Managing Active Directory does not always have to be complicated. If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why
O365 - federated domain users who aren’t in On Prem AD
I’m seeing a small but strange issue in an environment that has Okta, on prem AD, Azure AD and O365.
There are users in Azure/O365 with usernames using the federated domain.com, however I do not see them in on prem AD. They are classified as “in-cloud”.
So how come if I try and create another user in Azure or O365, I cannot specify the same domain.com in its username since I get an error that the domain is federated?
There are users in Azure/O365 with usernames using the federated domain.com, however I do not see them in on prem AD. They are classified as “in-cloud”.
So how come if I try and create another user in Azure or O365, I cannot specify the same domain.com in its username since I get an error that the domain is federated?
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
I tried that but what happens is I get this error:
Set-MsolUserPrincipalName : You must provide a required property: Parameter name: FederatedUser.SourceAnchor
This indicates the user would need to be in Okta -- but the other users who are "in-cloud" and have the domain.com upn are not in Okta not AD.
That's why I'm wondering if maybe they were setup at a different time perhaps before the Domain was federated.
Is there a way to see when the Domain was federated ?
Set-MsolUserPrincipalName : You must provide a required property: Parameter name: FederatedUser.SourceAnchor
This indicates the user would need to be in Okta -- but the other users who are "in-cloud" and have the domain.com upn are not in Okta not AD.
That's why I'm wondering if maybe they were setup at a different time perhaps before the Domain was federated.
Is there a way to see when the Domain was federated ?
have you created test user (cloud only) with tenant.onmicrosoft.com as UPN and latter tried command line to change UPN to federated one?
Also do you using Azure AD Connect for sync or you are using any tool from OKTA for same?
Also do you using Azure AD Connect for sync or you are using any tool from OKTA for same?
Yes I tried setting it to federated one but got:
Set-MsolUserPrincipalName : You must provide a required property: Parameter name: FederatedUser.SourceAnchor
Okta appears to have the users in its People database but doesn't provision to O365. There are some federated domain users who don't appear in Okta and neither in AD.
Set-MsolUserPrincipalName : You must provide a required property: Parameter name: FederatedUser.SourceAnchor
Okta appears to have the users in its People database but doesn't provision to O365. There are some federated domain users who don't appear in Okta and neither in AD.
it seems that users with federated domain showing as cloud only are created previously before you set O365 integration with OKTA (i.e federation)
are those users having active mailboxes?
If those are not in use, you can ignore them
OR
if you can create them in AD and sync to o365 with OKTA
are those users having active mailboxes?
If those are not in use, you can ignore them
OR
if you can create them in AD and sync to o365 with OKTA
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Office 365
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MCSE Microsoft Certified Systems Engineer - Identity … 440 lessons
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Excel 2007 Adva… 188 lessons
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - PowerPoint 2007… 229 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
Ex:
Open in new window
The above cmdlets are old and you need to use new Azure AD module for same
https://support.microsoft.com/en-in/help/2669550/changes-aren-t-synced-by-the-azure-active-directory-sync-tool-after-yo