Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-5964: Sync failure when user account UPN changes to a different federated domain

App Access Service ,  

8 August,16 at 04:26 PM

Applies to: All versions of Centrify Identity Service with Office 365



Problem:

User failed to provision to Office 365 with the following unexpected error message in Centrify Sync Report:

Unable to update this object in Microsoft Online Services, because the attribute FederatedUser.UserPrincipalName is not valid. Update the value in your local Active Directory


Cause:

Office 365 does not allow changing the federated domain suffix of a user to a different federated domain suffix.

One scenario is: this user has already been synced to office 365 before and then the user’s UPN is now changed to a different federate domain suffix. After running a sync on that user, the above error message displays in Centrify sync report.


Workaround:

1. Install and run Windows Azure Active Directory Module for Windows PowerShell as administrator.

2. Run the following command, pressing Enter after each command:

      Connect-MsolService

(Enter Office 365 admin credentials when prompted)

3. Run the command below to change the user's UPN to e.g. username@yourcompany.onmicrosoft.com:

      Set-MsolUserPrincipalName -UserPrincipalName [ExistingUPN] -NewUserPrincipalName [DefaultDomainUPN]

- Replace [ExistingUPN] with the actual UPN that user currently is having in Office 365 (which can be found by searching user name in Office 365 admin portal, e.g. alias@domainsuffix.com.)
- Replace [DefaultDomainUPN] with the UPN in the format of  username@yourcompany.onmicrosoft.com, e.g. alias@acme.onmicrosoft.com.

4. Run the following command to set the user’s UPN to use the new federated domain:

      Set-MsolUserPrincipalName -UserPrincipalName [DefaultDomainUPN] -NewUserPrincipalName [NewUPN]

- Replace [DefaultDomainUPN] with the UPN in the format of  username@yourcompany.onmicrosoft.com, e.g. alias@acme.onmicrosoft.com.
- Replace [NewUPN] with the UPN that uses the new federated domain.

5. Login to Centrify Cloud Manager. Either:

i. locate and right-click on this affected user and select “Sync All Apps” to sync this user again.

OR

ii. run a full sync in Settings > Provisioning > select the Office 365 app in the drop down list > Start Sync.

6. After sync, check the sync report to verify the user has been provisioned without error.

For further info, see Microsoft KB regarding this issue: https://support.microsoft.com/en-us/kb/2669550(Link provided as a courtesy)


For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/customer-support-portal/

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6041: How to show current license type in use by adclient articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-3925: How to add Centrify parameter to a group policy articleKB-4899: How to delete an "orphaned" synced account from Office 365 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out?