Default checks when implementing Hybrid Identity, Part 2: Orphaned UPN Suffixes


Microsoft has introduced an impressive array of technologies and an awesome vision on Hybrid Identity:

Hybrid Identity

Their vision entails seamless access to corporate resources, services and applications for people, no matter where these resources, services and apps are located (either on-premises or in the cloud), while in the meantime allowing for strong authentication and granular authorization.

While Microsoft's Azure Active Directory Hybrid Identity Design Considerations document details a lot of pitfalls you might want to avoid while implementing Microsoft's Hybrid Identity technologies in the areas of process and architecture, my projects, on the other hand, have shown technical customer configurations beyond belief.

In this series I’ll detail these configurations, how they ruin Hybrid Identity dreams and how to fix them.

Today, let’s discuss Orphaned UPN Suffixes and DNS Domain mismatches.

This is a scenario that I encountered at a customer with roughly 140 DNS domain names and 70 DNS domain names registered as federated domains in Azure Active Directory. One of the things I noticed is that it is pretty hard to find UPN Suffixes and manage them adequately, resulting in the below type of misconfiguration.


Domains in Azure Active Directory

Admins in Azure Active Directory can define domains. This way, they can claim their publicly routable DNS domain names and append them as suffixes to online-only account userPrincipalNames. Effectively, they are UPN Suffixes.

Publicly routable in the context of Hybrid Identity means it needs to have a top-level domain part that is on the list of Internet top-level domains. It is a big plus when this is a domain that is actually registered and owned by your organization.

For the above to work, DNS domains need to be validated through DNS. MX records and TXT records with specific values can both be used for this purpose, and Microsoft offers assistance for all large domain name registrars.

Domains in Azure Active Directory can be three types:

  1. Unverified
  2. Managed
  3. Federated

A domain in Azure AD can be converted from a managed domain to a federated domain using the Convert-MsolDomainToFederated Windows PowerShell Cmdlet in the Azure Active Directory PowerShell Module. Convert-MsolDomainToStandard can be used to convert an Azure Active Directory domain the other way around.

UPN Suffixes in Windows Server Active Directory

In on-premises Windows Server Active Directory Domain Services implementations, admins can also define domains, either as part of an existing forest, or as part of a new forest. Per forest, userPrincipalName Suffixes can be added to the UPN Suffix list, which, by default, contains the DNS domain name of the domain itself.

UPN Suffixes in on-premises Windows Server Active Directory Domain Services do not need to be publicly routable. They only need to be publicly routable if you intend to use them for federation and/or Hybrid Identity.

UPN Suffixes can be added using the Active Directory Domains and Trusts snap-in (domain.msc). Perform these steps:

  1. Right-click Active Directory Domains and Trusts in the Tree window pane, and then select Properties from the context menu.
  2. On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the Active Directory forest.
  3. Click Add, and then click OK.
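The same change can be scripted with the Active Directory PowerShell Module. The block below is an added example and is not part of the original post; it assumes you run it with Enterprise Admin rights on a domain-joined device, and the suffix value is a placeholder to replace with a DNS domain your organization actually owns:

```powershell
# Added example: scripted equivalent of the Active Directory Domains and Trusts steps above.
Import-Module ActiveDirectory

# Placeholder value; replace with a publicly routable DNS domain you own
$NewSuffix = 'example.com'

$Forest = Get-ADForest

# The forest's own DNS name is an implicit UPN Suffix, so check both it and the added list
if ($Forest.Name -eq $NewSuffix -or $Forest.UPNSuffixes -contains $NewSuffix) {
    "UPN Suffix $NewSuffix is already available in forest $($Forest.Name)."
}
else {
    # Adding a UPN Suffix changes the forest-wide list (requires Enterprise Admin rights).
    # Append -WhatIf to preview the change without applying it.
    Set-ADForest -Identity $Forest.Name -UPNSuffixes @{Add = $NewSuffix}

    # Verify the suffix now shows up in the forest-wide list
    if ((Get-ADForest).UPNSuffixes -contains $NewSuffix) {
        "UPN Suffix $NewSuffix added to forest $($Forest.Name)."
    }
    else {
        "UPN Suffix $NewSuffix was not added; check your permissions."
    }
}
```

Removing a suffix works the same way with `@{Remove = $Suffix}`, and it has the same side effect as the snap-in: user objects already configured with that suffix keep it in their userPrincipalName.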

Using UPN Suffixes for Federation or Integration

When you want to use UPN Suffixes in Microsoft's Hybrid Identity vision, you'll need to add at least one publicly routable UPN Suffix to your on-premises Windows Server Active Directory Domain Services implementation. Then, the user accounts used by people in your organization need to be configured with a userPrincipalName of which the domain part is the publicly routable UPN Suffix.

The entire story above results in the situation depicted below:

UPNs and Domains

The DNS Domain verified for Azure Active Directory corresponds to the UPN Suffix for the Windows Server Active Directory Forest, and user objects in it have the UPN Suffix applied.

Configuring Alternate Login ID negates the requirement for having a publicly routable UPN Suffix, but will result in certain scenarios of the Hybrid Identity vision being unavailable.


The problem

One of the problems you might encounter, especially in migration scenarios, is that you can remove UPN Suffixes using Active Directory Domains and Trusts (domain.msc), but this will not remove or reset the UPN Suffix in the userPrincipalName for the user accounts configured with them.

This may result in what I call an orphaned UPN Suffix configured for user accounts.

In migration, merger, acquisition and/or divestiture scenarios, this might pose a problem. For instance, when you first implement Hybrid Identity, you would configure Azure Active Directory domains for each publicly routable UPN Suffix in Windows Server Active Directory, based on the UPN Suffixes for the Windows Server Active Directory Forest.

Then, on the Monday after the implementation, a lot of people might not be able to enjoy the benefits of Hybrid Identity, because a lot of user objects might have orphaned UPN Suffixes…
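To see the problem on actual user objects, the following added example (not part of the original post, and going one step further than its detection script by also proposing a fix) lists user accounts whose userPrincipalName suffix is no longer in the forest's UPN Suffix list and previews moving them to a suffix that is. It assumes the Active Directory PowerShell Module is installed; the target suffix is a placeholder that you must replace with a UPN Suffix of your forest that is also a verified Azure AD domain:

```powershell
# Added example: find user objects with an orphaned UPN Suffix and preview a fix.
Import-Module ActiveDirectory

$Forest = Get-ADForest
# The forest DNS name plus all explicitly added UPN Suffixes
$ValidSuffixes = @($Forest.Name) + @($Forest.UPNSuffixes)

# Placeholder: the suffix orphaned accounts should receive
$TargetSuffix = 'example.com'
if ($ValidSuffixes -notcontains $TargetSuffix) {
    throw "Target suffix $TargetSuffix is not a UPN Suffix of forest $($Forest.Name)."
}

# A user object is orphaned when the part after '@' is not in the forest's list
$Orphaned = Get-ADUser -Filter * | Where-Object {
    $Suffix = ($_.UserPrincipalName -split '@')[1]
    $Suffix -and ($ValidSuffixes -notcontains $Suffix)
}

"Found $(@($Orphaned).Count) user object(s) with an orphaned UPN Suffix."

foreach ($User in $Orphaned) {
    $Prefix = ($User.UserPrincipalName -split '@')[0]
    $NewUPN = "$Prefix@$TargetSuffix"

    # userPrincipalName must be unique in the forest; skip collisions instead of failing
    if (Get-ADUser -Filter "UserPrincipalName -eq '$NewUPN'") {
        "Skipping $($User.SamAccountName): $NewUPN is already in use."
        continue
    }

    "$($User.SamAccountName): $($User.UserPrincipalName) -> $NewUPN"
    # -WhatIf only reports the change; remove it to apply
    Set-ADUser -Identity $User -UserPrincipalName $NewUPN -WhatIf
}
```

Run it with `-WhatIf` first and review the list: a changed userPrincipalName is synchronized to Azure Active Directory and is what people sign in with afterwards, so announce the change before applying it.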


Fixing it

Together with a little help from Ben Gelens and Mark Scholman, colleagues at INOVATIV, and some invaluable help from Jeff Wouters, I created a script that enumerates the UPN Suffixes in your Windows Server Active Directory environment and Azure AD DNS Domains. Then, it'll go through the user objects and detect:

  • Orphaned UPN Suffixes
    UPN Suffixes used for user accounts that are no longer in the UPN Suffix list for the on-premises Windows Server Active Directory Forest.
  • Unused UPN Suffixes
    UPN Suffixes that are listed in the list of available UPN Suffixes for the on-premises Windows Server Active Directory Forest, but are not used with any user object.
  • Illogically Federated Domains
    Azure AD Domains that use federated authentication, but that have no UPN Suffix configured for the on-premises Windows Server Active Directory Forest.
  • Federatable Domains
    UPN Suffixes configured for the on-premises Windows Server Active Directory Forest, but that are not configured as Azure AD Domains that use federated authentication.

The script is below. It can be run on any domain-joined device running Windows 8 or up and Windows Server 2012 or up, with both the Active Directory and Azure Active Directory PowerShell Modules installed:


Import-Module ActiveDirectory
Import-Module MSOnline

#Ask for credentials to connect to Azure Active Directory
$cred = Get-Credential
Connect-MsolService -Credential $cred

#Get the Azure DNS Domains and on-premises UPN Suffixes
$AzureADDomains = (Get-MsolDomain -Authentication Federated) | Select-Object -ExpandProperty Name
$UPNSuffixesInUse = (Get-ADUser -Filter *).UserPrincipalName |
    Where-Object { $_ } |                       #Skip user objects without a userPrincipalName
    ForEach-Object { ($_ -split '@')[1] } |      #Keep only the suffix part
    Sort-Object -Unique
$DefaultUPNSuffix = Get-ADForest | Select-Object -ExpandProperty Name
$AddedUPNSuffixes = Get-ADForest | Select-Object -ExpandProperty UPNSuffixes

#Add optionally added UPN Suffixes to the list of UPN Suffixes
if ($AddedUPNSuffixes.Count -gt 0) {
    $ADUPNSuffixes = @($DefaultUPNSuffix) + @($AddedUPNSuffixes)
}
else {
    $ADUPNSuffixes = @($DefaultUPNSuffix)
}

#Check for missing on-premises UPN Suffixes
ForEach ($m in $AzureADDomains) {
    if ($ADUPNSuffixes -notcontains $m) {
        "Azure AD Federated Domain $m is not configured as a UPN Suffix."
    }
}

#Check for missing Azure DNS Domains
ForEach ($f in $ADUPNSuffixes) {
    if ($AzureADDomains -notcontains $f) {
        "UPN Suffix $f may be added to the Azure AD Federated Domains."
    }
}

#Check for on-premises UPN Suffixes that are not assigned to users
ForEach ($o in $ADUPNSuffixes) {
    if ($UPNSuffixesInUse -notcontains $o) {
        "UPN Suffix $o is not assigned to any user object."
    }
}

#Check for orphaned UPN Suffixes on-premises
ForEach ($u in $UPNSuffixesInUse) {
    if ($ADUPNSuffixes -notcontains $u) {
        "UPN Suffix $u is an orphaned UPN Suffix."
    }
}


You can download the Windows PowerShell script here.



Equipped with the information from the script, you know the exceptions to the list of UPN Suffixes for the Windows Server Active Directory Forest. You can decide conclusively which DNS Domains to register and federate, and set priorities in your migration and/or implementation process accordingly.

Further reading

Azure AD domains
Configuring Alternate Login ID
Finding UPN suffixes
