Hey everyone,
Hope you're all hanging in there with everything that's been happening lately.
We're working on getting all our on-premises devices hybrid Azure AD joined, and for that to work smoothly, the User Principal Name (UPN) that people log in with on their computers needs to match their UPN in Microsoft 365.
I've added the new UPN suffix in the Domains and Trusts, and I managed to update a few users' UPNs manually. However, I'm looking to automate this for all users using PowerShell.
My main question is: what's the best way to get users to start using their new UPN for sign-in? Should I just send out an email saying, "Please log in with your new UPN at the Windows welcome screen"? Has anyone tried a different approach that worked out well?
Just for context:
* Our internal domain is: MicroInternal.com
* Our Microsoft 365 email domain is: MicroWorld.com
Would appreciate any ideas or suggestions. Thanks!
5 Answers
If your users aren't already logging in with their UPN (like if they don't need to enter their username at each sign-in), the switch might be seamless. If they do have to supply their UPN at the welcome screen, definitely let them know about the change in advance!
We did something similar a while back. Users were already logging in without needing to use their full UPN, and everything just worked out fine. If they’re logging in with just their username (like "userid"), changing the UPN shouldn’t cause any issues. Just make sure to test it with a few users first before rolling it out completely. Also, there’s a Microsoft article on preparing a non-routable domain that I recommend checking for the PowerShell script you might need.
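A bulk version of the suffix change the question and this answer describe, as an added example (it is not the commenter's script and not the Microsoft article's): it previews every change with -WhatIf, skips users whose mail attribute would not match the new UPN, and writes a CSV for review before anything is committed. The ActiveDirectory RSAT module and the OU path are assumptions; replace the placeholder OU with your own.

```powershell
# Added example, not from the thread or the Microsoft article.
# Assumptions: the ActiveDirectory module is installed, the suffix MicroWorld.com
# has already been added in AD Domains and Trusts, and $SearchBase is a placeholder.
Import-Module ActiveDirectory

$OldSuffix  = 'MicroInternal.com'
$NewSuffix  = 'MicroWorld.com'
$SearchBase = 'OU=Users,DC=MicroInternal,DC=com'   # placeholder OU, replace
$ReportPath = ".\upn-change-$(Get-Date -Format yyyyMMdd-HHmm).csv"

# Only enabled users still carrying the old suffix; disabled and service
# accounts are left for a separate review rather than changed blindly.
$users = Get-ADUser -SearchBase $SearchBase `
    -Filter "UserPrincipalName -like '*@$OldSuffix' -and Enabled -eq 'True'" `
    -Properties UserPrincipalName, mail

$report = foreach ($u in $users) {
    # Keep the existing UPN prefix; it is not always the sAMAccountName.
    $newUpn = '{0}@{1}' -f $u.UserPrincipalName.Split('@')[0], $NewSuffix

    # Hybrid join expects the on-prem UPN to equal the Microsoft 365 sign-in
    # name, so flag users whose mail attribute differs from the UPN we would set.
    $status = if ($u.mail -and $u.mail -ne $newUpn) { 'CHECK-mail-mismatch' } else { 'OK' }

    if ($status -eq 'OK') {
        # Dry run: remove -WhatIf only after the CSV has been reviewed.
        Set-ADUser -Identity $u.DistinguishedName -UserPrincipalName $newUpn -WhatIf
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUPN         = $u.UserPrincipalName
        NewUPN         = $newUpn
        Mail           = $u.mail
        Status         = $status
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it once with -WhatIf in place, check the rows marked CHECK-mail-mismatch by hand, then remove -WhatIf for the real pass.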
If users are accustomed to using just their SAM Account Name (username without any domain), updating the UPN alone should suffice. We’ve changed ours, and it generally runs smoothly. Just be cautious with the Microsoft 365 part—some users might forget to update it if they’re migrating from .local. Our hybrid join process has improved over the years, so it’s more reliable now than before!
You might also consider updating your Group Policy to set a default login domain for computers. It could help simplify things for users. Just advise them to use their email as a login from now on—having one username across all platforms makes it easier for everyone. Of course, you might want to explain this clearly to avoid confusion!
If you go into Active Directory Users and Computers (ADUC), you can select all users in an OU, right-click and update the UPN in bulk under the account tab. It's a pretty straightforward way to handle large numbers of users at once!

Could you clarify what you mean by GPO default login domain? I want to ensure I understand it correctly.