tenant.onmicrosoft.com values not reflecting local AD and Exchange

Joel Furnari 21

Our environment is hybrid, so I cannot make any changes from the Microsoft 365, Azure or Exchange admin center using powershell or UI so anything that starts with connect-msolservice will not work.

Due to recent security changes we have changed user logins to lfirst1234@tenant .com but their email addresses remain last.first@tenant .com.
Recently we have had a couple of new employees created, when the remote mailbox is enabled (from the local exchange management shell) it should generate the smtp:last.first@tenant .onmicrosoft.com alias instead it is generating lfirst1234@tenant .onmicrosoft.com in the Microsoft 365 Admin centers. This is causing some issues with internal email routing from systems as it is looking for the last.first@tenant .onmicrosoft.com address.

Local user account reads: UPN: lfirst1234@tenant .com
Attribute Editor: Every value reads last.first@tenant .com or tenant.onmicrosoft.com except for the userPrincipalName (last edited value) reads like above.
I have tried manually updating the users "inbox" in the exchange server to add the last.first@tenant .onmicrosoft.com the Sync Service manager is working and attributes are selected in the properties of the connectors but it never reflects the change on the Microsoft 365 Admin Center(s)
Does anyone have any ideas how I can force this change up to my Microsoft cloud environment I would be greatly appreciative. I believe I have tried searching everything my little Google-Fu brain can find but I am at a stand still

Thanks.

risolis 8,701 Reputation points

2022-05-10T18:51:54.7+00:00

Hello @Joel Furnari

Thank you for your post on our Microsoft Q&A space.

I would like to clarify for me all the great details given above... When you stated that you made this change >>> we have changed user logins to lfirst1234@tenant .com but their email addresses remain last.first@tenant .com.

Did you change the domain or just the username? If you changed the domain... Did you register it and it is showing up as green lights?

Are you using Azure AD and on-premises you have your AD server? If that's the case so, Do you have your AD connector for this scenario?

Did you go over the Outlook exchange Admin center or where exactly?

Looking forward to your reply back.

BR,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Joel Furnari 21 Reputation points

2022-05-10T19:10:32.383+00:00

All we did was change the name the user uses to log in because a security initiative having the same log in username as their email address is inherently insecure, domain remains the same.

AD is local and we have a exchange server local but our mailboxes are hosted in O365. It is referred to as a hybrid format. In short we cannot make changes to AD or Exchange from our cloud environment only our local as changes are only made upstream and not down.

In the Microsoft 365 Admin center select the user, on the "Account" tab it shows "aliases" when you click "Manage username and email" I get the primary email address last.first@tenant .com, the username lfirst1234@tenant .com and under aliases lfirst1234@tenant .com and lfirst1234@tenant .onmicrosoft.com

In the exchange admin center, select the user "General" tab and email addresses. Manage email address types and get the same values as the base 365 Admin Center.

If I go to my local Exchange server and edit the user. On the tab that is labeled "email address" I can see the value(s) SMTP last.first@tenant .com and smtp last.first@tenant .onmicrosoft.com
The last.first@tenant .onmicrosoft.com is what I need to push up to the cloud as that value is not represented in "the cloud" environment.
Charles Buckley 0 Reputation points

2023-09-22T04:15:19.8+00:00

This may answer your question:

Microsoft Entra UserPrincipalName population - Microsoft Entra | Microsoft Learn: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/plan-connect-userprincipalname

2 answers

Joel Furnari 21 Reputation points

2022-05-10T19:08:09.347+00:00

All we did was change the name the user uses to log in because a security initiative having the same log in username as their email address is inherently insecure, domain remains the same.

AD is local and we have a exchange server local but our mailboxes are hosted in O365. It is referred to as a hybrid format. In short we cannot make changes to AD or Exchange from our cloud environment only our local as changes are only made upstream and not down.

In the Microsoft 365 Admin center select the user, on the "Account" tab it shows "aliases" when you click "Manage username and email" I get the primary email address last.first@tenant .com, the username lfirst1234@tenant .com and under aliases lfirst1234@tenant .com and lfirst1234@tenant .onmicrosoft.com

In the exchange admin center, select the user "General" tab and email addresses. Manage email address types and get the same values as the base 365 Admin Center.

If I go to my local Exchange server and edit the user. On the tab that is labeled "email address" I can see the value(s) SMTP last.first@tenant .com and smtp last.first@tenant .onmicrosoft.com
The last.first@tenant .onmicrosoft.com is what I need to push up to the cloud as that value is not represented in "the cloud" environment.
Please sign in to rate this answer.

1 person found this answer helpful.
risolis 8,701 Reputation points

2022-05-10T19:33:02.647+00:00

Many thanks for your quick response!

I wonder if this has to be with this relevant note:

Joel Furnari 21 Reputation points

2022-05-10T20:24:59.413+00:00

I was not the one who originally set this up so I am just got in way over my head, so it might be

I am looking at the users attribute editor in AD, and the value "ms-DS-ConsistencyGuid is <not set>. It is also
not a selected attribute in the ADFS Sync Service.

So this article is suggesting that the objectGuid is a good candidate for the ms-DC-ConsstencyGuid and it was part of the initial ADFS sync that may have never been done.

Or am I way off on this?

risolis 8,701 Reputation points

2022-05-10T20:33:35.463+00:00

Nope, you are right!

Joel Furnari 21 Reputation points

2022-05-11T16:07:41.22+00:00

Alright, I reran the Azure AD Connect and it seemed to pick up on the fact that the ms-DS-ConsistencyGUID was not being used. Now there is a value for that in the users AD attribute. Then added the ms-DS-ConsistencyGuid (group) and (user) as directory extensions as attributes to sync with MS Azure AD Connect.

Sync was successful but the initial problem where I cannot get the user(s) account to add the last.first@tenant .onmicrosoft.com as an alias

risolis 8,701 Reputation points

2022-05-11T16:30:09.943+00:00

Hi,

BR,

Joel Furnari 21 Reputation points

2022-05-11T16:37:51.79+00:00

This does not pertain to my situation, I am not having trouble adding an alias to my personal account, I am having trouble adding an smtp alias to a mailbox to push up to Microsoft Online from my local AD environment.

risolis 8,701 Reputation points

2022-05-11T16:44:17.063+00:00

Ok. Are you doing all of this from Active Directory Administrative Center??

BR,

Joel Furnari 21 Reputation points

2022-05-11T19:00:49.78+00:00

I cannot make any of these changes from the Office 365 Admin center because we are a hybrid environment and changes can only be made from the local active directory and or the local exchange client and all changes are pushed up to the cloud upon ADFS sync.

risolis 8,701 Reputation points

2022-05-11T19:05:44.47+00:00

I know this can only made from on-premises since you explained to me but I am referring to this:

The Active Directory Administrative Center (ADAC) in Windows Server includes enhanced management experience features. These features ease the administrative burden for managing Active Directory Domain Services (AD DS).

I hope this is clearer now.

BR,

Joel Furnari 21 Reputation points

2022-05-11T20:18:07.913+00:00

The ADAC is where I am finding the users and the attribute values from above posts.

risolis 8,701 Reputation points

2022-05-12T07:25:25.397+00:00

Ok got it.

Let me double check this set up and get back to you shortly.

Thanks!
Sign in to comment
risolis 8,701 Reputation points

2022-05-11T03:41:40.503+00:00

Hi @Joel Furnari

I am going a follow up about your concern and in case you need additional assistance please let us know.

BR,
Please sign in to rate this answer.

1 person found this answer helpful.
risolis 8,701 Reputation points

2022-05-15T19:02:05.243+00:00

Hello @Joel Furnari

Thanks for your patience for this update.

I have a possible resolution for this concern but I just wanted first to double-confirm some details if it is ok....

-Is this a Azure AD DS or Azure AD being used on Cloud?
-Why did you say that you can not make any chance directly via PowerShell terminal or admin center? Since this keeps me thinking of Azure AD DS
-Did you mentioned previously that you are not using AD connector for replicas to cloud? Please correct me if I am mistaken.
-Do you have an idea if for the Azure AD DS/Azure AD instances there is a license being used?

Looking forward to your feedback,

Best Regards,

Joel Furnari 21 Reputation points

2022-05-16T18:38:22.453+00:00

-Azure is not being used in the cloud, we are on a hybrid system where our AD is local but syncs using Azure AD Sync Services. Our exchange is hosted in the cloud BUT we have a local install of Exchange that is more or less a console for our hosted exchange.

-We cannot make changes to our local AD or Exchange from the online admin center since it only syncs from our local (in house) environment to the cloud. It does not sync in both directions.

-I am not sure with what you are considering a "connector" we did run "Azure AD Connect" application to set up the connection to the cloud, and then created Azure AD Sync Services instances that trigger ever 30 min to update the 365 Admin center

-I am unsure of the licensing question, but I would think we have some sort of license to be using the service(s) that we have been for some time.

Thanks again for your assistance.

risolis 8,701 Reputation points

2022-05-17T08:15:16.307+00:00

Hi,

Many thanks for your answer.

https://social.technet.microsoft.com/wiki/contents/articles/19901.dirsync-list-of-attributes-that-are-synced-by-the-azure-active-directory-sync-tool.aspx >>Check attributes list/Check also for any conditional policy.

https://learn.microsoft.com/en-us/connectors/office365users/ >>> Check the alias/Nickname settings for office365.

https://admin.microsoft.com/adminportal/home?previewoff=false#/modernonboarding/azureadsetup >>> Do you have access to this by any chance? I know you explained this at some moment.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-syncservice-features >>>>> those are the attributes required for replication

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis >>>You can get an idea what syncservice must be needed.

Finally, If I was asking for the license details is because depends on your license that is being used, this can limit the number of object/attributes to replicate to cloud.

Regards,

Joel Furnari 21 Reputation points

2022-05-17T19:59:59.41+00:00

-Attributes that I would think are the ones are being synced, do not see any conditional policy
-Alias and nickname settings are last.first format
-Yes I have full access to the Admin console
-Devicewriteback: False, DirExtentions; True, DuplicateProxyAddressResil: True, DuplicateUPNResil: True, EnableSoftMatchResil: True, PasswordSync: True, SyncUPNForManagers, UnifiedgroupWriteback and UsreWriteback are False.
-We are Office 365 E3 licensed

I was looking around and I did notice something that is very likely related and might simplify my inquiry. I have a user with lets say "davis.betty@keyman .com". All her attributes reflect that name. When she started with the company 6 years ago, her name was boop.betty@keyman .com but changed her name because of marriage. In the Office 365 Management console along with the correct email address davis.betty@keyman .com there is no instance of "smtp:davis.betty@tenant .onmicrosoft.com", just "smtp:boop.betty@tenant .onmicrosoft.com".

So to me it somehow looks like once the username is created and syncs with the cloud creating that "tenant.obmicrosoft.com" as a permanent value which I find hard to believe that MS would be short sighted to do this.

risolis 8,701 Reputation points

2022-05-18T03:34:07.853+00:00

Many thanks for response as well as the heads up given using the example above...
Sign in to comment