UserPrincipalName – Office 365 Population and Alignment


The userPrincipalName attribute is the email-like logon name seen in your Active Directory user accounts.

UserPrincipalName in Active Directory

Contrary to what most admins believe, the on-premises userPrincipalName attribute is not mandatory. Just take a look at some of your built-in AD accounts:

PS C:\> Get-ADUser -LDAPFilter '(!(userPrincipalName=*))' | ft Name,userPrincipalName

Name              userPrincipalName
----              -----------------
Administrator
Guest
krbtgt
MSOL_1ec2158d0a0d

However, in a hybrid Office 365 environment, a proper userPrincipalName is paramount:

The userPrincipalName of the synchronized Azure AD account is the identifier used to authenticate to Azure resources.

Using a Verified Domain as the UserPrincipalName Suffix

To ensure proper alignment between your on-premises userPrincipalName and your Azure AD userPrincipalName, you should always use a verified Office 365 domain name as your on-premises userPrincipalName suffix.

When your on-premises userPrincipalName suffix matches a verified Office 365 domain, the userPrincipalName of the synchronized Azure AD account will be set to the same value as your on-premises account!

To check your verified domain names in Office 365, connect to the MSOnline service (Connect-MsolService) and use the Get-MsolDomain command:

PS C:\> Get-MsolDomain -Status Verified

Name                               Status   Authentication
----                               ------   --------------
skrubbeltrang.mail.onmicrosoft.com Verified Managed
skrubbeltrang.onmicrosoft.com      Verified Managed
azure.skrubbeltrang.com            Verified Managed

Using any of the verified Office 365 domains as your on-premises userPrincipalName suffix will ensure that your userPrincipalName in on-premises and Office 365 will be perfectly aligned.
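A quick way to audit the alignment described above is to compare every on-premises userPrincipalName suffix against the list returned by Get-MsolDomain. The following script is an added example, not code from the original article; it assumes the ActiveDirectory and MSOnline modules are installed and that Connect-MsolService has already been run.

```powershell
# Added example: report on-premises users whose userPrincipalName suffix is not
# a verified Office 365 domain (or who have no userPrincipalName at all).
# Assumes the ActiveDirectory and MSOnline modules and an existing Connect-MsolService session.
Import-Module ActiveDirectory
Import-Module MSOnline

# Verified Office 365 domains, lower-cased for case-insensitive comparison
$verified = Get-MsolDomain -Status Verified | ForEach-Object { $_.Name.ToLower() }

# Only enabled accounts; built-in and service accounts often have no UPN by design
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties userPrincipalName

$report = foreach ($u in $users) {
    if (-not $u.userPrincipalName) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; UPN = $null; Suffix = $null; Status = 'MissingUPN' }
        continue
    }
    $suffix = ($u.userPrincipalName -split '@')[-1].ToLower()
    $status = if ($verified -contains $suffix) { 'Aligned' } else { 'UnverifiedSuffix' }
    [pscustomobject]@{ SamAccountName = $u.SamAccountName; UPN = $u.userPrincipalName; Suffix = $suffix; Status = $status }
}

# Everything that is not aligned will get a cloud UPN generated by Microsoft's own logic
$report | Where-Object Status -ne 'Aligned' | Sort-Object Status, SamAccountName | Format-Table -AutoSize
```

Run this before enabling directory synchronization, or before a bulk change of userPrincipalName, so that any account listed as UnverifiedSuffix can be fixed while its cloud identity is still predictable.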

Using the Default Domain as the UserPrincipalName Suffix

More specifically, in most scenarios, you should opt for the default Office 365 domain as your on-premises userPrincipalName suffix.

You can easily identify your default domain by running the following command:

PS C:\> Get-MsolDomain | Where-Object {$_.IsDefault -eq $true} | ft

Name                    Status   Authentication
----                    ------   --------------
azure.skrubbeltrang.com Verified Managed

In a simple setup where all users share the same mail domain, the email address and the userPrincipalName should match. This offers the best end-user experience and the least support and troubleshooting.

If you use different mail domains for different divisions of your company/organization, you won’t be able to use the default Office 365 domain for all your mail addresses. But you should only use verified Office 365 domains.

Adding Your Verified Office 365 Domains to Active Directory

In order to be able to configure your users with the Office 365 verified domains, you may need to add them as UPN suffixes to your Active Directory forest.

This is done via the Active Directory Domains and Trusts console:

  • Right-click Active Directory Domains and Trusts and click Properties.
  • On the UPN Suffixes tab, add the verified Office 365 domain(s) to the list.

When all your domain controllers have synchronized, you’ll be able to select the new domain suffix when configuring the userPrincipalName of your on-premises user accounts.
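The same suffix registration can be scripted, and once the suffix exists the userPrincipalName can be set to match the mail address, which is the simple-setup recommendation given earlier. The script below is an added example, not code from the original article; it assumes the ActiveDirectory module, Enterprise Admin rights for Set-ADForest, and uses the verified domain azure.skrubbeltrang.com from the article's output as the suffix.

```powershell
# Added example: register a verified Office 365 domain as a forest UPN suffix,
# then align userPrincipalName with the primary mail address for users on that domain.
# Assumes the ActiveDirectory module and Enterprise Admin rights (Set-ADForest).
Import-Module ActiveDirectory

$newSuffix = 'azure.skrubbeltrang.com'   # verified Office 365 domain from the article

# 1. Add the suffix to the forest if it is not already present
#    (equivalent to the Active Directory Domains and Trusts dialog).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $newSuffix}
}

# 2. For users whose mail address uses the verified domain, make the UPN
#    match the mail address exactly (same prefix, same suffix).
$users = Get-ADUser -Filter "mail -like '*@$newSuffix'" -Properties mail, userPrincipalName

foreach ($u in $users) {
    $desired = $u.mail.ToLower()
    if ($u.userPrincipalName -and $u.userPrincipalName.ToLower() -eq $desired) { continue }

    # -WhatIf shows the intended change without applying it; remove it to commit.
    Set-ADUser -Identity $u -UserPrincipalName $desired -WhatIf
}
```

Keep -WhatIf on the first run and review the output: changing a userPrincipalName that is already synchronized renames the cloud account, so users should be told their sign-in name is changing before the value is committed.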

What Happens When UserPrincipalName Is Not Aligned?

If you configure your on-premises user accounts with userPrincipalName suffixes that don’t exist as verified domains in Office 365, you’re asking for trouble.

Microsoft has designed an ultra-complex algorithm to auto-generate (and update) the mandatory userPrincipalName of synchronized Office 365 users when the on-premises userPrincipalName suffix doesn’t match a verified Office 365 domain.

The algorithm calculates a so-called MOERA (Microsoft Online Email Routing Address) which uses the following components:

  • On-premises mailNickName attribute
  • Prefix of primary SMTP address
  • Prefix of on-premises mail attribute
  • Prefix of on-premises userPrincipalName attribute/Alternate login ID
  • Prefix of secondary SMTP address

Based on your local configuration, you’ll sometimes see changes to the Office 365 userPrincipalName when changing any of the above attributes.

Basically, the resulting Office 365 userPrincipalName will depend on the specifics of your environment and be very hard to troubleshoot.
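Because the generated cloud value is hard to predict, the practical check is to compare what actually landed in Office 365 with the on-premises value for each synchronized account. The script below is an added example, not code from the original article; it assumes an existing Connect-MsolService session and that Azure AD Connect uses the default objectGUID source anchor, so that the cloud ImmutableId is the Base64 form of the on-premises objectGUID.

```powershell
# Added example: list synchronized users whose Office 365 userPrincipalName
# differs from the on-premises userPrincipalName.
# Assumes Connect-MsolService has been run and the default objectGUID source anchor
# (ImmutableId = Base64 of objectGUID); adjust the anchor if ms-DS-ConsistencyGuid is used.
Import-Module ActiveDirectory
Import-Module MSOnline

# Index cloud users by ImmutableId; cloud-only users have none and are skipped
$cloud = @{}
Get-MsolUser -All | Where-Object { $_.ImmutableId } | ForEach-Object {
    $cloud[$_.ImmutableId] = $_.UserPrincipalName
}

$mismatches = Get-ADUser -Filter 'Enabled -eq $true' -Properties userPrincipalName | ForEach-Object {
    $anchor = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
    if ($cloud.ContainsKey($anchor)) {
        $cloudUpn = $cloud[$anchor]
        # String comparison in PowerShell is case-insensitive by default
        if ($cloudUpn -ne $_.userPrincipalName) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                OnPremUPN      = $_.userPrincipalName
                CloudUPN       = $cloudUpn
            }
        }
    }
}

$mismatches | Format-Table -AutoSize
```

Any row in this output is an account where users sign in to Azure resources with a name that differs from their on-premises logon name, which is exactly the support and troubleshooting burden the article warns about.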

You can read the full story of the “Microsoft Magic Super UserPrincipalName Calculator” here. 😉

Manage Office 365 From AD Users & Computers

Easy365Manager is a snap-in to Active Directory Users & Computers that allows you to manage Office 365 licenses, Office 365 mailboxes, and a lot more directly from AD user properties.

As an example, you can assign Exchange licenses to (mailbox-enable) users in a few seconds.

Have a look at the huge feature list (that keeps growing).

Download a fully-functional 30-day trial here.