Azure AD Connect with .local domain

Adam 21 Reputation points

I am having trouble synchronizing my Azure AD domain with the on-premise .local domain. I am trying to accomplish this with the Azure AD Connect app. I added UPN suffix to Windows Server that match my domain but it is not visible in part of installation called "Azure AD sign-in" It shows that Active Directory UPN Suffixes are "Not Added" to Azure AD Domain I've seen it should show "Verified". Does somebody know how to fix this issue.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,368 questions
0 comments No comments
{count} votes

Accepted answer
  1. Siva-kumar-selvaraj 15,546 Reputation points

    Hello @Adam-4611,

    This behavior is expected because Azure AD Connect only synchronizes users to domains that are verified by Azure AD and you can't use <domainname> for synchronization.

    The domain has to be a valid Internet domain (such as, .com, .org, .net, .us). Therefore, use different name other than for your organization which you can buy it from Domain Name providers (like: GOdaddy).

    If you have plan to buy a new domain in later sometime, then no need to add UPN suffixes as and just proceed further by selecting "Continue without matching all UPN suffixes to verified domain" option as show below, so any UPN that contains a non-routable domain, such as ".local" (example: billa@Company portal .local), will be synchronized to an domain (example: billa@Company portal


    Once you add and verify the domain in Azure AD then you can add same name as UPN suffixes in local AD and update to user that suffix name so that Azure AD connect sync updated all synchronized with new suffix name.

    More information:

    Hope this helps.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Andy David - MVP 140.8K Reputation points MVP

    You wouldnt add the domain to on-prem AD. You would add a custom domain that you have verified in Azure, then set that new domain as the UPN suffix for users on-prem:

    1 person found this answer helpful.
    0 comments No comments

  2. Adam 21 Reputation points

    Thanks for these answers, I got it working. However, I have some questions, will adding UPN suffixes break stuff? For example, we have an external email server outside our domain, email is configured so it has the same domain as my Microsoft Organization AND UPN suffix, so will users connected to the domain still be able to send emails? Also, I have a problem with users that were invited to my organization but now joined it. They have #EXT# inside their UPN so is it possible to change them somehow to be synchronized as well as different users? Or at least create new users and transfer all Office and Teams data to it from these "#EXT#" users.