Changes aren't synced to Windows Azure AD after you change the UPN of an on-premises user account to use a different SSO-enabled domain suffix

You update the user principal name (UPN) of an on-premises Active Directory Domain Services (AD DS) user account to use a different single sign-on (SSO)-enabled domain suffix. However, directory synchronization doesn't propagate the change from one federated domain directly to another federated domain for a user ID in Microsoft Office 365.

When the user object is being synced to Microsoft cloud services, you receive the following error message in the synchronization error report:

This problem occurs because you can't use Office 365 tools in a single step to change the UPN suffix of a user ID from one SSO-enabled domain suffix to another SSO-enabled domain suffix.

To work around this problem, use one of the following methods.

Method 1

On a client computer that has the Windows Azure Active Directory Module for Windows PowerShell installed, follow these steps:

1. Click Start, point to All Programs, click Windows Azure Active Directory, right-click Windows Azure Active Directory Module for Windows PowerShell, and then click Run as administrator.
2. Run the following commands, and press Enter after each command:

   1. connect-MSOLService

      Note When you're prompted, enter non-federated Office 365 global administrator credentials.

   2. Set-MsolUserPrincipalName -UserPrincipalName [ExistingUPN] -NewUserPrincipalName [DefaultDomainUPN]

      Note In this command, [ExistingUPN] represents the current UPN of the user ID, and [DefaultDomainUPN] represents the UPN of the user ID that has the domain suffix changed to the default domain.
      
      For example, a Contoso administrator might use the following command:

      Set-MsolUserPrincipalName -UserPrincipalName user1@constoso.com -NewUserPrincipalName user1@contoso.onmicrosoft.com

3. Exit the Windows Azure Active Directory Module for Windows PowerShell.
4. Open the Windows Azure Active Directory Module for Windows PowerShell again. Then, run the following commands, and press Enter after each command:

   1. connect-MSOLService

   2. Set-MsolUserPrincipalName -UserPrincipalName [DefaultDomainUPN] -NewUserPrincipalName [NewUPN]

      Note In this command, [DefaultDomainUPN] represents the UPN of the user ID after you run the command in step 2b, and [NewUPN] is the target UPN to which you are trying to migrate the user ID.

Method 2

1. On a domain controller, follow these steps:
   1. Add your initial domain as an UPN suffix in the on-premises AD DS user account.
   2. Change the user's UPN suffix from your domain to the initial domain.
   3. At the command prompt, run the following command to sync all domain controllers:

      repadmin /syncall /a /p /e /d

2. Force directory synchronization to sync the changes to Windows Azure Actvie Directory (Windows Azure AD). For more info about how to do this, see Force directory synchronization.
3. Confirm that the user name is changed in Office 365.
4. On the domain controller, change the UPN suffix of the user to use the other federated domain.
5. Force directory synchronization to sync the changes to Windows Azure AD. For more info about how do do this, see Force directory synchronization.
6. Verify that the user name changed in Office 365.

For more information, go to the following Microsoft Knowledge Base articles:

Still need help? Go to the Office 365 Community website or the Windows Azure Active Directory Forums website.