This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 0%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES2%3C/text%3E%3C/svg%3E)
Hello Team,
I hope you all are doing good.
As we know when we need to change the UPN of Synced User from Azure AD, we can change it through the command Set-MsolUserPrincipalName but can we block this command to change the UPN of synced users only i.e. admin should change the UPN from on-premises only for synced users, is it possible?
Regards,
Shashank Saxena
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi @Anonymous
Do suggestions above help?
If you have any questions or needed further help on this issue, please feel free to post back.
You wont be able to prevent an admin with the correct permissions from running that command. If there is a reason you do want that ability you will just have to make a policy but no real way to enforce other than removing accounts from the elevated roles that have the permission to make that change
Thanks @Andy David - MVP for the response and sorry for the delayed response.
Don't we have anything through RBAC to limit those changes?