MSEndpointMgr
missing onmicrosoft.com default domain
Home » Identity » Fix missing onmicrosoft.com default domain

Fix missing onmicrosoft.com default domain

Ever found your self in a messed up Hybrid Exchange environment, and some or all of your synced identities are missing onmicrosoft.com default domain?

It should be easy to fix, no?

Well it is… but if you google it, you will find suggestions like deleting the users or removing them from them from sync, then making the cloud only. And then hard or soft matching them again after they have received the domain.onmicrosoft.com alias back. That seems like a terrible waste of time if you ask me.

No, you can’t just add that domain on-premise to the proxyAddress field and be over with it – domain.onmicrosoft.com is not synced as an alias.

The quick(ish) fix

You don’t need to delete the user or anything fancy like that – here are the steps to fix it in production.

Add the UPN Suffix to your domain

In order for this fix to work, we need to add the tenant default domain as a UPN Suffix to our on-prem active directory. This is a simple one-time thing.

Open up “Active Directory Domains and Trusts” and follow the steps in the screenshot:

adding the missing onmicrosoft.com default domain
  1. Right-click and elect the properties of “Active directory domains and trusts” in the MMC
  2. Type in your default tenant domain (e.g. mytenant.onmicrosoft.com)
  3. Click “Add”
  4. Click “OK”

Now we can do some magic on the user-account…

Change the users UPN

Now the trick is to change the users logon name to match that of the default tenant domain, because unlike the e-mail alias (proxyAddress), the logon name will actually sync a change if using the default tenant domain.

So crack open you “Active Directory Users and Computers” MMC, and lets follow login with the screenshot:

using the missing onmicrosoft.com default domain as login name
  1. Find the user with issues and go to the “Account” tab.
  2. From the User logon name domain name dropdown, note the current selection and then select the newly added UPN suffix (i.e. my tenant.onmicrosoft.com)
  3. Click “OK”

Now, that you have to do is either wait or force a sync with Azure AD Connect. Forcing it will obviously be faster.

After sync has completed, you should verify that the user login has actually chain in Azure AD or the M365 Admin portal. And at the same time, you can verify that the default domain e-mail alias is now in place as it should be.

Put it all back as it was

After you have confirmed that the cloud users has received the changes from on-prem, you simply need to put back the original domain from step 2 in the screenshot above. Then again wait for sync or force it.

If you wish to get rid of the UPN Suffix, you can do that at this point, it is no longer needed.

Final words

One could wish for a “fix it” button in Exchange online or the M365 portal to take care of this little bug, but I hope I have at least saved you some time by sharing this wacky workaround. Of course all of this can be scriptet if you have hundreds or thousands of users in this state.

And before you ask why even need this domain? Then think about the fact that it is default. And you never really know what 3rd party program or script is expecting to find that specific e-mail Alias on an account.

As always I hope you will add your comments below and follow on twitter to show your support.

(1692)

Michael Mardahl

Michael works as a Microsoft Certified Cloud Architect with APENTO in Denmark. He specializes in customer journeys from classic Infrastructure to Cloud consumption with a strong focus on security. And has been working in the IT industry for more than 20 years, where he started as a Network Administrator in the logistics industry. He has gained experience through a broad range of IT projects throughout the years and was very early to embrace and share his cloud technology passion. When not at work, Michael enjoys the value of spending time with family and friends and BLOG's passionately about Microsoft cloud technology whenever he has time to spare - this has earned him the title of Microsoft Most Valuable Professional (MVP) in the Enterprise Mobility category.

2 comments

  • Hey Michael,
    why do we even add the suffix and then remove it?
    “If you wish to get rid of the UPN Suffix, you can do that at this point, it is no longer needed.”

    I saw a lot of confusion here and I would suggest a simple step: open Attribute editor and change UPN. One step.
    Or Set-ADUser -UserPrincipalName $newUpn.
    One step.
    That’s the thing I always like to ask people, could I put @gmail.com UPN, will it works if I do not set it up in the UPN suffixes window? Lots of people get confused till they see the result.

    Cheers, Dmitrii

    • Hi Dimitrii,

      It can be done many ways, so thank you for adding your view.

      When doing a blog on technical things, I must try and consider not to add too much information. So I chose this way with the GUI that is straightforward – but perhaps not the fastest method though.

Sponsors

Subscribe

Do you want to be notified of new posts on our site?

Please enter your email address below:

Categories

MSEndpointMgr.com use cookies to ensure that we give you the best experience on our website.