Intune GPO enrollment for on-prem domain join machines with different on-prem and Azure domain names

Rookie{} 61 Reputation points
2022-04-05T19:01:34.11+00:00

Hey everyone,

We are in the process of implementing Intune in our org. We have an on-prem domain with domainname.corp and an Azure AD domain with domainname.com.

On-prem domain: domainname.corp, domainname.com (alternate domain)
Azure AD domain: domainname.com

Everything has been working fine since this setup, which was a couple of years ago; syncs are happening fine and Azure syncs the users fine with domainname.com as the user's UPN.

We have Intune set up for auto-enrollment, which has been fine so far for new machine setups.

For existing machines which are joined to our on-prem AD domainname.corp, the GPO is set up and it is initiating the join to Azure AD as expected by scheduling the tasks in Task Scheduler.
The issue we are having is the user UPN: users log in to the machine with username@domainname.corp, and the Intune enrollment fails in the process because the UPN does not match Azure.
The solution at the moment is that we need to change the user object in the on-prem AD to use the alternate domain domainname.com, and then the user can log in with that FQDN on the machine.

Would like to know if anyone else is having a similar problem and whether there is a way we can keep the domainname.corp sign-in for the user and still successfully use the GPO to enroll machines.
Thank you in advance for all the help.


1 answer

  1. Crystal-MSFT 46,271 Reputation points Microsoft Vendor
    2022-04-06T01:33:55.38+00:00

    @Rookie{}, for GPO enrollment, one prerequisite is that AzureAdPrt needs to be Yes.
    https://learn.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy#verify-auto-enrollment-requirements-and-settings

    If the on-premises AD users' UPNs are different from your Azure AD UPNs, Windows 10 or newer hybrid Azure AD join provides limited support for on-premises AD UPNs based on the authentication method. We can check whether our scenario is supported.
    https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join

    In some environments, to make AzureAdPrt show Yes, we choose the same method as yours: add the UPN suffix in the on-premises domain to make it work.

    Hope it can help.


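As an added diagnostic that is not part of this thread, the following PowerShell script checks the prerequisites the answer refers to on one machine: it parses `dsregcmd /status` for DomainJoined, AzureAdJoined and AzureAdPrt, compares the signed-in user's UPN suffix with the Azure AD verified domain, and lists the GPO-created enrollment tasks. The expected domain `domainname.com` is the placeholder from the question; the task path under `\Microsoft\Windows\EnterpriseMgmt\` is assumed.

```powershell
# Added example, not code from the thread. Run as the affected user on a
# domain-joined Windows 10+ machine; dsregcmd.exe ships with Windows.
param(
    # Azure AD verified domain the UPN must end with (placeholder from the question).
    [string]$ExpectedAzureDomain = 'domainname.com'
)

# Parse "Key : Value" lines from dsregcmd /status into a hashtable.
$state = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
        $state[$Matches[1]] = $Matches[2]
    }
}

# A hybrid-joined device with a usable PRT shows YES for all three.
$checks = [ordered]@{
    'DomainJoined'  = 'YES'
    'AzureAdJoined' = 'YES'
    'AzureAdPrt'    = 'YES'
}

$ok = $true
foreach ($key in $checks.Keys) {
    $actual = $state[$key]
    $pass = ($actual -eq $checks[$key])
    if (-not $pass) { $ok = $false }
    '{0,-14} expected {1,-4} actual {2,-4} {3}' -f $key, $checks[$key], $actual, $(if ($pass) { 'OK' } else { 'FAIL' })
}

# The enrollment fails when the on-prem UPN suffix (e.g. domainname.corp)
# is not a verified domain in the tenant; compare the suffix directly.
$upn = (whoami /upn)
$suffix = ($upn -split '@')[-1]
if ($suffix -ieq $ExpectedAzureDomain) {
    "UPN suffix '$suffix' matches the Azure AD domain: OK"
} else {
    "UPN suffix '$suffix' does not match '$ExpectedAzureDomain': auto-enrollment will not succeed for this user"
    $ok = $false
}

# Show the enrollment scheduled tasks the GPO creates (assumed path), if present.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State

if (-not $ok) { exit 1 }
```

A non-zero exit code lets the script be used in a bulk pre-check across machines before rolling the enrollment GPO out further.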