Ever found yourself in a messed-up Hybrid Exchange environment where some or all of your synced identities are missing their onmicrosoft.com default domain alias?
It should be easy to fix, no?
Well it is… but if you google it, you will find suggestions like deleting the users, or removing them from sync and making them cloud-only, and then hard- or soft-matching them again after they have received the domain.onmicrosoft.com alias back. That seems like a terrible waste of time if you ask me.
No, you can’t just add that domain on-premises to the proxyAddresses attribute and be done with it – domain.onmicrosoft.com is not synced as an alias.
The quick(ish) fix
You don’t need to delete the user or anything fancy like that – here are the steps to fix it in production.
Add the UPN Suffix to your domain
In order for this fix to work, we need to add the tenant default domain as a UPN suffix to our on-prem Active Directory. This is a simple one-time thing.
Open up “Active Directory Domains and Trusts” and follow the steps in the screenshot:
- Right-click “Active Directory Domains and Trusts” in the MMC and select Properties
- Type in your default tenant domain (e.g. mytenant.onmicrosoft.com)
- Click “Add”
- Click “OK”
Now we can do some magic on the user-account…
Change the user’s UPN
Now the trick is to change the user’s logon name (UPN) to match the default tenant domain, because unlike the e-mail alias (proxyAddresses), a logon name change using the default tenant domain actually does sync.
So crack open your “Active Directory Users and Computers” MMC, and let’s follow along with the screenshot:
- Find the user with issues and go to the “Account” tab.
- From the User logon name domain dropdown, note the current selection and then select the newly added UPN suffix (e.g. mytenant.onmicrosoft.com)
- Click “OK”
Now all you have to do is either wait for a sync or force one with Azure AD Connect. Forcing it will obviously be faster.
After the sync has completed, you should verify that the user’s login has actually changed in Azure AD or the M365 admin portal. At the same time, you can verify that the default domain e-mail alias is now in place as it should be.
Put it all back as it was
After you have confirmed that the cloud user has received the changes from on-prem, you simply need to put back the original domain from step 2 in the screenshot above. Then again wait for a sync or force it.
If you wish to get rid of the UPN suffix, you can do that at this point; it is no longer needed.
One could wish for a “fix it” button in Exchange Online or the M365 portal to take care of this little bug, but I hope I have at least saved you some time by sharing this wacky workaround. Of course, all of this can be scripted if you have hundreds or thousands of users in this state.
And before you ask why you even need this domain: think about the fact that it is the default. You never really know which 3rd-party program or script is expecting to find that specific e-mail alias on an account.
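A scripted version of the four steps above, added here as an example and not part of the original post. It assumes the RSAT ActiveDirectory module, the ADSync module (so it is run on the Azure AD Connect server), and Microsoft.Graph.Users with Connect-MgGraph already done; mytenant.onmicrosoft.com, the sAMAccountName list and the CSV path are placeholders.

```powershell
# Added example (not from the original post). Placeholders: tenant name, CSV path, user list.
$TenantDefault = 'mytenant.onmicrosoft.com'
$Record        = 'C:\Temp\upn-rollback.csv'   # rollback record; keep it until step 4 is done

# Step 1 (one-time): publish the tenant default domain as a UPN suffix in the forest
function Add-TenantUpnSuffix {
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $TenantDefault) {
        Set-ADForest -Identity $forest -UPNSuffixes @{Add = $TenantDefault}
    }
}

# Step 2: record each user's current UPN BEFORE changing anything, then flip the UPN
# to the tenant default domain and push a delta sync. While the UPN is flipped, the user
# signs in with the temporary UPN, so batch only as many users as you can live with.
function Set-TemporaryUpn {
    param([string[]]$SamAccountName)
    $users = foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties UserPrincipalName
        [pscustomobject]@{ Sam = $sam; OriginalUpn = $u.UserPrincipalName }
    }
    $users | Export-Csv -Path $Record -NoTypeInformation
    foreach ($row in $users) {
        Set-ADUser -Identity $row.Sam -UserPrincipalName "$($row.Sam)@$TenantDefault"
    }
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Step 3: confirm in the cloud that the UPN changed and the onmicrosoft alias is present.
# If the cloud UPN never changes for a licensed user, check that the directory sync
# feature SynchronizeUpnForManagedUsers is enabled on the tenant.
function Test-CloudAlias {
    param([string]$Sam)
    $upn = "$Sam@$TenantDefault"
    $mg  = Get-MgUser -UserId $upn -Property UserPrincipalName, ProxyAddresses
    $hasAlias = [bool]($mg.ProxyAddresses -match "@$([regex]::Escape($TenantDefault))$")
    return ($mg.UserPrincipalName -eq $upn) -and $hasAlias
}

# Step 4: put the original UPNs back from the rollback record and sync again
function Restore-OriginalUpn {
    Import-Csv -Path $Record | ForEach-Object {
        Set-ADUser -Identity $_.Sam -UserPrincipalName $_.OriginalUpn
    }
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Usage: Add-TenantUpnSuffix; Set-TemporaryUpn -SamAccountName 'jdoe','asmith'
# ... wait for the sync, run Test-CloudAlias -Sam 'jdoe' for each user, then Restore-OriginalUpn
```

Run Test-CloudAlias for every user in the batch and only call Restore-OriginalUpn once all of them return True, otherwise the alias will not have been written for the ones that were still pending.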
As always I hope you will add your comments below and follow on twitter to show your support.