Azure UPN Change

This week's moment is brought to you by an organizational reorg, a group initiative to centralize certain aspects of IT, and the letters WTF. One of these aspects required my little branch of the organization to give up its Azure UPN suffix and hand it over to the mothership.

Before we get into the hows, lets go over some configs.  First off, we are not using Exchange Online. If your email is in the cloud and is linked to via the AD Connector to Azure, then this won't work for you as part of the process is to remove all the users' email addresses.  Also in my environment, we were using the mail attribute in AD as the Azure UPN.  We were not using the userPrincipalName attribute.  If you are using this attribute then you should still be able to follow these steps....roughly.  By that, I mean either follow them exactly which will end up with you using a different attribute to sync the UPN to Azure or follow it roughly and add a different UPN suffix to your domain using AD domains and trusts and modify all the users in AD to use this new UPN.

I am also assuming you know your way around Azure for the most part.  If there is anything on the list that doesn't make sense feel free to comment and I will see about doing a blog post to cover it in more detail.

Now that all that is out the way let's begin.
  • Work out what your new UPN will be.  Add this domain to Azure as a custom domain.
  • Use the following script to add the new UPN value to the new attribute you are going to use. Note the reason I had to use a new attribute is to modify the mail attribute changes as to how the user is displayed through Outlook.  If you are OK with the new UPN also being how the user is displayed in Outlook then you can skip this and just modify the mail attribute directly.
###########Script to add UPN Value###########

$users = Get-ADUser -filter * -SearchBase "DN of OU containting users" -Properties mail
foreach($user in $users){
if ($user.mail -ne $null){
    $mail = $user.mail
    $newattrib = $mail -replace "@OldDomain","@NewDomain"
    $extattrib = @{ExtensionAttribute1=$newattrib}
    Set-ADObject -Identity $user.DistinguishedName -Replace $extattrib
    }
}
###########End Script###########
  • Wait for AD to replicate.
  • Sync the additional attribute to Azure
    • Go to your AD Connector server. Launch the Synchronization Service console and run a full import on your domain connector.
    • Run a delta import on your domain connector
    • Run a delta import on your azure connector.
    • Run a delta synchronization on your domain connector.
    • Run a delta synchronization on your azure connector.
    • Run an export on your azure connector.
    • Run an export on your domain connector.
  • Modify the Attribute mappings to point the UPN to the new attribute(ExtensionAttribute1)
    • On the AD connector server launch the Synchronization Rules Editors console.
    • Select Inbound
    • Edit the rule called "In from AD - User AccountEnabled".
    • Select Transformations
    • Find the Target attribute of userPrincipalName.
    • Modify the source column to match the following new value:
Old Value - 
IIF(IsPresent([mail]),[mail], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))

New Value - 
IIF(IsPresent([extensionAttribute1]),[extensionAttribute1], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))

    • Save the changes and close the console.
  • Sync the UPN change to Azure
    • Go to your AD Connector server. Launch the Synchronization Service console
    • Run a full import on your domain connector.
    • Run a delta import on your azure connector.
    • Run a full synchronization on your domain connector.
    • Run a delta synchronization on your azure connector.
    • Run an export on your azure connector.
    • Run an export on your domain connector.
  • Confirm the new UPN has synchronized.
    • Launch the Windows Azure Active Directory Module for Powershell.
    • Connect to your azure service.
    • run Get-MsolUser -UserPrincipalName "UPN of a user".  This should return a user.  If not the change has not been pushed to Azure.
  • Configure ADFS to support the new domain
    • Launch the AD FS Management console.
    • Delete ADFS\Trust Relationships\Relying Party Trusts\Microsoft Office 365 Identity Platform
    • From the Windows Azure Active Directory Module for Powershell run:
      • Set-MsolADFSContext –Computer NameOfADFSServer
      • Update-MsolFederatedDomain -DomainName OldDomain -SupportMulitpleDomain
      • Convert-MsolDomainToFederated -DomainName NewDomain -SupportMultipleDomain
    • From a Powershell on the ADFS server run the following command
      • Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID ExtensionAttribute1
  • From the AD FS Management console modify the 1st claim rule
    • From the console go to ADFS\Trust Relationships\Relying Party Trusts
    • Select Microsoft Office 365 Identity Platform and click "Edit Claim Rules"
    • Select the 1st claim rule and click "Edit Rule"
    • Modify the rule to match the New rule below.
Old Rule - 
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

New Rule - 
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};extensionAttribute1,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
    • Restart the Active Directory Federation Services service.
  • Check for remaining objects still connected to the old domain using the Windows Azure Active Directory Module for Powershell.
    • Get-MsolUser -All | where {$_.userPrincipalName -like "*@OldDomain"} 
    • Get-MsolUser -All | where {$_.proxyAddresses -like "*@OldDomain"} 
    • Get-MsolUser -All | where {$_.mail -like "*@OldDomain"} 
    • Get-MsolUser-All | where {$_.targetAddress -like "*@OldDomain"} 
    • Get-MsolGroup -All | where {$_.proxyAddresses -like "*@OldDomain"} 
    • Get-MsolGroup -All | where {$_.mail -like "*@OldDomain"} 
    • Get-MsolGroup -All | where {$_.targetAddress -like "*@OldDomain"}
Each of the above should return nothing.  If results are returned, they will need to be fixed before the old domain can be removed.  For the userPrincipalName, I found that I still had disabled accounts that were in the users OU.  I moved them to an OU that wasn't sync'd with Azure and these went away.

Proxy Addresses are a little more complicated.  To fix those you have to remove the email addresses of each user.  This is why I mentioned above that this is not something you want to do if using Exchange Online.  I found the easiest way to take care of this was to modify the following Outbound rules in the Synchronization Rules Editor.
  • Out to AAD – User Identity
  • Out to AAD – User Exchange Online
  • Out to AAD – User Intune
  • Out to AAD – User Lync Online
  • Out to AAD – User SharepointOnline
  • Out to AAD – User AzureRMS
  • Out to AAD – Group Identity
  • Out to AAD – Group ExchangeOnline
  • Out to AAD – Group Intune
  • Out to AAD – Group LyncOnline
For each rule find the proxyAddresses in the Target Attribute column.  Modify the Source column to point to something else containing an email address of some kind.  For my usage I picked the same attribute as I was using as the UPN, extenstionAttribute1.  Once this is done, allow it to sync up to Azure and use the above commands again to make sure nothing is left.

Once all the above commands return nothing you can remove the old domain.
  • Launch Windows Azure Active Directory Module for Powershell and run the following:
    • Remove-MsolFederatedDomain -DomainName OldDomain -SupportMultipleDomain
As with anything you find on the Internet do this at your own risk.  The above worked for me but won't necessarily work for you...so use with caution.

Comments

Post a Comment

Popular posts from this blog

Local Administrator Password Solution(LAPS)

Image
We have all come across it.  It's a problem as old as the computer itself.  Ever since those first few engineers sat around the PC and said, "Hey Frank, I can'y log in.  What's the password?"  I am of course talking about local admin passwords.  For what ever reason your local admin password will eventually leak out and when it does, it spreads quicker than rumors of free donuts in the break room. You may have combated this with a script that you run once a year that changes the local admin password.  The problem with this solution is that if a machine is turned off or remote then it won't get the script run against it.  You could put the script into a logon script but then your sticking a clear text version of the script onto your network somewhere. "Well, I just use GPO to deploy my passwords using Group Policy Preferences." I hear you say.  This I will agree was an excellent solution until https://technet.microsoft.com/en-us/library/se...
Read more

Error Connecting to Hyper-V Host

Image
Got yourself a Hyper-V host on a nice HP server and can't connect to it remotely from the Hyper-V manager?  You are not alone.  Assuming your error is something like the error below then I may be able to help. The WS-Management service cannot process the request.  The class Msvm_RegisteredProfile does not exist in the root/interop namespace. This has something to do with the HP tools messing with the registration of the MOF's.  All we need to do to fix it is register the MOF files.  To do this, open an administrative command prompt on the server and run the following command. MOFCOMP %SYSTEMROOT%\System32\WindowsVirtualization.V2.mof That will parse through the MOF file and register it on the system leaving you with the nice screenshot below. You should now be able to use your local Hyper-V console to connect to the server and manage away. As with anything you find on the Internet use this at your own risk.  Just because it...
Read more

MBAM Not BitLocking

Image
MBAM is installed,  group policies are set.  You install the MBAM client and nothing happens. First place to start is the Eventlog.  Open eventvwr.msc and browse through to ' Applications and Services Logs\Microsoft\Windows\MBAM' .  In my case I had 'TPM hardware is missing error' This was an easy one to sort out.  Just reboot, enter the BIOS and enable the TPM module.  Some manufacturers do offer tools to do this remotely so might be worth checking with your vendors on this one if you have a bunch of machines to do. Once the machine came back up it still wasn't encrypting the disk so back to the eventlog we go. This time I was presented with 'Unable to connect to the MBAM Recovery and Hardware service.  Access was denied by the remote endpoint.' For this one I started with checking access to the endpoint.  To do this open up regedit and browse to 'HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement' .  Copy...
Read more