One of my customers added a new group of users that used their own domain suffix which was not intended to be used in Office 365 from the start. And when we first enabled dirsync it was probably not even possible to have multiple domains but now we wanted these users enabled for Office 365 as well.
And it worked just fine for all but two users, and I think that these two users were probably synced before we enabled -SupportMultipleDomain (to enable support for multiple domains after you have already enabled dirsync, see: http://community.office365.com/en-us/w/sso/support-for-multiple-top-level-domains.aspx?Sort=MostRecent&PageIndex=1 )
So when we looked at the user object one had the .onmicrosoft.com domain and the other had adfsdomain.com. But they both really should be on the domain2.se suffix.
And yes, of course, we had double and triple checked the AD, ran through manual synchronizations and forced full re-syncs by changing the registry as seen below.
Open the Registry Editor and browse to the key:
Search for the FullSyncNeeded value and set it to 1
And then launch the:
%programfiles%\Microsoft Online Directory Sync\DirSyncConfigShell.psc1
And run the following command to start a full resync:
So after a quick chat with the support in a service request we decided to stop dirsync and remove the account from the Office 365 tenant manually and then do a full resync.
So to disable dirsync follow these steps from http://support.microsoft.com/kb/2619062
1. Install the local Windows PowerShell cmdlets. To do this, visit the following Microsoft website: Use Windows PowerShell to manage Office 365
2. Start the Microsoft Office Online Services Module for Windows PowerShell.
3. Disable directory synchronization. To do this, type the following cmdlet, and then press Enter: Set-MsolDirSyncEnabled -EnableDirSync $false
4. Verify that directory synchronization is fully disabled by using Windows PowerShell. To do this, run the following cmdlet periodically: (Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
   This command will return True or False. Continue to run this cmdlet periodically until it returns False, and then go to step 5.
   Note: It may take 72 hours for the deactivation to be completed. The actual time depends on the number of objects that are in your Office 365 subscription account.
5. Try to update an object to verify that you can delete the object.
6. Delete the object by using Windows PowerShell or by using the Office 365 portal. To view the cmdlet documentation, visit the following Microsoft website: Windows PowerShell cmdlets for Office 365 (http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh125002.aspx)
7. To re-enable directory synchronization, run the following cmdlet: Set-MsolDirSyncEnabled -EnableDirSync $true
But I actually had some trouble with step 7. So I had to enable dirsync manually from the admin portal and wait for some time, and after that all was fine again.
When I deactivated dirsync I was able to run the following command on the user that was in the domain.onmicrosoft.com:
Set-MsolUserPrincipalName -UserPrincipalName PIZ01@domain.onmicrosoft.com -NewUserPrincipalName email@example.com
And that command changed the upn on the first user.
But when I tried on a user that was in an ADFS federated domain I was not able to run the same command on her account. So what I did was to simply delete it, and when I later turned dirsync back on it was synced back up as a “new” account and all is now back to normal operations again.
Just a reminder to myself: if you just want to change the UPN name, you always have to go via the onmicrosoft.com domain first, you can't just change from one federated domain to the other. So try to remember this next time, ok…
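The reminder above, written out as a two-hop rename. This is an added example, not code from the original post; the function name `Move-UpnViaInitialDomain` and the sample addresses are hypothetical, and it assumes the MSOnline module is loaded and `Connect-MsolService` has already been run.

```powershell
# Added example: move a user between two federated domains by passing
# through the tenant's onmicrosoft.com domain first.
function Move-UpnViaInitialDomain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CurrentUpn,    # placeholder: user@adfsdomain.com
        [Parameter(Mandatory = $true)][string]$TargetUpn,     # placeholder: user@domain2.se
        [Parameter(Mandatory = $true)][string]$InitialDomain  # placeholder: domain.onmicrosoft.com
    )

    # In the post the rename was done while dirsync was deactivated, so flag it if still on.
    if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
        Write-Warning 'Directory synchronization is still enabled for this tenant.'
    }

    # Fail early if no account exists under the UPN we were given.
    $user = Get-MsolUser -UserPrincipalName $CurrentUpn -ErrorAction Stop

    $prefix, $currentSuffix = $CurrentUpn -split '@', 2
    $tempUpn = '{0}@{1}' -f $prefix, $InitialDomain

    # Hop 1: federated domain -> onmicrosoft.com (skipped if the user is already there).
    if ($currentSuffix -ne $InitialDomain) {
        if ($PSCmdlet.ShouldProcess($CurrentUpn, "Rename to $tempUpn")) {
            Set-MsolUserPrincipalName -ObjectId $user.ObjectId `
                -NewUserPrincipalName $tempUpn -ErrorAction Stop
        }
    }

    # Hop 2: onmicrosoft.com -> the suffix the user should have had all along.
    if ($PSCmdlet.ShouldProcess($tempUpn, "Rename to $TargetUpn")) {
        Set-MsolUserPrincipalName -ObjectId $user.ObjectId `
            -NewUserPrincipalName $TargetUpn -ErrorAction Stop
    }

    # Return the result so the new suffix can be checked before dirsync is re-enabled.
    Get-MsolUser -ObjectId $user.ObjectId |
        Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
}

# Dry run with constructed addresses; remove -WhatIf to apply.
# Move-UpnViaInitialDomain -CurrentUpn 'user@adfsdomain.com' -TargetUpn 'user@domain2.se' `
#     -InitialDomain 'domain.onmicrosoft.com' -WhatIf
```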