Federating and synchronising verified domain with existing AAD user accounts

Håvid Asgaut Falch 21 Reputation points
2020-06-05T07:17:48.41+00:00

We currently have two verified domains in our tenant. One is the primary UPN suffix in our onsite Active Directory and is already synchronised with AAD Connect and federated with ADFS.

Now we want to do the same with the second domain - synchronise and federate - but some users have already been created natively in the cloud using this domain as their UPN suffix.
What will happen to their accounts if we set up synchronisation and enable federation for the second domain using AAD Connect now? Will they automatically be directed to our ADFS for login to Office 365 and other services, where they will no longer have a valid account because they don't exist in our on-premises Active Directory? Or will they still be able to sign in as fully cloud native users, with only users synchronised from our onsite directory being redirected to ADFS for login?


Accepted answer
AmanpreetSingh-MSFT 56,486 Reputation points
2020-06-05T07:54:34.623+00:00

    Hi @Håvid Asgaut Falch

    In this case, there are 2 things that you would need to keep in mind.

    1. While federating the second custom domain, you would need to use the -SupportMultipleDomain switch in the cmdlet:
       Convert-MsolDomainToFederated -DomainName your_domain_name -SupportMultipleDomain
    2. If there are existing cloud users that are using the same UPN, there won't be any errors due to the Duplicate Attribute Resiliency feature. The UPN for newly synced users will be generated in the following format:

    OriginalPrefix + 4DigitNumber @ InitialTenantDomain .onmicrosoft.com

    If you want to use the existing UPN, you would either need to rename or remove the existing cloud accounts before synchronizing the new users with the same UPN. Also, the redirection to ADFS will be done on the basis of UPN suffix, which means cloud-only users will also be redirected to ADFS and won't be able to authenticate in that case. So, the UPN for cloud-only users should be configured to use either a custom managed domain or the .onmicrosoft.com domain.

    Read more:


    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

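As an added example (not code from the thread or from Microsoft), this is the pre-check the accepted answer implies before running Convert-MsolDomainToFederated: it lists cloud-only accounts whose UPN suffix is the domain about to be federated, since sign-in for that suffix will be redirected to ADFS and those accounts would be locked out. It assumes the MSOnline module (the same module as the cmdlet in the answer) with an open Connect-MsolService session; the $DomainToFederate parameter and the -RenameToInitialDomain switch are placeholders of this example.

```powershell
# Added example, not from the thread. Assumes: MSOnline module loaded and
# Connect-MsolService already run. $DomainToFederate / -RenameToInitialDomain
# are names chosen for this example.
param(
    [Parameter(Mandatory)][string]$DomainToFederate,
    [switch]$RenameToInitialDomain   # move conflicting cloud-only UPNs to <tenant>.onmicrosoft.com
)

# The domain must be verified and still managed; federating twice is not what we want.
$domain = Get-MsolDomain -DomainName $DomainToFederate
if ($domain.Status -ne 'Verified') { throw "$DomainToFederate is not a verified domain in this tenant." }
if ($domain.Authentication -eq 'Federated') { throw "$DomainToFederate is already federated." }

# Cloud-only = never written by directory sync (LastDirSyncTime is empty).
# After federation every user with this UPN suffix is sent to ADFS, where these
# accounts do not exist, so they must be renamed, removed or migrated first.
$cloudOnly = Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like "*@$DomainToFederate" -and -not $_.LastDirSyncTime }

if ($cloudOnly) {
    Write-Warning ("{0} cloud-only account(s) use @{1}; federating now would lock them out." -f
        @($cloudOnly).Count, $DomainToFederate)
    $cloudOnly | Select-Object UserPrincipalName, DisplayName, WhenCreated | Format-Table -AutoSize

    if (-not $RenameToInitialDomain) { return }   # stop here; let the admin decide

    # Remediation the answer describes: give cloud-only users a UPN on the
    # tenant's initial .onmicrosoft.com domain, which stays managed.
    $initial = (Get-MsolDomain | Where-Object { $_.IsInitial }).Name
    foreach ($u in $cloudOnly) {
        $newUpn = ($u.UserPrincipalName -split '@')[0] + "@$initial"
        Write-Host "Renaming $($u.UserPrincipalName) -> $newUpn"
        Set-MsolUserPrincipalName -UserPrincipalName $u.UserPrincipalName -NewUserPrincipalName $newUpn
    }
}

# No remaining conflicts: federate the second domain alongside the first one.
Convert-MsolDomainToFederated -DomainName $DomainToFederate -SupportMultipleDomain
```

Run it from the ADFS server where Set-MsolADFSContext has been configured, as the conversion cmdlet requires; without -RenameToInitialDomain it only reports and exits, which is the safe first run.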

1 additional answer

Håvid Asgaut Falch 21 Reputation points
2020-06-05T09:47:04.473+00:00

    Very helpful answer and useful reference articles, thank you very much.
    We'll just have to migrate those cloud native users to our onsite Active Directory before federating the UPN, thankfully there aren't too many of them yet.
