Email Attribute No Longer Syncing Properly from On-Prem to Azure AD

Kevin Blair 1 Reputation point
2022-05-17T18:52:35.86+00:00

Trying to figure out an issue.

Previously when syncing from our On-Prem to Azure, a subset of users who have a username with a subdomain name would sync just fine.
E.G.:
On-Prem mail attribute: ******@subdomain.company.com
AAD attribute: ******@subdomain.company.com

However recently, it's now syncing the first half of the mail attribute correctly, but replacing the domain name with the default tenant domain, so that same user goes from:
On-Prem: ******@subdomain.company.com
AAD: jdoe@mathieu.company .onmicrosoft.com

We had a similar issue beforehand where certain products assigned for O365 would change the email attribute. However, most users are not changing and this seems to only affect new users that are being created.

I've tried removing any licenses assigned to the user, deleting them from Azure and re-syncing, and still coming up with the default Azure domain. Any suggestions?


2 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-05-17T22:38:43.237+00:00

    Hi @Kevin Blair ,

    If the users were created in Azure prior to the first sync, AD and Azure will see the users as two different accounts since the GUID will be queried rather than the user name. So if jsmith with a GUID of xxx--yyy-zzz resides on the server and then jsmith with GUID xxx--aaa-bbb gets set to the server, they're going to be seen as two different accounts and since the jsmith username exists, it will create a new one with the onmicrosoft.com domain. Doing a hard match or soft match on the affected users is one way to fix this. See related discussion here where the user was able to resolve this by setting the GUID to immutable ID. See also this explanation of hard matching vs soft matching.

    If the username for your on-prem AD is user@Company portal .local or user@Company portal .xyz and the verified domain that you have added is contoso.com, you would need to add an additional UPN suffix in your on-prem AD (for example, contoso.com) and flip the UPN of all users from user@Company portal .local or user@Company portal .xyz to user@Company portal .com. You can use this script to achieve this.

    I would also recommend checking the MAIL and PROXY attributes in AD. In PROXY, make sure the primary email address has all-caps SMTP: and any other email addresses have lowercase smtp:

    You can use PowerShell to correct this.

    # Sign in to the tenant with the MSOnline module (prompts for Global Admin credentials)
    Connect-MsolService

    # Rename the cloud UPN from the fallback .onmicrosoft.com suffix to the verified custom domain
    Set-MsolUserPrincipalName -UserPrincipalName ******@onmicrosoft.com -NewUserPrincipalName ******@DOMAIN.ABC

    Or you can go to Active Directory Users and Computers > Attribute Editor > proxyaddresses > make sure the email address you want to be their default has SMTP in all capitals - SMTP:******@yourdomain.com

    For the issue not to occur again, you need to make sure to set the domain you want as your primary domain under Azure Active Directory > Custom Domain names > Make primary.

    See related issues:

    Azure AD Connect brings in new accounts defaulting username to @Company portal .onmicrosoft.com
    AD's Primary Email defaults to onmicrosoft in Office365
    AD sync creating onmicrosoft accounts
    .onmicrosoft accounts

    Let me know if any of these steps help.

    Marilee

    -
    If the information provided was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.

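An added audit script (not part of this thread or any Microsoft tooling) that checks the on-prem attributes the answer above discusses before Azure AD Connect picks them up: exactly one upper-case SMTP: entry in proxyAddresses, the mail attribute matching it, the primary address sitting under the verified domain, and a routable UPN suffix. It assumes the ActiveDirectory module is installed; 'contoso.com' and the search base 'OU=Users,DC=contoso,DC=local' are placeholders to replace with your own values.

```powershell
# Added example: audit on-prem users for the attribute problems that make Azure AD
# fall back to the tenant's .onmicrosoft.com domain. Placeholders: 'contoso.com'
# (verified tenant domain) and the -SearchBase OU below.
Import-Module ActiveDirectory

function Test-SyncReadyUser {
    param(
        [Parameter(Mandatory)] $User,                     # object returned by Get-ADUser
        [Parameter(Mandatory)] [string] $VerifiedDomain   # domain verified in Azure AD
    )
    $problems = @()
    $proxies  = @($User.proxyAddresses)

    # Exactly one primary address. -clike is case-sensitive on purpose:
    # 'SMTP:' marks the primary, lowercase 'smtp:' entries are aliases.
    $primary = @($proxies | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $problems += "expected 1 'SMTP:' entry in proxyAddresses, found $($primary.Count)"
    } else {
        $primaryAddr = $primary[0].Substring(5)   # strip the 'SMTP:' prefix
        if ($User.mail -ne $primaryAddr) {
            $problems += "mail '$($User.mail)' does not match primary '$primaryAddr'"
        }
        # Subdomains (user@sub.contoso.com) are fine only if they are also verified in the tenant.
        if ($primaryAddr -notlike "*@$VerifiedDomain" -and $primaryAddr -notlike "*@*.$VerifiedDomain") {
            $problems += "primary '$primaryAddr' is not under verified domain $VerifiedDomain"
        }
    }
    # A non-routable UPN suffix (.local) is replaced by .onmicrosoft.com in the cloud.
    $upnSuffix = ($User.userPrincipalName -split '@')[-1]
    if ($upnSuffix -notlike "*$VerifiedDomain") {
        $problems += "UPN suffix '$upnSuffix' is not a verified domain"
    }

    [pscustomobject]@{
        SamAccountName      = $User.SamAccountName
        Ready               = ($problems.Count -eq 0)
        # Base64 of objectGUID: the value hard matching sets as ImmutableId when
        # objectGUID is the source anchor (assumption; check your Connect config).
        ExpectedImmutableId = [Convert]::ToBase64String($User.ObjectGUID.ToByteArray())
        Problems            = ($problems -join '; ')
    }
}

# Report only the users that would not sync the way you intend.
Get-ADUser -Filter * -SearchBase 'OU=Users,DC=contoso,DC=local' `
           -Properties mail, proxyAddresses, userPrincipalName |
    ForEach-Object { Test-SyncReadyUser -User $_ -VerifiedDomain 'contoso.com' } |
    Where-Object { -not $_.Ready } | Format-Table -AutoSize
```

Run it before a delta sync; a user listed here with a correct-looking primary SMTP: but a stale cloud object is the case where the hard/soft match from the answer applies.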

  2. Kevin Blair 1 Reputation point
    2022-05-23T14:26:30.217+00:00

    Still having this issue. For most of our affected users, I was able to set the proxyAddress to caps with the proper domain we wanted and that fixed the issue.

    However one account is having a persistent issue where no matter what I set their proxyaddress to, it does not seem to sync up to Azure.

    I've deleted their object from Azure many times now, and re-synced, but it always returns back the same way.
