A User Principal Name (UPN) is an internet-style sign-in name for a user account. A UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name), joined by the "@" symbol.

The userPrincipalName attribute is the name users sign in with in Azure AD and Microsoft 365. You should verify the domains that are used in Azure AD before the users are synchronized.

If your internal AD DS only uses a non-routable domain (e.g., jorgebernhardt.local), it cannot match the verified domain you have in Microsoft 365. You can fix this issue either by changing the primary domain in your on-premises AD DS or by adding one or more UPN suffixes.

In this post, I want to show you how to change the UPN of domain users in Active Directory using the graphical user interface (GUI) and Windows PowerShell.

GUI Workaround

To add a UPN suffix to the on-premises Active Directory using the Active Directory Domains and Trusts snap-in, perform the following steps.

  1.  Open the Active Directory Domains and Trusts snap-in or run domain.msc.
  2.  In the left pane, right-click Active Directory Domains and Trusts and select Properties.
  3.  Under Alternative UPN suffixes, type the name of the suffix you want to add.
  4.  Click Add and then click OK.

UPN Suffix

Once the UPN suffix has been added, you can assign it to a user account. To do this, perform the following steps.

  1. Open the Active Directory Users and Computers snap-in or run dsa.msc.
  2. Locate the user and right-click the user account.
  3. Click Properties and navigate to the Account tab.
  4. Select the required UPN suffix and click OK.

UPN Suffix

PowerShell Workaround

If you want to use PowerShell, you should use the ActiveDirectory module and perform the following steps. If you want to know how to install the PowerShell Active Directory module, check out this link.

To add a UPN suffix to the on-premises Active Directory using PowerShell, use the Set-ADForest cmdlet with the following syntax.

Once the above command has been executed, you can check that the UPN suffix has been added correctly using the Get-ADForest cmdlet.


Finally, you can use the following script to reset the UPNs of multiple user accounts.
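The three PowerShell steps above (add the suffix with Set-ADForest, verify it with Get-ADForest, then reset the UPNs of the affected users) as one script. This is an added example, not the script from the original post: it assumes the ActiveDirectory module is installed and that you run it with rights to modify the forest and the user objects, and the verified domain name and the OU path are constructed placeholders you must replace. It only rewrites users whose UPN still carries the old, non-routable suffix, keeps each user's existing prefix, and runs in -WhatIf mode first so you can review the changes before applying them.

```powershell
# Added example; not the post's own script. Placeholders: $NewSuffix and $SearchBase.
Import-Module ActiveDirectory

$NewSuffix  = 'example.com'                            # placeholder: your verified Microsoft 365 domain
$OldSuffix  = (Get-ADDomain).DNSRoot                   # the non-routable domain, e.g. jorgebernhardt.local
$SearchBase = 'OU=Users,DC=jorgebernhardt,DC=local'    # placeholder: OU holding the users to change
$DryRun     = $true                                    # set to $false to actually apply the changes

# 1. Add the suffix to the forest, but only if it is not already present.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix }
}

# 2. Verify: re-read the forest and stop if the suffix did not land.
if ((Get-ADForest).UPNSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' was not added to the forest."
}
Write-Host "Forest UPN suffixes: $((Get-ADForest).UPNSuffixes -join ', ')"

# 3. Reset the UPN of every user in the OU that still uses the old suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -SearchBase $SearchBase -Properties UserPrincipalName

foreach ($user in $users) {
    # Keep the existing prefix; fall back to sAMAccountName if the UPN is empty.
    $prefix = if ($user.UserPrincipalName) { $user.UserPrincipalName.Split('@')[0] } else { $user.SamAccountName }
    $newUpn = '{0}@{1}' -f $prefix, $NewSuffix

    # UPNs must be unique in the forest; skip rather than create a duplicate.
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" -ErrorAction SilentlyContinue
    if ($clash -and $clash.DistinguishedName -ne $user.DistinguishedName) {
        Write-Warning "Skipping $($user.SamAccountName): '$newUpn' is already used by $($clash.DistinguishedName)"
        continue
    }

    Write-Host "$($user.UserPrincipalName) -> $newUpn"
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf:$DryRun
}
```

Run it once with $DryRun left at $true and read the "What if" lines; the script prints the old and new UPN for every user it would touch and warns about any collision. Only when that output looks right set $DryRun to $false and run it again, then let Azure AD Connect synchronize so the new UPNs match the verified domain.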

Thanks for reading my post. I hope you find it useful.

For more information about user provisioning and synchronization, check out this: https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/use-upn-matching-identity-sync