Changing UPN of Federated User in Azure/O365 - using Azure AD V2 PowerShell

Changing UPN of Federated User in Azure/O365 – using Azure AD V2 PowerShell

By Arghya Roy  •  May 23, 2017  •  27071 Views

Changing UPN of Federated User in Azure/O365 – using Azure AD V2 PowerShell

This article is about the new and updated version of PowerShell module V2 used in changing UPN of federated user in Azure/O365. In case you are looking for steps in PowerShell V1, please refer to the article here nicely documented by my colleague.

The mandatory requirement for a user to authenticate to O365/Azure using UPN gives administrators a challenge in changing UPN when all domains are federated. To avoid complexity of login and SSO consideration, best practice is to keep users UPN matching with the User’s Primary SMTP domain. This article will help you understand the workarounds needed with minimum service disruption.

Fundamentally, there are 2 ways to change the UPN of a user if the domain is already federated. We must follow these process to avoid the conventional way of changing UPN, which requires us to un-federate the domain with O365, change UPN and federate the domain back in O365. This will invite some service interruption and will affect all users belonging to the same domain

Install and configure AzureAD V2 PowerShell Module, Versioin 2.0.0.71

  • To check if windows PowerShell has the Azure AD module installed, execute the below command in PowerShell and if it does not return any value, you need to proceed to the installation. Get-Module –Name AzureAD
Changing UPN of Federated User in Azure/O365 - using Azure AD V2 PowerShell
  • Download and save the Azure AD module with the command Save-Module -Name AzureAD -Path <path> -RequiredVersion 2.0.0.71
Changing UPN of Federated User in Azure/O365 - using Azure AD V2 PowerShell
  • Then install the module with the command Install-Module -Name AzureAD -RequiredVersion 2.0.0.71
Changing UPN of Federated User in Azure/O365 - using Azure AD V2 PowerShell
  • Confirm the module type and version.
Changing UPN of Federated User in Azure/O365 - using Azure AD V2 PowerShell
  • Now, to connect to “AzureAD”, execute the command “connect-AzureAD”. Provide the credential of “Global Admin”.
Changing UPN of Federated User in Azure/O365 - using Azure AD V2 PowerShell

Also Read: Okta to Azure AD Migration

Change UPN Method 1:

Execute the command to change the UPN of the target user to unfederated or o365 default domain and then change it back to the required UPN.

PS> Set-AzureADUser -ObjectId “user@currentUPN.com” -UserPrincipalName “user@tenantname.onmicrosoft.com”

PS> Set-AzureADUser -ObjectId ““user@tenantname.onmicrosoft.com” -UserPrincipalName “user@newdomain.com”

An error with the tag line “Property passwordProfile.password value is required but is empty or missing” may occur if the user being synced by “Azure AD Connect” from on-premises AD and the password policies like “Password Complexity Policy” & “Password Expiration Policy” are applied.

Changing UPN of Federated User in Azure/O365 - using Azure AD V2 PowerShell

Hence, to avoid those errors, ensure if there are any password policies for the organization before executing the command. In event of any such policies, then follow “Method 2”.

Change UPN Method 2:

  • If all the domain suffix is federated in AD then we must add another additional UPN suffix
    Use this suffix as an initial domain for the users whose UPN needs to be changed.
  • Start the AD replication with the command “repadmin /syncall /a /p /e /d”
  • Start full synchronization of your ADConnect tool with the command “Start-ADSyncSyncCycle -PolicyType Initial” in “Azure AD Connect”.
  • Ensure the user’s UPN has changed to O365 default domain. i.e. “user@tenantname.onmicrosoft.com”
  • Now change the UPN of the target user in AD into the required UPN.
  • Start the replication with the command “repadmin /syncall /a /p /e /d
  • Start full synchronization to O365 with the command “Start-ADSyncSyncCycle -PolicyType Initial” in “Azure AD Connect”.

Ensure in O365 the UPN has changed for the users in new domain suffix.

1 comment

  1. Thank you VERY much for this. Command worked like a champ. My user had been created in 365, then in AD, then AD connect was installed. As a result, I have two entries for this user in AzureAD. Of course, the REAL one (the one I created in 365, wasn’t the one getting added to a distribution list managed by the server AD.

Leave a comment

Your email address will not be published. Required fields are marked *

Dublin Chamber of Commerce
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Fast Track
Microsoft Partner
Microsoft Fabric
MISA
MISA
Unravel The Complex
Stay Connected

Subscribe and receive the latest insights

Netwoven Inc. - Microsoft Solutions Partner

Get involved by tagging Netwoven experiences using our official hashtag #UnravelTheComplex