This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 6%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHV%3C/text%3E%3C/svg%3E)
We currently have two verified domains in our tenant. One is the primary UPN suffix in our onsite Active Directory and is already synchronised with AAD Connect and federated with ADFS.
Now we want to do the same with the second domain - synchronise and federate - but some users have already been created natively in the cloud using this domain as their UPN suffix.
What will happen to their accounts if we set up synchronisation and enable federation for the second domain using AAD Connect now? Will they automatically be directed to our ADFS for login to Office 365 and other services, where they will no longer have a valid account because they don't exist in our on-premises Active Directory? Or will they still be able to sign in as fully cloud native users, with only users synchronised from our onsite directory being redirected to ADFS for login?
In this case, there are 2 things that you would need to keep in mind.
OriginalPrefix + 4DigitNumber @ InitialTenantDomain .onmicrosoft.com
If you want to use the exiting UPN, you would either need to rename or remove the existing cloud accounts before synchronizing the new users with same UPN. Also, the redirection to ADFS will be done on the basis of UPN suffix which means cloud only users will also be redirected to ADFS and won't be able to authenticate in that case. So, the UPN for cloud only users should be either configured to use a custom managed domain or the .onmicrosoft.com domain.
Read more:
Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
Very helpful answer and useful reference articles, thank you very much.
We'll just have to migrate those cloud native users to our onsite Active Directory before federating the UPN, thankfully there aren't too many of them yet.