Azure AD Connect change sync key userprincipalname to mail attribute

What is the recommended way to change the sync attribute from userPrincipalName to mail, e.g.

Option to set USER PRINCIPAL NAME. You only get this option when you FIRST install AD Connect.

As far as I can tell, it's disable sync, remove and re-install.


Solution 1:

As far as I can tell, it's disable sync, remove and re-install.

Yes, when you are on the configure page, you can select mail to sign in.

In your scenario, you can use Remove-AzureADUser to delete those users in Azure AD, then use the new Azure AD Connect configuration to sync them again; in this way, your users can use their mail address to sign in.

Solution 2:

Actually, it's possible. You have to use the Synchronization Rules Editor for that. I had a similar issue and had to solve it. I've written a blog post about it.

Basically, you need to find the rules that contain userPrincipalName (as in the screenshots below)


And finally, you replace

IIF(IsPresent([userPrincipalName]),[userPrincipalName], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))

To:

IIF(IsPresent([mail]),[mail], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))

You change it in any rules that have those (there should be 2 in the default connectors). Obviously, it doesn't have to be mail. It can be anything that is unique enough for you.
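The procedure above can be scripted with the ADSync module on the Azure AD Connect server instead of clicking through the Synchronization Rules Editor. The following is an added example, not code from either answer or from Microsoft: it first checks the on-premises `mail` attribute for the two things that bite when it becomes the sign-in name (it is neither mandatory nor unique in AD DS, so blank values silently fall back to `sAMAccountName@domain` and duplicates produce sync errors), then lists every inbound rule whose `userPrincipalName` flow reads `[userPrincipalName]`, and finally adds one custom inbound rule with a lower precedence number carrying the `[mail]` expression. Adding a custom rule rather than editing the default ones keeps the change intact across Azure AD Connect upgrades, which reset the built-in rules; because the source anchor is untouched, existing cloud objects are updated in place rather than deleted and re-created. The connector name `contoso.local` and the rule name are assumptions; adjust them for your tenant.

```powershell
# Added example; assumes the ADSync and ActiveDirectory modules and that the
# AD DS connector is named 'contoso.local' (change $ConnectorName to match).
Import-Module ADSync
Import-Module ActiveDirectory

$ConnectorName = 'contoso.local'   # assumption: your on-prem AD DS connector name
$RuleName      = 'In from AD - User userPrincipalName from mail (custom)'
$NewExpression = 'IIF(IsPresent([mail]),[mail], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))'

# 1. Pre-flight: whoever can write 'mail' in AD now decides which cloud identity a
#    user signs in as, so make sure it is populated and unique before flowing it.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail
$blank = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })
$dups  = @($users | Where-Object { $_.mail } |
           Group-Object { $_.mail.ToLowerInvariant() } | Where-Object Count -gt 1)
if ($blank.Count) {
    Write-Warning ("{0} enabled users have no mail attribute; they would fall back to sAMAccountName@%Domain.FQDN%" -f $blank.Count)
}
foreach ($d in $dups) {
    Write-Warning ("Duplicate mail '{0}' on: {1}" -f $d.Name, ($d.Group.SamAccountName -join ', '))
}
if ($dups.Count) { throw 'Fix duplicate mail values before changing the sign-in attribute.' }

# 2. Find every inbound rule on this connector whose userPrincipalName flow
#    still reads [userPrincipalName] (two rules on a default install).
$connector = Get-ADSyncConnector | Where-Object Name -eq $ConnectorName
if (-not $connector) { throw "Connector '$ConnectorName' not found" }

$upnRules = Get-ADSyncRule | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Connector -eq $connector.Identifier -and
    ($_.AttributeFlowMappings | Where-Object {
        $_.Destination -eq 'userPrincipalName' -and $_.Expression -match '\[userPrincipalName\]' })
}
$upnRules | ForEach-Object {
    $flow = $_.AttributeFlowMappings | Where-Object Destination -eq 'userPrincipalName'
    [pscustomobject]@{ Rule = $_.Name; Precedence = $_.Precedence; Expression = $flow.Expression }
} | Format-List

# 3. Pause the scheduler while rules change, then add a custom rule that wins
#    (lower precedence number) and only carries the userPrincipalName flow.
Set-ADSyncScheduler -SyncCycleEnabled $false
$precedence = ($upnRules | Measure-Object Precedence -Minimum).Minimum - 1

New-ADSyncRule -Name $RuleName -Identifier ([guid]::NewGuid()) `
    -Description 'Flow mail (fallback sAMAccountName@domain) to userPrincipalName' `
    -Direction 'Inbound' -Precedence $precedence `
    -SourceObjectType 'user' -TargetObjectType 'person' `
    -Connector $connector.Identifier -LinkType 'Join' -OutVariable syncRule | Out-Null

Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Source @('mail', 'sAMAccountName') -Destination 'userPrincipalName' `
    -FlowType 'Expression' -ValueMergeType 'Update' `
    -Expression $NewExpression -OutVariable syncRule | Out-Null

# Same scope as the default rules: skip critical system objects.
$cond = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'isCriticalSystemObject', 'True', 'NOTEQUAL'
Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] -ScopeConditions @($cond) -OutVariable syncRule | Out-Null

Add-ADSyncRule -SynchronizationRule $syncRule[0]

# 4. Re-enable the scheduler and run a full (initial) cycle so every object
#    gets the new flow; then inspect the Synchronization Service Manager for errors.
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial
```

Run it in an elevated PowerShell session on the Azure AD Connect server, and confirm first that every mail domain you intend to sign in with is a verified domain in the tenant, since a UPN suffix that is not verified gets rewritten to the tenant's default `onmicrosoft.com` domain on sync.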