What is the recommended way to change the sync attribute from userPrincipalName to mail?
e.g.:
You only get this option when you FIRST install AD connect.
As far as I can tell, it's disable sync, remove and re-install.
Actually, it's possible. You have to use Synchronization Rules Editor for that. Had a similar issue and had to solve it. I've written a blog post about it.
Basically, you need to find rules that contain UserPrincipalName (as on screens below)
And finally, you replace
IIF(IsPresent([userPrincipalName]),[userPrincipalName], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))
To:
IIF(IsPresent([mail]),[mail], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))
You change it in any rules that have those (should be 2 on default connectors). Obviously, it doesn't have to be mail. It can be anything that is unique enough for you.
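Before flipping the rule from [userPrincipalName] to [mail] (or, in the later answer, the userPrincipalNameAttribute in the exported config), it is worth checking what UPNs the new expression would actually produce. The following is an added example, not code from the thread: it evaluates the IIF expression above in Python for a constructed set of AD users and flags the failure modes that cause sync errors, namely a source value that is missing, not UPN-shaped, in an unverified domain, or duplicated. The domain names and user records are constructed.

```python
# Added example (not from the original post): simulate the Azure AD Connect
# userPrincipalName attribute flow from the thread and pre-flight the switch.
import re
from collections import Counter

DOMAIN_FQDN = "corp.example.com"                        # stands in for %Domain.FQDN%
VERIFIED_DOMAINS = {"corp.example.com", "example.com"}  # constructed tenant domains
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def flow_upn(user, source_attr):
    """IIF(IsPresent([source]),[source],
           IIF(IsPresent([sAMAccountName]),[sAMAccountName]&"@"&%Domain.FQDN%,
               Error("AccountName is not present")))"""
    value = user.get(source_attr)
    if value:
        return value
    sam = user.get("sAMAccountName")
    if sam:
        return f"{sam}@{DOMAIN_FQDN}"
    raise ValueError("AccountName is not present")

def preflight(users, source_attr):
    """Return (sAMAccountName, problem) tuples; an empty list means the switch is safe."""
    problems, upns = [], {}
    for u in users:
        try:
            upn = flow_upn(u, source_attr)
        except ValueError as e:
            problems.append((u.get("sAMAccountName"), str(e)))
            continue
        if not UPN_RE.match(upn):
            problems.append((u["sAMAccountName"], f"not UPN-shaped: {upn}"))
            continue
        if upn.rsplit("@", 1)[1].lower() not in VERIFIED_DOMAINS:
            problems.append((u["sAMAccountName"], f"unverified domain: {upn}"))
        upns[u["sAMAccountName"]] = upn.lower()   # Azure AD UPNs are case-insensitive
    dupes = {v for v, n in Counter(upns.values()).items() if n > 1}
    problems += [(sam, f"duplicate UPN: {upn}") for sam, upn in upns.items() if upn in dupes]
    return problems

# Constructed sample directory: carol has no mail (falls back to sAMAccountName@FQDN),
# bob's mail is in an unverified domain, dave's mail collides with alice's.
USERS = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@corp.example.com", "mail": "Alice.Smith@example.com"},
    {"sAMAccountName": "bob",   "userPrincipalName": "bob@corp.example.com",   "mail": "bob@partner.test"},
    {"sAMAccountName": "carol", "userPrincipalName": "carol@corp.example.com", "mail": None},
    {"sAMAccountName": "dave",  "userPrincipalName": "dave@corp.example.com",  "mail": "alice.smith@example.com"},
]

if __name__ == "__main__":
    for attr in ("userPrincipalName", "mail"):
        print(attr, preflight(USERS, attr))
```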
As far as I can tell, its disable sync, remove and re-install.
Yes, in the configure page you can select mail to sign in.
In your scenario, you can use Remove-AzureADUser to delete those users in Azure AD, then use this new Azure AD Connect to sync them again; in this way, your users can use their mail address to sign in.
Still the same in 2022, you need to install and reinstall.
However, you can simplify this by exporting the ADConnect configuration and using the exported config when reinstalling; this will save you a lot of work, especially if you customized the default settings.
But there's a catch: the source attribute for generating UPNs is written in the exported config, and you can't change it when importing. You'll need to change it manually in the config file.
To use on-premises UPN:
  "identityMappingPolicy": {
    [...]
    "userPrincipalNameAttribute": "userPrincipalName",
    [...]
  },
To use on-premises e-mail address:
  "identityMappingPolicy": {
    [...]
    "userPrincipalNameAttribute": "mail",
    [...]
  },