Upn site microsoft.com




















Azure AD Connect synchronizes your users' UPN and password so that users can sign in with the same credentials they use on-premises. In other words, the domain has to be a valid Internet domain such as,. If your internal AD DS only uses a non-routable domain for example, ". Change your primary domain to a domain you have verified in Microsoft , for example, contoso. Every user that has the domain contoso. This is a very involved process, however, and an easier solution is described in the following section.

You can solve the ". After you register the new suffix, you update the user UPNs to replace the ". Windows ran into a problem and needs to restart. You should close this message now and save your work". The device must be unjoined from Azure AD and restarted. After restart, the device will automatically join Azure AD again and the user must sign in using the new UPN by selecting the "Other user" tile.

To unjoin a device from Azure AD, run the following command at a command prompt:. The user will need to re-enroll for Windows Hello for Business if it's being used. Windows 7 and 8. Your organization might require the use of the Microsoft Authenticator app to sign in and access organizational applications and data. Although a username might appear in the app, the account isn't set up to function as a verification method until the user completes the registration process. The Microsoft Authenticator app has four main functions:.

Act as an Authentication Broker on iOS and Android devices to provide single sign-on for applications that use brokered authentication. The Microsoft Authenticator app offers an out-of-band verification option. Instead of placing an automated phone call or SMS to the user during sign-in, Multi-Factor Authentication (MFA) pushes a notification to the Microsoft Authenticator app on the user's smartphone or tablet. The user simply taps Approve or enters a PIN or biometric and taps "Authenticate" in the app to complete their sign-in.

When you change a user's UPN, the old UPN still displays on the user account and a notification might not be received. Verification codes continue to work. If a notification is received, instruct the user to dismiss the notification, open the Authenticator app, tap the "Check for notifications" option and approve the MFA prompt. After this, the UPN displayed on the account will be updated.

Note that the updated UPN might be displayed as a new account; this is due to other Authenticator functionality being used. For more information, refer to the additional known issues in this article. Device identification - The broker accesses the device certificate created on the device when it was workplace joined. Application identification verification - When an application calls the broker, it passes its redirect URL, and the broker verifies it.

Additionally, it allows applications to participate in more advanced features such as Conditional Access , and supports Microsoft Intune scenarios.

Workaround: The user needs to manually remove the account from Microsoft Authenticator and start a new sign-in from a broker-assisted application. The account will be automatically added after the initial authentication. Device registration allows the device to authenticate to Azure AD and is a requirement for the following scenarios:.

There is no change in the normal functionality of Device Registration or the dependent scenarios. Workaround: To remove all references to the old UPN on the Microsoft Authenticator app, instruct the user to manually remove both the old and new accounts from Microsoft Authenticator, re-register for MFA and rejoin the device.

Phone sign-in allows users to sign in to Azure AD without a password. To enable phone sign-in, the user needs to register for MFA using the Authenticator app and then enable phone sign-in directly on Authenticator. As part of the configuration, the device registers with Azure AD. Otherwise, the sync process fails, and you may receive an error message that resembles the following example:.

Unable to update this object in Microsoft Online Services because the user principal name that is associated with this object in the local Active Directory is already associated with another object. To resolve this error, remove the associated object in your local Active Directory. UPN soft match is automatically enabled for organizations that started syncing to Azure AD on or after March 30, Force directory synchronization. For more information, see Force directory synchronization.
