When you want to change the user UPN, in certain conditions, this UPN change will not be synchronized to AAD (Office365/Intune/other).. why?
When you have federated domains for Office 365, or rather AAD in general and you want to switch your users from one domain to another, you will notice that that object will replicate anymore to AAD (and thus Office 365). I noticed this a long time ago, and it seems Microsoft now also posted this as a known KB a few weeks ago..
The solution for this is to move your user first to a “managed” domain or the default domain.
Lets say we have 3 domains configured in AAD (O365, Intune, etc)
Rootdomain.nl (Federated)
Forestroot.com (Federated)
AzureInfra.com (Managed)
mydomain.onmicrosoft.com (Managed – built-in)
If your users use: user@rootdomain.nl and need to go to user@forestroot.com, the sync should happen as follows:
1: Set the user UPN in AD to AzureInfra.com OR the local domain (domain.local for example)
2: Perform a sync and ensure that the user UPN indeed changed in AAD (get-msoluser from powershell, or through the portal)
3: Set the user UPN to user@forestroot.com
4: Perform a sync and ensure that the user UPN indeed changed in AAD (get-msoluser from powershell, or through the portal)
When the user UPN needs to change from user@rootdomain.nl to user@azureinfra.com, there is no problem and all should work flawlessly.
So it’s a bit cumbersome going from federated to federated…. but it seems to do the trick.. and all for security 😉
More info on the actual KB.. and also the PowerShell shortcut: https://support.microsoft.com/en-us/help/2669550/changes-aren-t-synced-by-the-azure-active-directory-sync-tool-after-you-change-the-upn-of-a-user-account-to-use-a-different-federated-domain