
Fix onmicrosoft.com missing default domain

Ever found yourself in a messed up Hybrid Exchange environment, where some or all of your synced identities are missing something? Maybe the onmicrosoft.com missing domain bug has infected your tenant? (No, it's not really a bug, and it does not infect you, but shit happens as they say…)

It should be easy to fix, no?

Well it is… but if you google it, you will find suggestions like deleting the users, or removing them from sync and making them cloud-only, and then hard or soft matching them again after they have received the domain.onmicrosoft.com alias back. That seems like a terrible waste of time if you ask me.

No, you can't just add that domain on-premise to the proxyAddresses attribute and be done with it – domain.onmicrosoft.com is not synced as an alias.

The quick(ish) fix

You don’t need to delete the user or anything fancy like that to fix that onmicrosoft.com missing default domain – here are the steps to fix it in production.

Screenshot: onmicrosoft.com missing fix

Add the UPN Suffix to your domain

In order for this fix to work, we need to add the tenant default domain as a UPN suffix to our on-prem Active Directory. This is a simple one-time thing.

Open up “Active Directory Domains and Trusts” and follow the steps in the screenshot:

Screenshot: adding the missing onmicrosoft.com default domain
  1. Right-click “Active Directory Domains and Trusts” in the MMC and select Properties
  2. Type in your default tenant domain (e.g. mytenant.onmicrosoft.com)
  3. Click “Add”
  4. Click “OK”

Now we can do some magic on the user-account…

Change the user's UPN

Now the trick is to change the user's logon name to match the default tenant domain, because unlike the e-mail alias (proxyAddresses), a logon name change to the default tenant domain will actually sync.

So crack open your “Active Directory Users and Computers” MMC, and let's follow along with the screenshot:

Screenshot: using the missing onmicrosoft.com default domain as login name
  1. Find the user with issues and go to the “Account” tab.
  2. From the User logon name domain dropdown, note the current selection and then select the newly added UPN suffix (i.e. mytenant.onmicrosoft.com)
  3. Click “OK”

Now, all you have to do is either wait for or force a sync with Entra Connect Sync. Forcing it will obviously be faster.

After the sync has completed, verify that the user's login name has actually changed in Entra ID or the M365 Admin portal. At the same time, verify that the default domain e-mail alias is now in place as it should be.

Put it all back as it was

After you have confirmed that the cloud user has received the changes from on-prem, you simply need to put back the original domain from step 2 of the screenshot above. Then again wait for sync or force it.

If you wish to get rid of the UPN suffix in your local AD, you can do that at this point; it is no longer needed. Just do roughly the reverse of what we did in the first screenshot of this article.
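The whole procedure above (add the UPN suffix, swap the user's UPN, sync, verify, put it back) as one PowerShell script. This is an added example, not code from the original post; it assumes it runs on the Entra Connect server (so the ADSync module is available), that the ActiveDirectory module is installed, and that Connect-ExchangeOnline has already been run for the verification step. $SamAccountName and $TenantDomain are placeholders you supply.

```powershell
<#
  Added example (not from the original post). Assumptions, not stated on the page:
  runs on the Entra Connect server (ADSync module present), ActiveDirectory module
  installed, and an Exchange Online session already opened with Connect-ExchangeOnline.
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # placeholder, e.g. 'jdoe'
    [Parameter(Mandatory)] [string] $TenantDomain,     # placeholder, e.g. 'mytenant.onmicrosoft.com'
    [int] $SyncTimeoutMinutes = 20
)

Import-Module ActiveDirectory
Import-Module ADSync

# Polls Exchange Online until the mailbox is reachable under the expected UPN, then returns it.
function Wait-ForCloudUpn {
    param([string] $ExpectedUpn, [int] $TimeoutMinutes)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        $mbx = Get-Mailbox -Identity $ExpectedUpn -ErrorAction SilentlyContinue
        if ($mbx -and $mbx.UserPrincipalName -eq $ExpectedUpn) { return $mbx }
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for $ExpectedUpn to show up in Exchange Online"
}

# Step 1 (one-time): register the tenant default domain as a UPN suffix in the forest.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $TenantDomain) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $TenantDomain }
}

# Step 2: remember the current UPN, then switch it to the tenant default domain.
$user        = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
$originalUpn = $user.UserPrincipalName
$tempUpn     = '{0}@{1}' -f $originalUpn.Split('@')[0], $TenantDomain
Set-ADUser -Identity $user -UserPrincipalName $tempUpn

# Step 3: force a delta sync and confirm both the UPN and the alias landed in the cloud.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
$mbx   = Wait-ForCloudUpn -ExpectedUpn $tempUpn -TimeoutMinutes $SyncTimeoutMinutes
$alias = $mbx.EmailAddresses | Where-Object { $_ -like "smtp:*@$TenantDomain" }
if (-not $alias) {
    # Stop here with the temporary UPN still in place so the state can be inspected.
    throw "UPN synced, but no $TenantDomain address appeared on $($mbx.PrimarySmtpAddress)"
}
Write-Host "Default domain alias is back: $($alias -join ', ')"

# Step 4: put the original UPN back and sync again; the alias stays on the mailbox.
Set-ADUser -Identity $user -UserPrincipalName $originalUpn
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Wait-ForCloudUpn -ExpectedUpn $originalUpn -TimeoutMinutes $SyncTimeoutMinutes | Out-Null
Write-Host "Restored $originalUpn for $SamAccountName"
```

The script deliberately refuses to restore the original UPN when the alias did not appear after the first sync, so a user who is outside the Connect sync scope (one of the reasons the fix can appear to do nothing) is left in a state you can inspect instead of being silently flipped back and forth. Start-ADSyncSyncCycle fails if a sync cycle is already running, so rerun it after the current cycle finishes rather than wrapping it in a loop.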

Final words

One could wish for a “fix it” button in Exchange Online or the M365 portal to take care of this little bug of the onmicrosoft.com domain missing in action. But I hope I have at least saved you some time by sharing this wacky workaround. Of course, all of this can be scripted if you have hundreds or thousands of users in this state.
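Before scripting the fix for hundreds of users, you need a list of who is actually affected. The following added example (not from the original post) uses the Microsoft Graph PowerShell SDK to list directory-synced users that have no smtp address on the tenant default domain; it assumes Connect-MgGraph has already been run with the User.Read.All scope, and $TenantDomain is a placeholder.

```powershell
# Added example, not from the original post. Assumes Connect-MgGraph -Scopes 'User.Read.All'
# has already been run; $TenantDomain is a placeholder for your tenant default domain.
param([string] $TenantDomain = 'mytenant.onmicrosoft.com')   # placeholder

Import-Module Microsoft.Graph.Users

# Only hybrid (directory-synced) users are in scope; proxyAddresses must be requested explicitly.
$users = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -Property Id,UserPrincipalName,Mail,ProxyAddresses,OnPremisesSamAccountName

# Returns the users that have a mailbox (Mail is set) but no alias on the default domain.
function Get-UsersMissingDefaultAlias {
    param([object[]] $Users, [string] $Domain)
    foreach ($u in $Users) {
        if (-not $u.Mail) { continue }   # no mail attribute, nothing to check
        $hasDefault = $u.ProxyAddresses | Where-Object { $_ -like "smtp:*@$Domain" }
        if (-not $hasDefault) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                SamAccountName    = $u.OnPremisesSamAccountName
                PrimaryMail       = $u.Mail
                ProxyCount        = @($u.ProxyAddresses).Count
            }
        }
    }
}

$affected = Get-UsersMissingDefaultAlias -Users $users -Domain $TenantDomain
$affected | Format-Table -AutoSize
$affected | Export-Csv -Path '.\missing-onmicrosoft-alias.csv' -NoTypeInformation
Write-Host "$(@($affected).Count) of $(@($users).Count) synced users lack a $TenantDomain alias"
```

The -like comparison is case-insensitive, so both the primary (SMTP:) and secondary (smtp:) address forms are matched. The exported CSV carries the on-prem sAMAccountName, which is exactly what a bulk version of the fix script needs as input, and re-running the audit after the fix gives you the confirmation step the article asks for without clicking through the portal for each user.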

And before you ask why you would even need this domain: think about the fact that it is the default. You never really know which 3rd-party program or script expects to find that specific e-mail alias on an account.

As always, I hope you find inspiration in this article. I welcome any feedback in the comments, or preferably a follow on LinkedIn @michael-mardahl.

Michael Mardahl

Michael is a Senior Cloud Architect at inciro in Denmark and a Microsoft MVP in Security with nearly three decades of IT experience. He holds Azure Solutions Architect Expert and Microsoft 365 Enterprise Administrator Expert certifications and specializes in guiding organizations through cloud migrations with a focus on security, identity management, and passwordless authentication. He's an early adopter of Microsoft cloud technologies and actively contributes to the community through his technical blog at MSEndpointMgr.com, PowerShell scripts on GitHub, and speaking engagements. His expertise spans Microsoft Intune, Entra ID, Windows Hello for Business, FIDO2, and Cloud Kerberos Trust. When not architecting cloud solutions, Michael spends time with family and friends.

Michael is available for hire as a consultant, which is how he makes a living: helping companies solve problems like the ones he blogs about. Reach out to him via [email protected]

5 comments

  • Thank you! Helped me out when my exec's email was changed incorrectly after we moved to cloud and it wouldn't populate an onmicrosoft address so he couldn't send with the new email.

    Much appreciated

  • Unfortunately, this did not seem to work for me. I added the UPN, updated the user logon name to be the @domain.onmicrosoft.com, and did an AD sync. However, it doesn’t seem like anything changed on the cloud side. I was really hoping this fix would work, but so far the only success I had was the delete on-prem and convert to cloud only account to fix it.

    • Many different things can influence that sync configuration. Sorry to hear it did not work for you.
      Converting to cloud only by means of deleting the on-prem account will break the hybrid configuration and is not supported unfortunately.
      But I hope you will write here if you find out what the blocker was for you doing this, as I have done it with multiple tenants, where I did not have access to the Azure AD Connect sync service.

  • Hey Michael,
    why do we even add the suffix and then remove it?
    “If you wish to get rid of the UPN Suffix, you can do that at this point, it is no longer needed.”

    I saw a lot of confusion here and I would suggest a simple step: open Attribute editor and change UPN. One step.
    Or Set-ADUser -UserPrincipalName $newUpn.
    One step.
    That's the thing I always like to ask people: could I put a @gmail.com UPN, will it work if I do not set it up in the UPN suffixes window? Lots of people get confused till they see the result.

    Cheers, Dmitrii

    • Hi Dmitrii,

      It can be done many ways, so thank you for adding your view.

      When doing a blog on technical things, I must try not to add too much information. So I chose this way with the GUI, which is straightforward – but perhaps not the fastest method though.
