Remediating the UPN suffix
Figure 3-17 Setting the default UPN suffix when creating a user in ADUC.
The default UPN suffix cannot be changed, because it was associated with the AD forest
when the forest was first created. Therefore, you will need a way to properly set the UPN
suffix of all existing users to the correct default UPN suffix so that Directory Sync can
correctly create the Office 365 account. You will also need to select the correct UPN suffix for
new users at the time they are created. This can be done manually, as shown in Figure 3-16.
This can also be automated using several methods such as Windows PowerShell or through
Forefront Identity Manager (FIM). Automation is the preferred approach because it is easy
to forget to set the correct default UPN suffix for new users.
Windows PowerShell is also the method you will use to bulk set users’ default UPN, either
organization-wide or by OU.
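Before changing UPNs in bulk, it helps to know which accounts carry a suffix other than the intended one. The following read-only report is an added example, not part of the original text; the OU path, the `<intended UPN suffix>` value, and the output file name are placeholders chosen for illustration.

```powershell
# Added example: report users whose UPN suffix differs from the intended one.
# Values in <> and the CSV file name are placeholders; replace them before running.
Import-Module ActiveDirectory

$searchBase     = "ou=<OU Name>,dc=<domain name>,dc=<com or org or net>"
$expectedSuffix = "<intended UPN suffix>"

# Suffixes a user can be given: the forest's own domain names plus any
# alternative UPN suffixes registered on the forest.
$forest        = Get-ADForest
$knownSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
if ($knownSuffixes -notcontains $expectedSuffix) {
    Write-Warning "'$expectedSuffix' is not a domain name or registered UPN suffix in this forest."
}

# Collect one row per user; UserPrincipalName, SamAccountName and Enabled
# are returned by Get-ADUser by default.
$report = Get-ADUser -SearchBase $searchBase -SearchScope Subtree -Filter * |
    ForEach-Object {
        $upn = $_.UserPrincipalName
        # Some accounts have no UPN at all; list them under '<none>'.
        $suffix = if ($upn -and $upn.Contains('@')) {
            $upn.Substring($upn.LastIndexOf('@') + 1)
        } else {
            '<none>'
        }
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            UserPrincipalName = $upn
            Suffix            = $suffix
            Enabled           = $_.Enabled
        }
    }

# Number of accounts per suffix, largest group first.
$report | Group-Object Suffix | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Accounts that still need their UPN suffix corrected.
$report | Where-Object { $_.Suffix -ne $expectedSuffix } |
    Export-Csv -Path .\upn-mismatch.csv -NoTypeInformation
```

Running the same report again after the bulk update confirms that no account was missed.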
The following Windows PowerShell script updates the UPN suffix of all users in a particular
#Script to update the UPN suffix
#Replace the fields indicated with <> with actual field names
Import-Module ActiveDirectory
Get-ADUser -SearchBase "ou=<OU Name>,dc=<domain name>,dc=<com or org or net>" `
-SearchScope OneLevel -Filter * |
ForEach-Object {
