In Office 365, you might stumble upon a problem where users' UPN suffixes are still in the domain.onmicrosoft.com format instead of your domain's suffixes (e.g. After you register the new suffix, you update the user UPNs to replace the .local with the new domain name, for example so that a user account looks like billa@contoso.com. After you have updated the UPNs to use the verified domain, you are ready to synchronize your on-premises AD DS with Microsoft 365. On the AD DS domain controller, in the Server Manager choose If you have a lot of users to update, it is easier to use Windows PowerShell. However, any UPN that contains a non-routable domain, for example .local (like billa@contoso.local), will be synchronized to an .onmicrosoft.com domain (like billa@contoso.onmicrosoft.com). If you currently use a .local domain for your user accounts in Active Directory Domain Services (AD DS), it's recommended that you change them to use a verified domain (like billa@contoso.com) in order to properly sync with your Microsoft 365 domain. The most recent tool you can use for synchronizing your AD DS to Azure AD is named Azure AD Connect. Open Active Directory Domains and Trusts. my-company.com). Invalid characters will cause directory synchronization to fail. Directory synchronization will also fail if some of your AD DS users have one or more duplicate attributes. In other words, the domain has to be a valid Internet domain (for example, .com, .org, .net, .us, etc.). Add a UPN suffix If duplicate or unwanted addresses exist, see the Help topic Active Directory is designed to allow the end users in your organization to sign in to your directory by using either In Microsoft 365, the UPN is the default attribute that's used to generate the email address.

With the UPN suffix added, verify that the respective users who need to log on using the new UPN have this set for their Active Directory user account. Add UPN suffixes and update your users to them. For more information, see Azure AD Connect synchronizes your users' UPN and password so that users can sign in with the same credentials they use on-premises. Unexpected characters do not cause directory synchronization to fail but might return a warning. I understand that I need to change it from company.local to mycompany.com. It might take days, or even weeks, to go through the cycle of directory synchronization, identifying errors, and re-synchronization. In your AD DS, complete the following clean-up tasks for each user account that will be assigned a Microsoft 365 license: If possible, ensure a valid and unique value for the For optimal use of the global address list (GAL), ensure the information in the following attributes of the AD DS user account is correct: Successful directory synchronization between your AD DS and Microsoft 365 requires that your AD DS attributes are properly prepared. Now we can add the new domain to the tenant in the Office 365 Portal. For instructions, see You can solve the .local problem by registering a new UPN suffix or suffixes in AD DS to match the domain (or domains) you verified in Microsoft 365. The UPN suffix is used only within the Active Directory forest, and it is not required to be a valid DNS domain name.” Adding a UPN Suffix to a Forest. If your internal AD DS only uses a non-routable domain (for example, .local), this can't possibly match the verified domain you have on Microsoft 365.
UPNs that are used for single sign-on can contain letters, numbers, periods, dashes, and underscores, but no other types of characters. For more information on how to add an alternative UPN suffix to Active Directory, see If you've already set up directory synchronization, the user's UPN for Microsoft 365 may not match the user's AD DS UPN that's defined in your AD DS. For practical reasons, it is possible to add a suffix that corresponds, for example, to the company’s email domain, which allows users to identify themselves with their email address.