O365 - federated domain users who aren’t in On Prem AD

I’m seeing a small but strange issue in an environment that has Okta, on prem AD, Azure AD and O365.  

There are users in Azure/O365 with usernames using the federated domain.com, however I do not see them in on prem AD. They are classified as “in-cloud”.
So how come if I try and create another user in Azure or O365, I cannot specify the same domain.com in its username since I get an error that the domain is federated?

It might be possible that they were created initially with the default onmicrosoft domain and afterwards their domain was changed to the federated one through the command line:

# Change a cloud-only user's UPN from the default onmicrosoft.com suffix to the federated domain
Set-MsolUserPrincipalName -UserPrincipalName user1@tenant.onmicrosoft.com -NewUserPrincipalName user1@federateddomain.com

The above cmdlets are old; you need to use the new Azure AD module for the same.

garryshape (Author) Commented:
I tried that but what happens is I get this error:
Set-MsolUserPrincipalName : You must provide a required property: Parameter name: FederatedUser.SourceAnchor

This indicates the user would need to be in Okta -- but the other users who are "in-cloud" and have the domain.com UPN are not in Okta nor in AD.

That's why I'm wondering if maybe they were set up at a different time, perhaps before the domain was federated.

Is there a way to see when the domain was federated?
Have you created a test user (cloud only) with tenant.onmicrosoft.com as the UPN and later tried the command line to change the UPN to the federated one?

Also, are you using Azure AD Connect for sync, or are you using a tool from Okta for the same?

garryshape (Author) Commented:
Yes, I tried setting it to the federated one but got:

Set-MsolUserPrincipalName : You must provide a required property: Parameter name: FederatedUser.SourceAnchor.
Okta appears to have the users in its People database but doesn't provision to O365. There are some federated domain users who don't appear in Okta nor in AD.
It seems that the users with the federated domain showing as cloud-only were created before you set up the O365 integration with Okta (i.e. federation).

Do those users have active mailboxes?

If those are not in use, you can ignore them; or, if you can, create them in AD and sync them to O365 with Okta.
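To find which cloud-only accounts carry the federated suffix (the situation both answers above describe), here is an added audit script that is not from this thread. It assumes the MSOnline module is installed, an existing Connect-MsolService session, and the function name is my own.

```powershell
# Added example (not from the thread). Assumes the MSOnline module and that
# Connect-MsolService has already been run. MSOnline is deprecated in favour of
# the newer Azure AD / Microsoft Graph modules, but it is what the thread uses.
function Get-CloudOnlyFederatedUpnUsers {
    # Names of the tenant's federated domains, lower-cased for comparison
    $federated = Get-MsolDomain -Authentication Federated |
        ForEach-Object { $_.Name.ToLower() }

    if (-not $federated) {
        Write-Warning "No federated domains found in this tenant."
        return
    }

    Get-MsolUser -All | ForEach-Object {
        $suffix = ($_.UserPrincipalName -split '@')[-1].ToLower()

        # A directory-synced user carries an ImmutableId (the source anchor that
        # Set-MsolUserPrincipalName demands for a federated UPN). Cloud-only
        # users have none, which is exactly why the UPN change in the thread fails.
        $isCloudOnly = [string]::IsNullOrEmpty($_.ImmutableId)

        if ($isCloudOnly -and ($federated -contains $suffix)) {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                DisplayName       = $_.DisplayName
                WhenCreated       = $_.WhenCreated
                LastDirSyncTime   = $_.LastDirSyncTime
                Licensed          = $_.IsLicensed
            }
        }
    }
}

# Oldest accounts first: compare WhenCreated against your own record of when
# the domain was federated to confirm they pre-date the federation.
Get-CloudOnlyFederatedUpnUsers | Sort-Object WhenCreated | Format-Table -AutoSize
```

Unlicensed entries with no mailbox are the candidates the answer above says can be ignored; the rest are the ones to recreate in AD and sync.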
garryshape (Author) Commented:
Thanks, yeah, they were created before it was federated, I learned.