Alternative UPN for use with Azure AD Sync


  • Hi There,

    Our business has bought Office 365 ProPlus licences. We are new to O365 ProPlus and I have been given the task to implement it. I want to go the synchronised identity route (not Cloud ID or ADFS) to sync our AD users and their passwords, but I am not sure of the ramifications of adding an additional UPN to our network. I will use dummy names for my situation below.

    We have a non-routable domain as our TLD (top level domain), which is "Company.local". Our email addresses use "". I read that Office 365, to synchronise using Azure AD Connect, requires a routable TLD, e.g. .com, .org, .net, for it to work. This is the tricky part: we have a separate, non-trusted domain called "". I can add the UPN suffix to my AD domains and trusts "" and then change the users' UPN suffix, but I do not want it to interfere with the other company network.

    There must be firms out there who use .local and have the .com being used elsewhere in the same company but do not want any crossover issues. DNS etc.

    Any advice would be helpful. 



    Tuesday, April 11, 2017 12:23 PM


  • Since you already have another domain named "", the steps you have listed above will not work. You cannot add a UPN suffix to a domain and then add a trust. AD wouldn't know which forest the sign-in request should be redirected to.

    Instead, I hope you have the email attribute populated with the sign-in information you want in Azure AD. Then during installation, change the UPN attribute to be the mail attribute instead:
    Your users will now sign in to Azure AD with their email address and the password they use in company.local.

    That would avoid any changes to DNS or other on-prem changes. The forest/domain wouldn't be involved and there is no other impact on your on-prem environment.

    Thursday, May 4, 2017 8:14 AM
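    A pre-flight check for the mail-as-sign-in approach described in the reply above, added here as an example and not part of the thread; it assumes the RSAT ActiveDirectory module is installed and uses placeholder values for the sync OU and for the domains already verified in the Azure AD tenant:

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and that $VerifiedDomains lists the domains verified in the tenant.
Import-Module ActiveDirectory

$VerifiedDomains = @('company.com')                 # placeholder: verified tenant domains
$SearchBase      = 'OU=Users,DC=company,DC=local'   # placeholder: the OU you will sync

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                    -Properties mail, userPrincipalName

# 1. No mail attribute: with mail as the sign-in ID these users get no usable login.
$noMail = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })

# 2. Mail suffix not verified in the tenant: sync rewrites the sign-in name to the
#    tenant's default .onmicrosoft.com domain, so these users cannot sign in as expected.
$badSuffix = @($users | Where-Object { $_.mail } | Where-Object {
    $suffix = ($_.mail -split '@')[-1]
    $VerifiedDomains -notcontains $suffix
})

# 3. Duplicate mail values: sign-in IDs must be unique in Azure AD or the object fails to sync.
$duplicates = @($users | Where-Object { $_.mail } |
                Group-Object { $_.mail.ToLower() } | Where-Object { $_.Count -gt 1 })

"{0} enabled users in scope"            -f $users.Count
"{0} without a mail attribute"          -f $noMail.Count
$noMail    | Select-Object SamAccountName, userPrincipalName | Format-Table -AutoSize
"{0} with an unverified mail suffix"    -f $badSuffix.Count
$badSuffix | Select-Object SamAccountName, mail | Format-Table -AutoSize
"{0} duplicate mail values"             -f $duplicates.Count
$duplicates | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.Group.SamAccountName -join ', ') }
```

Run it before the Azure AD Connect installation; any user listed in the three groups needs the mail attribute corrected first, since nothing on premises changes otherwise.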
