
Hybrid Azure AD Join – Adding domain UPN Suffix

Preparing Hybrid Azure AD Join

Hybrid Azure AD Join allows you to connect your on-premises AD to your Azure AD. With Hybrid Azure AD Join, the following benefits become available to you:

  • Single sign-on to cloud resources
  • Device-based conditional access
  • Windows Hello for Business
  • Automatic device licensing
  • Self-service password reset
  • BitLocker recovery key
  • Enterprise state roaming

It is recommended to enable the AD Recycle Bin feature in your on-premises environment. If an object is deleted by accident, restoring it from the Recycle Bin also restores the object in Azure AD.

To enable the AD Recycle Bin feature, open Active Directory Administrative Center from Server Manager.

You can then either right-click your domain, or highlight it and select “Enable Recycle Bin” from the right pane.

You will also need to add the domain UPN suffix in your on-premises AD. If you have a custom domain name, you will use that. Don’t forget to add that to your Azure AD as well. To do so, go to Azure AD portal -> Custom domain names.

I am not going to add a custom domain name. Instead, I am going to use this domain and add it as the UPN suffix in my on-premises AD.

To do so, go to Server Manager -> Active Directory Domains and Trusts.

Right-click “Active Directory Domains and Trusts” and select Properties.

Copy and paste the whole custom domain name from Azure AD here and select Add. This should include the whole thing, whatever _____ is in your case.

You will need to go to the properties of each user and change the domain to the newly added UPN suffix. You can do it manually if you only have a few users; otherwise you can do it with PowerShell.

#Put your on-premises UPN suffix between the "" below, including the leading "@" (for example "@corp.local")
$UPN = ""
#Put your Azure AD UPN suffix between the "" below, including the leading "@" (for example "@contoso.onmicrosoft.com")
$aadUPN = ""

#Loads Get-ADUser / Set-ADUser (RSAT AD PowerShell module)
Import-Module ActiveDirectory

#The leading * in the filter is required: without it, -like only matches a UPN that equals the suffix exactly and no users are returned
$Users = Get-ADUser -Filter "UserPrincipalName -like '*$UPN'" -Properties userPrincipalName -ResultSetSize $null

#To preview the changes first, add -WhatIf after $NewUpn; remove it to apply them
$Users | foreach {$NewUpn = $_.UserPrincipalName.Replace($UPN,$aadUPN); $_ | Set-ADUser -UserPrincipalName $NewUpn}
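The three preparation steps above (enabling the Recycle Bin, adding the UPN suffix, and moving users to it) can also be done end to end from PowerShell. The script below is an added example written for this page, not the post's own script. It assumes the RSAT Active Directory module, Enterprise Admin rights in the forest, and the placeholder suffixes @corp.local and @contoso.onmicrosoft.com, which you must replace with your own; it runs as a dry run by default so you can check the list of affected users before anything is changed.

```powershell
# Added example (not from the original post): Recycle Bin, UPN suffix and user update in one script.
# Requires the RSAT AD PowerShell module and Enterprise Admin rights. Suffixes are placeholders.
Import-Module ActiveDirectory

$OldSuffix = '@corp.local'               # placeholder: current on-premises UPN suffix
$NewSuffix = '@contoso.onmicrosoft.com'  # placeholder: domain present in Azure AD (custom or default)
$DryRun    = $true                       # set to $false to apply the user changes

$forest = Get-ADForest

# 1. Enable the AD Recycle Bin if it is not already on. This is forest-wide and cannot be turned off again.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($recycleBin.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $recycleBin -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
    Write-Host "Recycle Bin enabled for forest $($forest.RootDomain)"
} else {
    Write-Host "Recycle Bin already enabled"
}

# 2. Add the new UPN suffix to the forest. This is what the "Alternative UPN suffixes" box in
#    Active Directory Domains and Trusts does; the suffix is stored without the "@".
$suffixName = $NewSuffix.TrimStart('@')
if ($forest.UPNSuffixes -notcontains $suffixName) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $suffixName}
    Write-Host "Added UPN suffix $suffixName"
} else {
    Write-Host "UPN suffix $suffixName already present"
}

# 3. Find every user still on the old suffix and rewrite only the suffix part of the UPN.
#    The leading * is what makes the filter match "user@corp.local" rather than the bare suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*$OldSuffix'" `
    -Properties UserPrincipalName -ResultSetSize $null
Write-Host "$(@($users).Count) user(s) still use $OldSuffix"

# Anchor the pattern to the end of the string so only the suffix is replaced.
$pattern = [regex]::Escape($OldSuffix) + '$'
foreach ($u in $users) {
    $newUpn = $u.UserPrincipalName -replace $pattern, $NewSuffix
    # -WhatIf:$DryRun prints "What if: ..." instead of writing when $DryRun is $true
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:$DryRun
}
```

Run it once with $DryRun left at $true and read the "What if" lines; only when the list contains exactly the accounts you expect should you set $DryRun to $false. Users sign in with the new UPN after the change, so plan the switch for a time when you can tell them.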
