User principal name change in AD not syncing to Microsoft

Sheila 5

We having users changing their last names but experiencing issues with sync from on-premise AD to microsoft.

This post Why does the userPrincipalName not sync from AD to Azure AD like - Microsoft Community is basically what we are experiencing but wondering why and what command exactly to use?

1 answer

Harpreet Singh Matharoo 8,311 Reputation points Microsoft Employee

2025-01-06T04:19:37.9433333+00:00
Hello @Sheila ,

Thank you for reaching out to Microsoft QnA forum. Historically, updates to the UserPrincipalName attribute using the sync service from on-premises was blocked, From March 2019, synchronizing UPN changes for federated user accounts is allowed. If your AD Connect setup was performed before 2019 there are high chances that Directory Sync Service feature "SynchronizeUpnForManagedUsersEnabled" is set to False. This results in not sync UPN changes from AD to AAD/Entra ID.

For all new deployments, this feature is on by default for newly created Microsoft Entra directories. You can see if this feature is enabled for you by running:

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.Read.All" $DirectorySync = Get-MgDirectoryOnPremiseSynchronization $DirectorySync.Features.SynchronizeUpnForManagedUsersEnabled

If this feature isn't enabled for your Microsoft Entra directory, then you can enable it by running:

Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All" $SyncUpnManagedUsers = @{ SynchronizeUpnForManagedUsersEnabled = "true" } Update-MgDirectoryOnPremiseSynchronization -Features $SyncUpnManagedUsers -OnPremisesDirectorySynchronizationId $DirectorySync.Id

After enabling this feature, existing userPrincipalName values remain as-is. On next change of the userPrincipalName attribute on-premises, the normal delta sync on users updates the UPN. Once this feature is enabled, it's not possible to disable it.

For more information on UPN updates please refer following article: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-syncservice-features#synchronize-userprincipalname-updates

Hope this will help. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Sheila 5 Reputation points

2025-01-06T04:57:21.6033333+00:00

Hi Harpreet,

I have checked the settings, and it is set to TRUE. However, after delta sync, the UPN is still not synced through. Anything else I can do?

Thanks, Sheila

Sheila 5 Reputation points

2025-01-06T05:05:19.59+00:00

Hi Harpeet,

Thanks for the info. I have already checked the sync is set to True. And still cant sync UPN using delta sync. Wondering if there's anything else i could try?

Thanks Sheila

BANDELA Siri Chandana 1,400 Reputation points Microsoft Vendor

2025-01-06T10:09:30.4366667+00:00

Hi @Sheila

Thank you for posting your query on Microsoft Q&A.

It seems that the Directory Sync Service feature "SynchronizeUpnForManagedUsersEnabled" is set to True but still you are experiencing issues with sync from on-premises AD to Microsoft while changing UPN.

Please move those accounts to a non-synced OU (out of scope) and run two delta cycles (then the accounts will be soft deleted in AAD).

After running 2 delta cycles then move them back in-scope and run another delta cycle.

Then check whether any change in UPN in AD syncing to Microsoft.

Hope this helps. Do let us know if you have any further queries.

Thanks,

B. Siri Chandana.

Sheila 5 Reputation points

2025-01-06T23:54:56.6+00:00

Hi @BANDELA Siri Chandana ,

If I move it to a non-synced OU and move it back to synced, will that affect anything stored in the account?

Thanks,

Sheila

BANDELA Siri Chandana 1,400 Reputation points Microsoft Vendor

2025-01-07T04:29:05.4933333+00:00

Hi @Sheila
Moving a user account from a non-synced Organizational Unit (OU) to a synced OU, and then back to a synced OU, generally won't affect anything stored in the account, this data is soft deleted, allowing for recovery if the object is moved back to a synced OU, it will be eligible for synchronization again. The object will be recreated in Azure AD.

Thanks,

B. Siri Chandana.

BANDELA Siri Chandana 1,400 Reputation points Microsoft Vendor

2025-01-08T07:01:48.6533333+00:00

Hi @Sheila
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

BANDELA Siri Chandana 1,400 Reputation points Microsoft Vendor

2025-01-09T01:23:14.52+00:00

Hi @Sheila
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Sheila 5 Reputation points

2025-01-21T01:30:49.22+00:00

Hi @BANDELA Siri Chandana

Thanks for chasing up. We have just tried to create a bunch of new users - which theoretically should be synced to Microsoft without issue. However, on microsoft, it is still showing the UPN as alice@onmicrosoft. Wondering if there's anything else we could try?Thanks, Sheila

BANDELA Siri Chandana 1,400 Reputation points Microsoft Vendor

2025-01-21T06:27:00.1066667+00:00

Hi @Sheila

I understand that still your problem didn't resolve.
Try to run full sync: Start-ADSyncSyncCycle -PolicyType Initial

Follow the document for more information: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/howto-troubleshoot-upn-changes

Hope this helps. Do let us know if you have any further queries.

Thanks,

B. Siri Chandana.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

User principal name change in AD not syncing to Microsoft

1 answer

Your answer