In this case there was O365 tenant with multiple federated domains. And after changing the UPN suffix for several users in on premise domain, those changes were not replicated in Azure AD. There was an error generated with following description:
There is a support article published by Microsoft with two workarounds on https://support.microsoft.com/en-us/help/2669550/changes-aren-t-synced-by-the-azure-active-directory-sync-tool-after-yo .
In previous cases Set-AzureADUser -ObjectId [DefaultDomainUPN] -UserPrincipalName [NewUPN], was sufficient for resolving the issues with Azure AD synchronization. Unfortunately, in this case executing this cmdlet generated the following error:
"Property passwordProfile.password value is required but is empty or missing" for the federated user, with ADFS configured and functional ?
Anyway, in order to resolve the issue, I've created new Microsoft.Open.AzureAD.Model.PasswordProfile object with "Password" and "ForceChangePasswordNextLogin" properties. Here is the powershell:
Now, I was able to execute the Set-AzureADUser with following syntax:
After successful execution of the above cmlets, Azure AD synchronization issues were solved successfully.
Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services.
There is a support article published by Microsoft with two workarounds on https://support.microsoft.com/en-us/help/2669550/changes-aren-t-synced-by-the-azure-active-directory-sync-tool-after-yo .
In previous cases Set-AzureADUser -ObjectId [DefaultDomainUPN] -UserPrincipalName [NewUPN], was sufficient for resolving the issues with Azure AD synchronization. Unfortunately, in this case executing this cmdlet generated the following error:
Set-AzureADUser : Error occurred while executing SetUser
Code: Request_BadRequest
Message: Property passwordProfile.password value is required but is empty or missing.Details: PropertyName - passwordProfile.password, PropertyErrorCode - PropertyRequired
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
"Property passwordProfile.password value is required but is empty or missing" for the federated user, with ADFS configured and functional ?
Anyway, in order to resolve the issue, I've created new Microsoft.Open.AzureAD.Model.PasswordProfile object with "Password" and "ForceChangePasswordNextLogin" properties. Here is the powershell:
$AADPP = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$AADPP.Password = “strongP@ssw0rd1!”
$AADPP.ForceChangePasswordNextLogin = “False”
Now, I was able to execute the Set-AzureADUser with following syntax:
Set-AzureADUser -ObjectId [oldDomUPN] -UserPrincipalName [tenant.onmicrosoft.com] -PasswordProfile $AADPP
Set-AzureADUser -ObjectId [tenant.onmicrosoft.com] -UserPrincipalName [NewDomainUPN]
After successful execution of the above cmlets, Azure AD synchronization issues were solved successfully.
