When there was a name change in Active Directory (AD), we used to update the Universal Principal Name (UPN) in AD, then separately run the Set-MsolUserPrincipalName command to update Azure AD to the same UPN. Except, it no longer worked – I was now getting an ‘Access Denied’ message.
When trying to update the UPN via the Microsoft 365 admin center, it would correctly advise that the object was homed in AD, so changes needed to be made there. Except, they were, and Azure AD Connect was even reporting that it had seen the update and sent it off to Azure AD, no errors.
After some investigation, I found that there is now an option to allow ‘Synchronize userPrincipalName updates‘ which is off in older tenants. To check and update this:
Get-MsolDirSyncFeatures -Feature SynchronizeUpnForManagedUsers
If it’s $true, you’re already set. If it’s $false, update the value to $true with this command:
Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $true
In my testing, running another Azure AD Sync (both delta and full) did not resolve any already updated UPNs. I had to change the UPNs to a temporary value, sync, then change them back to the original value I wanted, and sync again. The update was instant in Azure AD once the sync had run each time.