What will happen if you give a user a UPN suffix other than the federated domain and try to sync that user to Azure AD?
Viewed 314 times
I would like to confirm that the end user's sign-in experience might differ depending on the configuration you have for AD Connect.
Let's take the following configuration as an example and share 2 possible scenarios with you:
You have 3 domains in your local AD, of which 2 are verified in Azure AD.
- domain.local - Non-Routable local domain.
- abc.com Sync'd - Federated with AzureAD.
- xyz.com Sync'd - Managed and verified on AzureAD.
Scenario 1: Optional features like PHS are not enabled.
- Let's say you sync user1@xyz.com from on-prem to Azure AD. The user would be created in Azure AD with UPN user1@xyz.com; however, the user would not be able to log in to any Office service or Azure AD application, with the error "Incorrect Username or Password".
- Let's say you sync user3@domain.local from on-prem to Azure AD. The user would be created in Azure AD with UPN user2@.onmicrosoft.com; however, the user would not be able to log in to any Office service or Azure AD application, with the error "Incorrect Username or Password".
Scenario 2: Optional features like PHS are not enabled.
- Let's say you sync user3@xyz.com from on-prem to Azure AD. The user would be created in Azure AD with UPN user1@xyz.com, and the user would be able to log in with the on-prem username and password to any Office 365 service or Azure AD application.
- Let's say you sync user3@domain.local from on-prem to Azure AD. The user would be created in Azure AD with UPN user2@.onmicrosoft.com, and the user would be able to log in with the on-prem username and password to any Office 365 service or Azure AD application.
The only difference between scenario 1 and 2 is the use of the Password Hash Sync feature. If password hash sync is enabled, the on-prem user's password hash is sync'd to Azure AD, and hence the user would be able to sign in to Office services or any Azure AD application.
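A pre-sync check that follows from the answer above, added here as example code rather than anything the answer or Microsoft ships: it assumes the ActiveDirectory and AzureAD PowerShell modules are installed and that Connect-AzureAD has already been run, then lists which on-prem UPN suffixes are not verified in the tenant (and so would be rewritten to the initial onmicrosoft.com domain) and whether each verified suffix is federated or managed.

```powershell
# Added example (not from the original answer). Assumes the ActiveDirectory and
# AzureAD modules and an existing Connect-AzureAD session.

# Build a lookup of verified domains -> 'Managed' or 'Federated'
$domains  = Get-AzureADDomain
$verified = @{}
foreach ($d in ($domains | Where-Object { $_.IsVerified })) {
    $verified[$d.Name.ToLower()] = $d.AuthenticationType
}
# The initial tenant domain (e.g. contoso.onmicrosoft.com) is what an
# unverified UPN suffix gets replaced with after sync
$initial = ($domains | Where-Object { $_.IsInitial }).Name

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName } |
    ForEach-Object {
        $prefix, $suffix = $_.UserPrincipalName.ToLower() -split '@', 2
        if ($verified.ContainsKey($suffix)) {
            $cloudUpn = $_.UserPrincipalName
            $auth     = $verified[$suffix]
            $outcome  = if ($auth -eq 'Federated') {
                            'Sign-in handled by the federation provider'
                        } else {
                            'Managed domain: needs Password Hash Sync to sign in'
                        }
        } else {
            # Not a verified domain: Azure AD Connect lands the user on the initial domain
            $cloudUpn = "$prefix@$initial"
            $auth     = 'Managed'
            $outcome  = 'UPN suffix rewritten; needs Password Hash Sync to sign in'
        }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            OnPremUpn      = $_.UserPrincipalName
            CloudUpn       = $cloudUpn
            Auth           = $auth
            Outcome        = $outcome
        }
    }

# Show only the users whose UPN will change after sync
$report | Where-Object { $_.OnPremUpn -ne $_.CloudUpn } | Format-Table -AutoSize
```

Run it before the first sync cycle so users on domain.local-style suffixes can be given a verified suffix (or told their new cloud UPN) ahead of time.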
Scenario 2 should be for enabled PHS – Mango Wong Jul 17 '23 at 06:30