Changing the userPrincipalSuffix with Azure AD Connect

The userPrincipalName attribute in Active Directory is not always known by the users and might not be suitable as the sign-in ID. The Azure AD Connect sync installation wizard allows picking a different attribute, e.g. mail. But in some cases the attribute must be calculated.

The company Contoso has two Azure AD directories, one for production and one for testing. They want the users in their test tenant to just change the suffix in the sign-in ID.

Let’s take an example the company Contoso user’s UPN is set as JohnB@contoso.local, they wanted Sign ID to be The SMTP/ProxyAddress is different than the UPN like John.Basco@contosocom

Yes, can be done and Azure AD Connect Sync Declarative Provisioning Expressions

Note –  that this will not work with federation as the sign-in method. ADFS would not be able to find the user.

First, you have to launch the Synchronization Editor Rules tool on your ADConnect computer

When running the Synchronization Rule Editor, Look at “inbound” rule.

Select In from AD – User AccountEnabled and then edit



Edit inbound syncronisaiton rule and go to “Transformations”.

userPrincipalName <- Word([userPrincipalName],1,"@") & ""

Remove existing value and add this value Word([userPrincipalName],1,"@") & ""

In this expression we take everything left of the first @-sign (Word) and concatenate with a fixed string.






Comments (2)

  1. richard says:

    Hi Vinayak, Thanks for the article, that worked for me.
    I’m also trying to do a similar thing with the proxy addresses attribute.
    I can set easily enough a proxy attribute using an expression (to keep it simple, lets say I’m using:

  2. Johan Lysén says:

    This might be ok as well i think;

    IIF(IsPresent([userPrincipalName]),Word([userPrincipalName],1,”@”)&””, IIF(IsPresent([sAMAccountName]),([sAMAccountName]&””),Error(“AccountName is not present”)))

Skip to main content