unable to login using onmicrosoft.com

Jamal Ahmed 1 Reputation point
2022-06-29T14:50:07.257+00:00

Hi
Azure AD is cloud only, user UPN is username@keyman.com
user can login using username@keyman.com but user cannot login using username@X.onmicrosoft.com (xxx.onmicrosoft.com is the issuer domain)

We are planning to move users to a different tenant using same domain name, but we do not want to lose access to the old tenant.

Is there a way a user can login using username@X.onmicrosoft.com, or do we have to create a generic user with global admin rights to login to the tenant?

Thanks

Microsoft Security Microsoft Entra Microsoft Entra ID

3 answers

  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2022-06-29T15:18:36.303+00:00

    Change the UPN in Azure for those users to the onmicrosoft.com one, or create a break-glass Global Admin account and set that to the onmicrosoft.com UPN suffix.


    2 people found this answer helpful.

  2. Wes Brooks 81 Reputation points
    2022-06-29T15:28:06.77+00:00

    Hey @Jamal Ahmed ,
    So if I am understanding the question correctly, you are planning a tenant-to-tenant migration in which you will be migrating the domain (@keyman.com) and users to Newtenant.onmicrosoft.com; however, you want users to still have access to the old tenant (@oldtenant.onmicrosoft.com).

    Before AAD will even let you remove the domain from the current tenant to move it to the new tenant, it will require you to remove all proxy addresses with that domain and change every UPN in your tenant to another currently accepted domain (oldtenant.onmicrosoft.com, for example), as you cannot have one domain under two tenants. So for your cloud-only objects, when you switch the UPN for the users in your old tenant that need access to the tenant under @oldtenant.onmicrosoft.com, make it ******@oldtenant.onmicrosoft.com. They will then be able to login to the old tenant with ******@oldtenant.onmicrosoft.com and (post migration) the new tenant with user@keyman.com. This will require that they have a user object on both tenants. For hybrid synced objects this is more complicated, as the source of authority for these objects is AD on-prem, which you will likely need to point to your new tenant during migration. This has multiple possible resolutions.
    I recommend checking out the Tenant to Tenant Architecture model found here: https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-tenant-to-tenant-migrations?view=o365-worldwide

    If you find this answer helpful remember to mark the question as answered.

    Regards,
    -Wes

    1 person found this answer helpful.
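Both answers above come down to the same staging step: before the custom domain can leave the old tenant, every cloud-only user who still needs that tenant gets a UPN on the tenant's initial *.onmicrosoft.com domain, and any proxy addresses on the custom domain have to go. The script below is an added example written for this thread (not code from either answerer or from Microsoft) that does that staging with the Microsoft Graph PowerShell module. The `$OldDomain` value is a placeholder taken from the question; the `-Apply` switch is the script's own convention, and without it the script only reports what it would change. It also skips hybrid-synced users, since (as Wes notes) those are mastered in on-prem AD and cannot be changed from the cloud side.

```powershell
# Added example, not part of the original thread.
# Stage UPN changes from a custom domain to the tenant's initial
# *.onmicrosoft.com domain ahead of removing the custom domain.
# Requires: Install-Module Microsoft.Graph
param(
    [string]$OldDomain = 'keyman.com',   # placeholder: the custom domain being moved
    [switch]$Apply                        # without -Apply, report only (dry run)
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Domain.Read.All'

# The issuer domain: the tenant's initial xxx.onmicrosoft.com domain.
$initial = (Get-MgDomain | Where-Object { $_.IsInitial }).Id
if (-not $initial) { throw 'No initial onmicrosoft.com domain found in this tenant' }

$users = Get-MgUser -All -Property Id, UserPrincipalName, ProxyAddresses, OnPremisesSyncEnabled

foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if ($upn -notlike "*@$OldDomain") { continue }

    # Hybrid-synced objects are mastered on-prem: change those in AD, not here.
    if ($u.OnPremisesSyncEnabled) {
        Write-Warning "$upn is synced from on-prem AD; skipping"
        continue
    }

    # proxyAddresses on the old domain also block domain removal; report them.
    $blocking = @($u.ProxyAddresses | Where-Object { $_ -like "*@$OldDomain" })
    if ($blocking.Count -gt 0) {
        Write-Warning "$upn still has proxy addresses on ${OldDomain}: $($blocking -join ', ')"
    }

    # Keep the local part, swap the suffix for the initial domain.
    $newUpn = ($upn -split '@')[0] + '@' + $initial
    if ($Apply) {
        Update-MgUser -UserId $u.Id -UserPrincipalName $newUpn
        Write-Output "Changed $upn -> $newUpn"
    } else {
        Write-Output "Would change $upn -> $newUpn"
    }
}
```

Run it once without `-Apply` and review the warnings: every remaining proxy address on the old domain will stop the domain removal, and every synced user listed has to be handled through the on-prem directory instead. The same initial-domain suffix is what a break-glass Global Admin account should carry, so that it keeps working in the old tenant after the custom domain has moved.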

