2020 Sep 28

UPN Suffix Change for the Required Users

Sometimes you need to change the UPNs of your users, either to prepare for the sync with Azure AD or for some other reason – it's good to be compliant with the 21st century.

It is good practice to change the UPN when you are moving towards an Azure environment. I will not describe the synchronization between on-prem AD and Azure AD yet; this post is only about the requirement that all the required people are switched from the UPN suffix they have (for example, domain.local) to the new one, specifically configured for your company's tenant (for example, domain.com).

In a hybrid environment it might be useful to base the synchronization on OUs. With a security group you might have trouble getting everything synced correctly and managed easily: the Azure AD Connect synced group doesn't support group inheritance, and nested groups will not make it into the sync. You should have OUs specifically for the users and devices you want to have in Azure; everything else is skipped (service accounts, devices that don't need a presence in Azure, etc.).

In our case we still had a test group for this move at the time the script was executed; it was also used to determine some other access and permissions (password policies, for example). So the command looked like this:

Get-ADGroupMember "Group" | ?{ $_.objectClass -eq "user" } | %{ $UserObj = Get-ADUser $_; $OldUPN = $UserObj.UserPrincipalName; if ($OldUPN -like '*@domain.local') { $NewUPN = $OldUPN -replace '@domain\.local$','@domain.com'; Set-ADUser $UserObj -UserPrincipalName $NewUPN } }

In this case we have an AD group with the mysterious name "Group"; you can choose whatever you want, of course.

After that we go through each user in the group, take the UPN, replace the "domain.local" part of it with the "domain.com" suffix, and then set the new, changed UPN on the same user.

If you want to filter the users by OU instead, you can use the command below:

Get-ADUser -Filter * -SearchBase "OU=O365,OU=Users,DC=domain,DC=local" | %{ $UserObj = $_; $OldUPN = $UserObj.UserPrincipalName; if ($OldUPN -like '*@domain.local') { $NewUPN = $OldUPN -replace '@domain\.local$','@domain.com'; Set-ADUser $UserObj -UserPrincipalName $NewUPN } }

The OU is up to you to determine: you might have a special one specifically for Azure, or another one for the accounts that are not synced (believe it or not, some service accounts need to have the *.local UPN suffix).

To execute the command, run it with a privileged account (for example, your domain admin).
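
One way to rehearse the suffix change before applying it, as an added example that is not part of the original post: it builds a reviewable plan, flags UPN collisions and accounts with no matching suffix, and keeps the old/new mapping for rollback. The function name Get-UpnChangePlan, the sample accounts and the file upn-plan.csv are assumptions; the suffixes and the OU are the post's own examples.

```powershell
# Added example. Get-UpnChangePlan, the sample accounts and upn-plan.csv are hypothetical.
function Get-UpnChangePlan {
    param(
        [Parameter(Mandatory)] [object[]] $Users,      # need SamAccountName, UserPrincipalName
        [Parameter(Mandatory)] [string]   $OldSuffix,
        [Parameter(Mandatory)] [string]   $NewSuffix,
        [string[]] $ExistingUpns = @()                 # UPNs already in use elsewhere
    )
    $taken = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($e in $ExistingUpns) { [void]$taken.Add($e) }
    # Match the suffix only after '@' and at the end; -match/-replace ignore case.
    $pattern = '@' + [regex]::Escape($OldSuffix) + '$'
    foreach ($u in $Users) {
        $old = $u.UserPrincipalName
        if ([string]::IsNullOrEmpty($old) -or $old -notmatch $pattern) {
            $new = $old; $status = 'Skip'              # empty UPN or a different suffix
        } else {
            $new = $old -replace $pattern, ('@' + $NewSuffix)
            # Add() returns $false when another account already holds this UPN.
            $status = if ($taken.Add($new)) { 'Change' } else { 'Collision' }
        }
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; OldUPN = $old; NewUPN = $new; Status = $status }
    }
}

# Constructed sample accounts, so the logic can be reviewed without a directory.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   UserPrincipalName = 'jdoe@domain.local' }
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'asmith@Domain.Local' }
    [pscustomobject]@{ SamAccountName = 'jdoe2';  UserPrincipalName = 'JDoe@domain.local' }
    [pscustomobject]@{ SamAccountName = 'svc01';  UserPrincipalName = $null }
)
Get-UpnChangePlan -Users $sample -OldSuffix 'domain.local' -NewSuffix 'domain.com' | Format-Table

# Against the directory (ActiveDirectory module, privileged account):
# if ((Get-ADForest).UPNSuffixes -notcontains 'domain.com') { Write-Warning 'domain.com is not a registered UPN suffix' }
# $inUse = (Get-ADUser -Filter "UserPrincipalName -like '*@domain.com'").UserPrincipalName
# $users = Get-ADUser -Filter * -SearchBase 'OU=O365,OU=Users,DC=domain,DC=local'
# $plan  = Get-UpnChangePlan -Users $users -OldSuffix 'domain.local' -NewSuffix 'domain.com' -ExistingUpns $inUse
# $plan | Export-Csv .\upn-plan.csv -NoTypeInformation     # old/new mapping for rollback
# $plan | Where-Object Status -eq 'Change' | ForEach-Object {
#     Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.NewUPN -WhatIf }  # drop -WhatIf to apply
```

On the constructed sample, jdoe and asmith are marked Change, jdoe2 is marked Collision because its new UPN differs from jdoe's only by case, and svc01 is skipped because it has no UPN.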