Skill 4.1: Prepare on-premises Active Directory for Azure AD Connect
- 11/7/2017
- Azure Active Directory Connect
- Cleaning up existing Active Directory objects
- Using UPN suffixes and non-routable domains
- Planning for filtering Active Directory
- Supporting multiple forests
- Azure AD Connect Sign-on options
Using UPN suffixes and non-routable domains
Prior to performing synchronization between an on-premises Active Directory environment and an Azure Active Directory instance used to support an Office 365 tenancy, you must ensure that all user account objects in the on-premises Active Directory environment are configured with a value for the UPN suffix that is able to function for both the on-premises environment and Office 365.
This is not a problem when an organization’s internal Active Directory domain suffix is a publicly routable domain. For example, a domain name, such as contoso.com or adatum.com that is resolvable by public DNS servers will suffice. Things become more complicated when the organization’s internal active directory domain suffix is not publicly routable. For example, Figure 4-4 shows the adatum346ER.internal non-routable domain.
FIGURE 4-4 Non routable domain
If a domain is non-routable, the default routing domain—for example, adatum346ER.onmicrosoft.com—should be used for the Office 365 UPN suffix. This requires modifying the UPN suffix of accounts stored in the on-premises Active Directory instance. Modification of UPN after initial synchronization has occurred is not supported. This means that you need to ensure that on-premises Active Directory UPNs are properly configured prior to performing initial synchronization using Azure AD Connect.
To add a UPN suffix to the on-premises Active Directory in the event that the Active Directory domain uses a non-routable namespace, perform the following steps:
Open the Active Directory Domains And Trust console and select Active Directory Domains And Trusts.
On the Action menu, click Properties.
On the UPN Suffixes tab, enter the UPN suffix to be used with Office 365. Figure 4-5 shows the UPN suffix of adatum346ER.onmicrosoft.com.
FIGURE 4-5 Non routable domain
Once the UPN suffix has been added in Active Directory Domains And Trusts, you can assign the UPN suffix to user accounts. You can do this manually as shown in Figure 4-6 by using the Account tab of the user’s properties dialog box in Active Directory Users And Computers.
FIGURE 4-6 Configure UPN
You can use tools like ADModify.NET to reset the UPNs of multiple accounts as shown in Figure 4-7.
FIGURE 4-7 ADModify.NET
You can also use Microsoft PowerShell scripts to reset the UPNs of multiple user accounts. For example, the following script resets UPN suffixes of all user accounts in the adatum346ER.internal domain to adatum346ER.onmicrosoft.com.
Get-ADUser -Filter {UserPrincipalName -like "*@adatum346ER.internal"} -SearchBase
"DC=adatum346ER,DC=internal" |
ForEach-Object {
$UPN =
$_.UserPrincipalName.Replace("adatum346.internal","adatum346ER.onmicrosoft.com")
Set-ADUser $_ -UserPrincipalName $UPN
}