working fine.

Then I started inviting guest users. Each one that I have invited got assigned a UPN that looks like this: john.doe_somecompany.com#EXT#@contosoorg.onmicrosoft.com. Note that AAD is still embedding the initial domain name in the UPN instead of the primary domain name.

This is not causing any problems with functionality, but the oddball domain name has been noticed and I've been asked whether we can change this. Now would be the time to do it since we are just testing and have not rolled out the tenant to actual users. Anyone know if there is a way to change the domain name that AAD uses to generate UPNs?

Microsoft Entra ID

Accepted answer
  1. Vasil Michev 94,836 Reputation points MVP
    2021-03-02T18:55:07.17+00:00

    It should be using the default name, but it really doesn't matter. Those users do not authenticate against your Azure AD tenant, so the domain part of the UPN makes no difference. If needed, you can change it via PowerShell, but again, why bother.

    Set-MsolUserPrincipalName -UserPrincipalName "aaaaaaaaaaa#EXT#@domain.onmicrosoft.com" -NewUserPrincipalName "aaaaaaaaaaa#EXT#@domain.com"
    

3 additional answers

  1. Laurent MARTINET 6 Reputation points
    2021-07-13T15:58:07.613+00:00

    This point matters because when you have to map the UPN to a third-party application for SSO, and the third-party application does not know the domain #EXT#@tenant.onmicrosoft.com, then the authentication fails.
    I tried to rename the account using the PowerShell command, but as expected, I got this result:

    Set-MsolUserPrincipalName : Unable to update this user because the user principal name provided is not on a verified domain.

    For other reasons, I cannot map the email address in my SSO "User Attributes & Claims" and I am stuck with this weird domain name. The third-party application is Salesforce.
    If anybody has a trick for that, I would appreciate it!

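As an added example (not code from any of the posters), the following PowerShell script covers both the single rename in the accepted answer and the "not on a verified domain" failure above: it first checks that the target domain is verified in the tenant, then renames every guest UPN from the initial onmicrosoft.com domain to that domain. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the $InitialDomain and $TargetDomain values are placeholders for your own tenant's domains.

```powershell
# Added example: bulk-rename guest UPNs from the initial *.onmicrosoft.com domain
# to a verified custom domain using the MSOnline module.
# Assumes Connect-MsolService has been run; both domain names are placeholders.
param(
    [string]$InitialDomain = 'contosoorg.onmicrosoft.com',
    [string]$TargetDomain  = 'contoso.com',
    [switch]$WhatIf
)

# Set-MsolUserPrincipalName rejects any UPN whose domain is not verified in the
# tenant, so check that up front instead of failing on every guest.
$domain = Get-MsolDomain -DomainName $TargetDomain -ErrorAction SilentlyContinue
if (-not $domain -or $domain.Status -ne 'Verified') {
    throw "Domain '$TargetDomain' is not a verified domain in this tenant."
}

# Guest accounts have UserType 'Guest' and carry '#EXT#' in the UPN, e.g.
# john.doe_somecompany.com#EXT#@contosoorg.onmicrosoft.com
$guests = Get-MsolUser -All | Where-Object {
    $_.UserType -eq 'Guest' -and
    $_.UserPrincipalName -like "*#EXT#@$InitialDomain"
}

foreach ($g in $guests) {
    # Keep the prefix (including '#EXT#') and swap only the domain part.
    $prefix = $g.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$TargetDomain"

    if ($WhatIf) {
        Write-Output "Would rename $($g.UserPrincipalName) -> $newUpn"
        continue
    }
    try {
        Set-MsolUserPrincipalName -UserPrincipalName $g.UserPrincipalName `
                                  -NewUserPrincipalName $newUpn -ErrorAction Stop
        Write-Output "Renamed $($g.UserPrincipalName) -> $newUpn"
    } catch {
        # Report and keep going so one bad account does not abort the run.
        Write-Warning "Failed to rename $($g.UserPrincipalName): $($_.Exception.Message)"
    }
}
```

Run it once with -WhatIf to review the planned renames before changing anything.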

  2. Rand Scullard 21 Reputation points
    2021-03-02T19:53:13.593+00:00

    OK, I was able to change it via PowerShell - thanks! (The answer to "why bother" is that now I can answer the person who asked, and save myself some trouble...)

    I would still like it to generate the UPN with the correct domain name. This current behavior seems like a bug in Azure.


  3. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2021-03-03T05:12:03.413+00:00

    @Rand Scullard The current behavior is by design from the Azure AD side and is not a bug actually. The user principal name (UPN) of the guest user account uses a prefix derived from the invitee's email address, combined with the tenant's initial domain—for example: prefix#EXT#@tenant.onmicrosoft.com

    I can see that @Vasil Michev has already answered your query, please accept his response as answer if it helped you so that it can benefit someone who is coming to this post in future.
