
Clean Up Active Directory

Applies To: Azure, Office 365, Windows Intune

Your Active Directory environment must be properly configured in order to work with single sign-on. In particular, the userPrincipalName (UPN) attribute, also known as a user logon name, must be set up for each user in a specific way.

Important
If Active Directory cleanup is not performed before the deployment process, there can be a significant negative impact to the directory synchronization and on-boarding process. It could take days, or even weeks, to iterate through the cycle of directory syncing, identifying syncing errors, and re-syncing.

In your organization’s Active Directory forest, perform the following clean-up tasks:

  • Ensure that each user who is assigned Office 365 service offerings has a valid and unique email address. Remove any duplicate values in the proxyAddresses and userPrincipalName attributes anywhere in your forest.

  • Populate the following username attributes:

    • First Name

    • Last Name

    • Display Name

      Note
      For a better user experience and a more complete global address list (GAL), do not leave these user name attributes blank.

  • For optimal use of the Global Address List (GAL), populate the following GAL attributes:

    • Job Title

    • Department

    • Office

    • Office Phone

    • Mobile Phone

    • Fax Number

    • Street Address

    • City

    • State or Province

    • Country or Region

Successful directory synchronization between your on-premises Active Directory and Office 365 requires that your on-premises directory objects and attributes are properly prepared. For example, you will need to ensure that specific characters are not used in certain Active Directory objects and attributes that are synchronized with the Office 365 environment. These objects and attributes include:

  1. userPrincipalName

  2. sAMAccountName

  3. proxyAddresses

  4. givenName

  5. sn (surname)

  6. displayName

  7. mailNickname (Exchange alias)

  8. mail

For details about valid characters associated with these attributes and about additional attribute requirements, see Appendix E Directory Object Preparation.
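The clean-up tasks and the attribute list above are easier to act on if you can first measure how much clean-up is needed. The following script is an added example, not part of the original page or of any Microsoft tool; it assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read every domain in the forest, and it applies the character rule this page states for single sign-on UPNs (letters, digits, periods, dashes and underscores) as an approximation of the full Appendix E rules, which are not reproduced here.

```powershell
# Added forest audit script (not from the original page). Assumes the
# ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$attrs  = 'userPrincipalName','sAMAccountName','proxyAddresses','givenName',
          'sn','displayName','mailNickname','mail'

# Collect every enabled user from every domain in the forest.
$users = foreach ($domain in $forest.Domains) {
    Get-ADUser -Server $domain -Filter 'enabled -eq $true' -Properties $attrs
}

# 1. Duplicate userPrincipalName values across the whole forest.
$dupUpn = $users | Where-Object { $_.userPrincipalName } |
    Group-Object userPrincipalName | Where-Object Count -gt 1

# 2. Duplicate proxyAddresses. A user can carry several, so flatten them first;
#    compare case-insensitively because the address part is not case-sensitive.
$dupProxy = $users | ForEach-Object {
    $u = $_
    foreach ($addr in $u.proxyAddresses) {
        [pscustomobject]@{ Address = $addr.ToLowerInvariant(); User = $u.DistinguishedName }
    }
} | Group-Object Address | Where-Object Count -gt 1

# 3. Blank user name attributes that would leave holes in the GAL.
$blank = $users | Where-Object { -not $_.givenName -or -not $_.sn -or -not $_.displayName }

# 4. UPNs that break the single sign-on character rule stated on this page
#    (prefix: letters, digits, '.', '-', '_'; suffix: a DNS name).
$upnPattern = '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$'
$badUpn = $users | Where-Object { $_.userPrincipalName -and $_.userPrincipalName -notmatch $upnPattern }

"Users examined:            $(@($users).Count)"
"Duplicate UPNs:            $(@($dupUpn).Count)"
"Duplicate proxy addresses: $(@($dupProxy).Count)"
"Blank name attributes:     $(@($blank).Count)"
"UPNs with invalid chars:   $(@($badUpn).Count)"

# Hand the detail to whoever owns the clean-up. File names are assumptions.
$dupUpn   | Select-Object Name, Count | Export-Csv .\dup-upn.csv -NoTypeInformation
$dupProxy | Select-Object Name, Count | Export-Csv .\dup-proxy.csv -NoTypeInformation
$blank    | Select-Object DistinguishedName, givenName, sn, displayName | Export-Csv .\blank-names.csv -NoTypeInformation
$badUpn   | Select-Object DistinguishedName, userPrincipalName | Export-Csv .\bad-upn.csv -NoTypeInformation
```

Run it before the first synchronization and again after each clean-up pass; when all four counts reach zero, the forest is in the state the list above describes and the sync errors the Important note warns about have been avoided rather than diagnosed after the fact.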

The targetAddress attribute that is populated for the user (for example, SMTP:John.Doe@contoso.com) must appear in the Exchange Online Global Address List. In third-party messaging migration scenarios, this requires the Exchange schema extension for the on-premises Active Directory. The Exchange schema extension also adds other attributes that are useful for managing Office 365 objects populated from on-premises by the Azure Active Directory Sync tool; for example, it adds the msExchHideFromAddressLists attribute, which is used to hide mailboxes or distribution groups. For more information, see Third-party mail migration to Office 365 – fixes and tips.

You must add an alternative UPN suffix to associate the user’s corporate credentials with the Office 365 environment. A UPN suffix is the part of a UPN to the right of the @ character. UPNs that are used for single sign-on can contain letters, numbers, periods, dashes, and underscores, but no other types of characters.

  1. Click Start, Administrative Tools, and then click Active Directory Domains and Trusts.

  2. Log on to one of your organization’s Active Directory domain controllers.

  3. In the console tree, right-click Active Directory Domains and Trusts and then click Properties.

  4. Select the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.

  5. Repeat step 3 to add additional alternative UPN suffixes.

If your Active Directory domain name ends with a “.local” suffix, you will need to set a UPN that can be registered with Office 365. It is recommended that you use something familiar to the user, such as his or her email domain.

If you have not yet set up Active Directory synchronization, you can skip this task and continue with the next section.

If you have already set up Active Directory synchronization, the user’s UPN for Office 365 may not match the user’s on-premises UPN defined in Active Directory. This can occur when a user was assigned a license before the domain was verified. To remedy this issue, use Windows PowerShell to update users’ UPNs to ensure that their Office 365 UPN matches their corporate user name and domain.
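The UPN suffix procedure above and the PowerShell remediation this paragraph describes can both be scripted. The following is an added example, not code from the original page or from Microsoft; it assumes the ActiveDirectory module on a domain-joined machine, the Azure Active Directory Module for Windows PowerShell (MSOnline) with a session already opened by Connect-MsolService, and the domain names corp.local, contoso.com and contoso.onmicrosoft.com, which are placeholders for your own non-routable suffix, verified Office 365 domain and initial tenant domain.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory and
# MSOnline modules and a connected MSOnline session. All domain names are
# placeholders; replace them with your own.
Import-Module ActiveDirectory

$oldSuffix    = 'corp.local'                # assumed non-routable ".local" suffix
$newSuffix    = 'contoso.com'               # assumed verified Office 365 domain
$tenantSuffix = 'contoso.onmicrosoft.com'   # assumed initial tenant domain

# Step 1: register the alternative UPN suffix on the forest. This is the
# PowerShell equivalent of the UPN Suffixes tab in Active Directory Domains and Trusts.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $newSuffix }
}

# Step 2: move users from the ".local" suffix to the routable one, keeping the prefix.
$users = Get-ADUser -Filter "userPrincipalName -like '*@$oldSuffix'"
foreach ($u in $users) {
    $prefix = $u.userPrincipalName.Split('@')[0]

    # Refuse to write a UPN that breaks the single sign-on character rule on this page.
    if ($prefix -notmatch '^[A-Za-z0-9._-]+$') {
        Write-Warning "Skipping $($u.DistinguishedName): prefix '$prefix' contains characters not allowed for SSO"
        continue
    }

    # -WhatIf shows the change without applying it; remove it once the output looks right.
    Set-ADUser -Identity $u -UserPrincipalName "$prefix@$newSuffix" -WhatIf
}

# Step 3, only when synchronization already ran and the cloud UPN does not match:
# users licensed before the domain was verified typically carry the tenant's
# onmicrosoft.com suffix in Office 365. Rename them to the corporate domain so the
# cloud UPN matches the on-premises one.
Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like "*@$tenantSuffix" } |
    ForEach-Object {
        $prefix = $_.UserPrincipalName.Split('@')[0]
        Set-MsolUserPrincipalName -UserPrincipalName $_.UserPrincipalName `
                                  -NewUserPrincipalName "$prefix@$newSuffix"
    }
```

Keep the suffix registration (step 1) separate from the per-user rename (step 2): the first is a one-time forest change, the second is the bulk edit that should be run with -WhatIf first and reviewed, because a renamed UPN is what users will type at sign-in from then on.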

© 2014 Microsoft