Azure AD synchronization fails after changing the User Principal Name

Sometimes you need to change the User Principal Name (UPN) of a user in your on-prem Active Directory. This is not a change you want to make every day: the UPN is often integrated into applications, so it is best to assess the impact before changing it. If you use a federated identity within Azure AD, changing the UPN has an impact there too: synchronization no longer works correctly. As an administrator you receive the following error message by mail:

This object could not be updated because the Active Directory attribute in Azure [Federated User. UserPrincipalName] is invalid. Update the value in your local directory services.

To fix this you must follow these steps:

  1. Look up the UPN under which the user is known in Azure AD, for example via portal.azure.com. This UPN differs from the UPN in the on-prem AD and from the one in the error e-mail you received.
  2. Start PowerShell, for example on the Azure AD Connect server. The Azure Active Directory PowerShell module must be installed there.
  3. Run the following PowerShell command: Connect-MsolService. Log in with an account that has rights to modify users.
  4. Run the following PowerShell command: Get-MsolUser -UserPrincipalName UPN@AzureAD.nl. UPN@AzureAD.nl is the UPN you looked up in step 1.
  5. Run the following PowerShell command: Set-MsolUserPrincipalName -UserPrincipalName UPN@AzureAD.nl -NewUserPrincipalName UPN@Tenant.onmicrosoft.com. UPN@Tenant.onmicrosoft.com is a temporary UPN. Replace Tenant with the name of your own tenant.
  6. Run the following PowerShell command: Get-MsolUser -UserPrincipalName UPN@Tenant.onmicrosoft.com. This verifies that the UPN change has been applied.
  7. Run the following PowerShell command: Set-MsolUserPrincipalName -UserPrincipalName UPN@Tenant.onmicrosoft.com -NewUserPrincipalName UPN@ADonprem.nl. UPN@ADonprem.nl is the UPN the user has in your on-prem Active Directory. With this step you bring the on-prem Active Directory and Azure Active Directory back in sync with each other.
  8. Run the following PowerShell command: Get-MsolUser -UserPrincipalName UPN@ADonprem.nl. This verifies that the UPN change has been applied.
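Steps 3 to 8 as one script, added here as an example and not part of the original post. It verifies every rename and checks that the ImmutableId (the sync anchor) is unchanged at the end; the hop through the managed onmicrosoft.com domain exists because a federated UPN is not moved directly to another federated domain. The three UPN values are placeholders.

```powershell
# Added example (not from the original post): the UPN repair from steps 3 to 8
# with a verification after each change. Placeholders: replace all three values.
$CloudUpn  = 'UPN@AzureAD.nl'              # UPN as shown in portal.azure.com (step 1)
$TempUpn   = 'UPN@Tenant.onmicrosoft.com'  # temporary UPN in the managed tenant domain
$OnPremUpn = 'UPN@ADonprem.nl'             # UPN the user has in on-prem AD

# Returns the user object or $null without throwing, so callers can test the result.
function Get-UpnUser {
    param([Parameter(Mandatory)][string]$Upn)
    Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
}

# Renames a UPN and verifies that the new name resolves and the old one no longer does.
function Move-UpnWithCheck {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To
    )
    if (-not (Get-UpnUser -Upn $From)) {
        throw "User '$From' not found in Azure AD; refusing to continue."
    }
    Set-MsolUserPrincipalName -UserPrincipalName $From -NewUserPrincipalName $To
    if (-not (Get-UpnUser -Upn $To)) {
        throw "UPN change $From -> $To did not take effect."
    }
    if (Get-UpnUser -Upn $From) {
        throw "Old UPN $From still resolves after the rename; check for a duplicate object."
    }
    Write-Host "OK: $From -> $To"
}

Connect-MsolService   # step 3: sign in with an account allowed to modify users

# Record the ImmutableId (the on-prem objectGUID) so you can prove afterwards that the
# same object was renamed rather than a new one created.
$Before = Get-UpnUser -Upn $CloudUpn
if (-not $Before) { throw "Step 4 failed: $CloudUpn not found." }
$ImmutableId = $Before.ImmutableId

Move-UpnWithCheck -From $CloudUpn -To $TempUpn    # steps 5 and 6
Move-UpnWithCheck -From $TempUpn  -To $OnPremUpn  # steps 7 and 8

$After = Get-UpnUser -Upn $OnPremUpn
if ($After.ImmutableId -ne $ImmutableId) {
    throw "ImmutableId changed during the rename; the sync anchor no longer matches on-prem AD."
}
Write-Host "Done: $OnPremUpn now matches on-prem AD (ImmutableId $ImmutableId)."
```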

The synchronization should no longer produce error messages, and the problem is then solved.
