When planning a hybrid Office365 deployment, consider your internal Active Directory domain name. If it is the same as your external DNS domain name, you have planned well and will go far in life.

If you’re me, you created an internal domain long before your team decided on an external domain (i.e. found the cheapest semi-professional domain for sale). This eventually put us in the awkward position of having

  • ‘capstone.internal’ AD Domain Name (with DNS zone name) and
  • ‘capstonebeststone.com’ external domain name. (not our real domain name)

With our exclusively on-premises Exchange environment, this setup does not cause mail flow problems because we can simply add ‘capstonebeststone.com’ as an accepted domain inside EAC -> mail flow.

(Screenshot: Accepted Domains in the EAC)

If you have proper MX and SPF records, users are able to log in as Capstone.internal\user but send and receive mail as user@capstonebeststone.com.

However, this will not fly in a hybrid Office365 deployment. There are two ways to overcome this obstacle:

  1. Rename your AD domain – this can be a long procedure with potential risks such as completely wrecking your infrastructure.
  2. Add a UPN suffix to your domain and its users – A User Principal Name suffix is what follows the @ symbol in ‘user@domain.tld’ and represents an AD user object’s logon name in a domain. A user may have multiple UPN-suffix pairs, any of which may be used for domain authentication.

I have chosen to add a UPN suffix because it is the simpler of the two options to satisfy my objective of Office365 Single Sign-On (SSO) integration. We should add the UPN suffix to both the domain as a whole and to all existing mailbox-enabled users.

Inside Active Directory Domains and Trusts, right-click your domain and select Properties. Type your desired UPN suffix, in this case our external domain, and click Add:

(Screenshot: adding the root domain UPN suffix)

To change a user’s UPN suffix, open their properties in Active Directory Users and Computers, navigate to the Account tab, and from the drop-down menu select your new UPN suffix (populated from the domain’s registered suffixes).
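The same two steps driven from PowerShell, as an added example that is not part of the original post: register the suffix at the forest level, confirm it is listed, then change one user’s UPN the way the ADUC Account tab would. The account name jdoe is an assumed sample; the domain names are the post’s placeholders.

```powershell
# Added example: forest-level UPN suffix registration plus a single-user change.
# Assumes the RSAT ActiveDirectory module and a session with rights to modify the forest.
Import-Module ActiveDirectory

$newSuffix = 'capstonebeststone.com'   # external, routable domain (placeholder from the post)
$sam       = 'jdoe'                    # assumed sample account

# 1. Register the suffix on the forest (equivalent of Domains and Trusts -> Properties -> Add).
#    Only registered suffixes appear in the ADUC Account tab drop-down.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $newSuffix}
}

# 2. Confirm the forest now lists it before touching any user.
$registered = (Get-ADForest).UPNSuffixes
if ($registered -notcontains $newSuffix) {
    throw "UPN suffix '$newSuffix' is not registered on forest $($forest.Name)"
}
Write-Host "Registered UPN suffixes: $($registered -join ', ')"

# 3. Change one user's UPN (equivalent of picking the suffix on the Account tab).
#    Set-ADUser accepts any string here, so build the UPN from the suffix just verified.
$user   = Get-ADUser -Identity $sam -Properties mail
$newUpn = "$($user.SamAccountName)@$newSuffix"

# SSO is least confusing when the UPN equals the primary SMTP address; warn if they differ.
if ($user.mail -and $user.mail -ne $newUpn) {
    Write-Warning "$sam : mail attribute '$($user.mail)' does not match new UPN '$newUpn'"
}

# Preview first; remove -WhatIf once the output looks right.
Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf
```

Registering the suffix first matters because Set-ADUser will happily write a UPN whose suffix was never added to the forest; only the GUI drop-down enforces that, and Office 365 SSO later depends on the suffix being a verified domain in the tenant.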

(Screenshots: the user’s UPN suffix choices; the user’s new UPN suffix)

Alternatively, you can add a UPN suffix to every domain user (or every user in a specific OU), setting it as their default using the following PowerShell script, borrowed from JustinCredible at Spiceworks Script Center (also an IT Pro from Edmonton, AB, coincidentally):

Import-Module ActiveDirectory

#Replace with the old suffix
$oldSuffix = 'old.suffix'     # = 'capstone.internal'

#Replace with the new suffix
$newSuffix = 'new.suffix'     # = 'capstonebeststone.com'

#Replace with the OU you want to change suffixes for
$ou = "DC=sample,DC=domain"   # = "DC=capstone,DC=internal"
                              # = "OU=MailUsers,DC=capstone,DC=internal"

#Replace with the name of your AD server
$server = "test"

Get-ADUser -SearchBase $ou -Server $server -Filter * | ForEach-Object {
    # Skip accounts with no UPN or a UPN that does not end in the old suffix
    if (-not $_.UserPrincipalName -or $_.UserPrincipalName -notlike "*@$oldSuffix") { return }
    # Anchored, case-insensitive replace of the suffix only (String.Replace is case-sensitive)
    $newUpn = $_.UserPrincipalName -replace ('@' + [regex]::Escape($oldSuffix) + '$'), "@$newSuffix"
    $_ | Set-ADUser -Server $server -UserPrincipalName $newUpn
}
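An audit pass to run after the bulk change and before Azure AD Connect syncs the accounts, as an added example that is not part of the original post or the borrowed script. It lists accounts still carrying the internal suffix, accounts whose UPN and mail attribute disagree, and accounts whose UPN equals another user’s mail address. The domain names are the post’s placeholders.

```powershell
# Added example: post-change audit of UPNs before syncing to Office 365 (not from the original post).
# Assumes the RSAT ActiveDirectory module; domain names are the post's placeholders.
Import-Module ActiveDirectory

$oldSuffix = 'capstone.internal'        # non-routable AD domain
$ou        = 'DC=capstone,DC=internal'  # scope of the audit

$users = Get-ADUser -SearchBase $ou -Filter * -Properties mail, UserPrincipalName

# 1. Accounts still on the internal suffix (or with no UPN) do not match a verified
#    Office 365 domain, so the sync falls back to the tenant's onmicrosoft.com suffix.
$leftover = @($users | Where-Object {
    -not $_.UserPrincipalName -or $_.UserPrincipalName -like "*@$oldSuffix"
})

# 2. UPN and primary mail attribute disagree: users sign in with one address
#    and receive mail at another, which is what the UPN change was meant to avoid.
$mismatch = @($users | Where-Object {
    $_.mail -and $_.UserPrincipalName -and ($_.mail -ne $_.UserPrincipalName)
})

# 3. A UPN equal to another object's mail address: Azure AD Connect requires UPNs
#    and proxy addresses to be unique across the directory and reports such objects.
$mailIndex = @{}
foreach ($u in $users) {
    if ($u.mail) { $mailIndex[$u.mail.ToLower()] = $u.SamAccountName }
}
$collisions = @($users | Where-Object {
    $_.UserPrincipalName -and
    $mailIndex.ContainsKey($_.UserPrincipalName.ToLower()) -and
    $mailIndex[$_.UserPrincipalName.ToLower()] -ne $_.SamAccountName
})

"{0} users scanned: {1} still on @{2}, {3} UPN/mail mismatches, {4} UPN collisions" -f `
    @($users).Count, $leftover.Count, $oldSuffix, $mismatch.Count, $collisions.Count

$leftover   | Select-Object SamAccountName, UserPrincipalName
$mismatch   | Select-Object SamAccountName, UserPrincipalName, mail
$collisions | Select-Object SamAccountName, UserPrincipalName
```

The three lists should all be empty before the first sync; anything in the first list is a user the borrowed script skipped (no UPN, or a UPN that never carried the old suffix) and needs a manual fix.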

Congratulations! Your user objects are now prepared for SSO integration with Office365, and you didn’t have to rename your domain to accomplish this.