During an ongoing Office 365 deployment, we identified an issue with Office 365 customers not being able to change a user’s UPN if both UPN’s are in federated domains. We have identified and validated a work-around, please see the guidance below. Thanks to Dmitry Kazantsev for help in the write-up, this has also been posted on the Office 365 Community Wiki.

UPN Rename to another federated domain

  1. We cannot rename the UPN of a user when user account is moving from one federated domain to another (such as john@contoso1.com to john@contoso2.com)
  2. We can rename UPN of a user when user account is moving from one federated domain to a standard (non-federated) domain (such as john@contoso1.com to john@contosofoo.com)
  3. Directory Sync cannot be used to rename a UPN from a federated domain to a managed domain because of a defect. A fix is in the works but not yet available.
  4. The Office 365 Portal GUI cannot be used to rename a UPN from a federated domain to a managed domain because the object is DirSync’d and the GUI will not allow you to modify DirSync’d objects. Microsoft Online Services Module for Windows Powershell can be used to rename a user’s UPN in Office 365.

Therefore for us to provide customers with UPN rename functionality we will have to engineer some sort of the provisioning process that will provide two-step rename via a standard (non-federated domain). The steps below illustrate such process with a use-case scenario with the fictitious company Contoso. We will assume that Contoso has a default standard (non-federated) domain of contoso.onmicrosoft.com and contoso1.com and contoso2.com both of which are federated domains, and that Contoso is running Directory Sync:

 

  1. John, who is working in Contoso’s Subsidiary, Contoso1, currently has his UPN set to John@contoso1.com. Contoso1.com is a Federated domain.
  2. John is moving into his new role in Contoso’s Subsidiary, Contoso2; therefore his UPN should be changed to John@contoso2.com. Contoso2.com is a Federated domain.
  3. We will rename John’s Office 365 UPN to a federated domain via Microsoft Online Services Module for Windows PowerShell using the command: set-msoluserprincipalname – UserPrincipalName john@contoso1.com -new UserPrincipalName john@contoso.onmicrosoft.com
  4. John’s mailbox will be preserved, but a new password for John’s managed account needs to be established if they need to access the resources immediately, if not this can be skipped.
  5. The on-premises AD administrator will now need to modify John’s account with the new john@contoso2.com UPN.
  6. Force Directory Sync to propagate the change to Office 365 (or wait up to 3 hours).
    1. Directory Sync will update the value into the cloud and successfully move John’s account back to federated account, from the contoso.onmicrosoft.com standard domain. John’s mailbox is again preserved and John will be able to access his mailbox with new UPN and AD password.