Fix Wrong Domain for Users Azure Active Directory

I ran into a problem where a user couldn’t sign into Intune, which uses Azure Active Directory to authenticate users.

After checking the user in question on the Azure Active Directory portal, I noticed the domain was wrong:

[Screenshot: the user's account in the Azure Active Directory portal, showing the wrong domain]

The user was being synced from on-premises Active Directory, so I had a look in Active Directory Users and Computers to see what was going on. The user's User Principal Name suffix was set differently from the other users: instead of the proper mydomain.com, it was set to mydomain.local, another valid UPN suffix in the local Active Directory, but not one that Azure Active Directory knew about:

[Screenshot: the user's UPN suffix drop-down in Active Directory Users and Computers, set to mydomain.local]

Because the suffix was not a verified domain in the tenant, Azure Active Directory disregarded it and substituted the tenant's default domain, wrong.onmicrosoft.com. I thought just changing the suffix drop-down from mydomain.local to mydomain.com would fix it, but a forced Azure AD sync cycle reported the change as successfully exported without actually changing the value in the cloud.

I'm going to guess this is by design, as you don't usually want sign-in names changing underneath users. (Later Azure AD Connect builds let you change this behaviour for licensed users with the SynchronizeUpnForManagedUsers directory sync feature; without it, the sync engine leaves the cloud UPN alone.) There is an easy way to change the UPN via PowerShell instead.

Once you've run the standard Connect-MsolService cmdlet (from the MSOnline module), you can use Set-MsolUserPrincipalName to change the user. The full command is:

Set-MsolUserPrincipalName -UserPrincipalName "[email protected]" -NewUserPrincipalName "[email protected]"

Pretty simple, and the change is immediate. Note that -UserPrincipalName is the account's current cloud UPN (after the fallback, that is the wrong.onmicrosoft.com one, not the on-premises value), and -NewUserPrincipalName is the UPN you want it to have.

I then realised there may be other users with the same problem, so I decided to use the Active Directory PowerShell module with this command:

Get-ADUser -Filter 'Enabled -eq $true -and UserPrincipalName -like "*@mydomain.local"' | Select-Object Name, UserPrincipalName

This showed all the enabled users whose UPN suffix was mydomain.local (matching on the suffix rather than on "*local*" avoids picking up names that merely contain the word). As there were only a few, I changed them all one by one with the first command above.

The same check can be run against Azure Active Directory users. Since an unverified suffix is replaced by the default domain there, the useful filter in the cloud is for accounts that ended up on wrong.onmicrosoft.com:

Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like '*@wrong.onmicrosoft.com' } | Select-Object DisplayName, UserPrincipalName, ImmutableId
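Putting the steps above together, here is an added PowerShell example (my own, not code from the original post) that finds every enabled on-premises user with the mydomain.local suffix, corrects the UPN on-prem, and then renames the matching Azure AD account, which will currently be sitting on the tenant's default wrong.onmicrosoft.com domain. It first checks that the target suffix is a verified domain in the tenant, because otherwise the cloud will fall back to the onmicrosoft.com domain again. The domain names are the post's placeholders. The script assumes the MSOnline and ActiveDirectory modules are installed and that Azure AD Connect uses its default objectGUID source anchor, so that a cloud user's ImmutableId is the Base64 form of the on-prem ObjectGUID.

```powershell
<#
 Added example, not the original post's code: bulk-fix UPN suffixes on-prem and in
 Azure AD. Assumes the MSOnline and ActiveDirectory modules are installed and that
 the default objectGUID source anchor is in use (ImmutableId = Base64(ObjectGUID)).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OldSuffix = 'mydomain.local',   # placeholder suffix from the post
    [string]$NewSuffix = 'mydomain.com'      # placeholder suffix from the post
)

Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService                          # prompts for tenant admin credentials

# Azure AD only honours a UPN suffix that is a verified domain in the tenant;
# anything else is replaced with the default <tenant>.onmicrosoft.com domain.
$verified = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    Select-Object -ExpandProperty Name
if ($verified -notcontains $NewSuffix) {
    throw "'$NewSuffix' is not a verified domain in this tenant. Add and verify it before renaming users."
}

# Index the cloud users by ImmutableId once, so each on-prem account can be matched
# without having to guess its current (wrong) cloud UPN.
$cloudByAnchor = @{}
foreach ($u in (Get-MsolUser -All)) {
    if ($u.ImmutableId) { $cloudByAnchor[$u.ImmutableId] = $u }
}

# Match on the suffix only, so a user called 'localhost' or 'Blocal' is not caught.
$filter  = "Enabled -eq `$true -and UserPrincipalName -like '*@$OldSuffix'"
$adUsers = @(Get-ADUser -Filter $filter)
Write-Verbose "Found $($adUsers.Count) enabled on-prem user(s) with suffix $OldSuffix"

foreach ($adUser in $adUsers) {
    $prefix = ($adUser.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$NewSuffix"

    # 1. Fix the on-prem value so the next sync cycle agrees with the cloud.
    if ($PSCmdlet.ShouldProcess($adUser.SamAccountName, "Set on-prem UPN to $newUpn")) {
        Set-ADUser -Identity $adUser -UserPrincipalName $newUpn
    }

    # 2. Locate the synced cloud object via its source anchor.
    $anchor    = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    $cloudUser = $cloudByAnchor[$anchor]
    if (-not $cloudUser) {
        Write-Warning "No Azure AD object for $($adUser.SamAccountName) (ImmutableId $anchor); not synced yet?"
        continue
    }
    if ($cloudUser.UserPrincipalName -eq $newUpn) {
        Write-Verbose "$newUpn is already correct in Azure AD"
        continue
    }

    # 3. Rename in the cloud. The first parameter must be the account's current cloud
    #    UPN (typically prefix@<tenant>.onmicrosoft.com), not the on-prem value.
    if ($PSCmdlet.ShouldProcess($cloudUser.UserPrincipalName, "Rename cloud UPN to $newUpn")) {
        Set-MsolUserPrincipalName -UserPrincipalName $cloudUser.UserPrincipalName `
                                  -NewUserPrincipalName $newUpn
        Write-Output "$($cloudUser.UserPrincipalName) -> $newUpn"
    }
}
```

Save it as a .ps1 file and run it with -WhatIf first to see which accounts would be touched; it skips any account whose cloud UPN is already correct and warns about on-prem users that have no synced cloud object yet.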

Easy!

6 thoughts on "Fix Wrong Domain for Users Azure Active Directory"

  1. Hi Adam

    UPN renaming has been an issue for a while now, the DirSync tool (from DirSync through to AAD Connect) will report it as successful but as you discovered it never completes. The only time it will complete is if the user has never been licensed. If the user has been licensed, UPN changes on prem, DirSync attempts the rename & then you drop the license you will find it will not succeed. Best recourse appears to be similar to yours – powershell!

  2. Hi Patrick,

    My users have sample.k12.tr on Azure & Office 365. Then I installed a Windows 2012 server and created users in on-premises Active Directory. After the DirSync tool, the users' primary e-mail addresses changed to sample.onmicrosoft.com on Azure & Office 365. Why, and how can I fix this problem?

    Thanks.

    1. Hi Mehmet,
      From memory, the accounts will use the same on-prem domain in Office 365 as long as you have that domain added in Office 365 already.

      https://portal.office.com/Domains/DomainManager.aspx is where you can see the domains, you’ll need to make sure sample.k12.tr is listed, and if not, add it from that page.

      Once that’s done, you should be able to change your user’s domain from the onmicrosoft one via the command in the original post.

      Please let us know how you go!

  3. I had the same issue, BUT the command did not work as described.

    This is what worked for us (as it seems, for now):
    Set-MsolUserPrincipalName -UserPrincipalName "[email protected]" -NewUserPrincipalName "[email protected]"

    The actual domain was already registered, so I didn't have the chance to check if I can do that with any kind of domain.

    1. Hi O,
      The first userprincipalname needs to be whatever the account is now before the change, that’s the only difference I can see with your example.
