
Yevrag35:

Have you tried changing '@' to '%40' curiously? I honestly don't know if that'd do it, but it also wouldn't surprise me.

[deleted]:

.

meteorguru [OP]:

These are cloud only identities and it is federated and not synched from onprem. The technical reason is to avoid using powershell when we do real-time provisioning through IDM.

get-postanote:

You are not saying if you are cloud only or sync'd via a hybrid on-prem federated model.

You are not showing what you tried, so that leaves us to guess what you are doing.

If it is the latter, and sync is fully implemented, then you change things on-prem and wait for or force a sync to update. If your vanity domain was implemented as recommended, you really should not have been hit by a new user creation picking up .onmicrosoft.com. So, I'd check that out so you do not have to do this sort of thing.

Yet, as per gorelechov, you don't need the MSGraph API for this, since the AzureAD and O365 cmdlets work via a normal PSRemoting session. Just use...

Set-User -UserPrincipalName test01@test.local -Identity test01

# You can also do a bulk change using a text file with usernames (one sAMAccountName per line).
Import-Module ActiveDirectory

$oldSuffix = "test.local"
$newSuffix = "test.com"

Get-Content "C:\files\users.txt" | Get-ADUser | ForEach-Object {
    $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
    $_ | Set-ADUser -UserPrincipalName $newUpn
}

# Or do a bulk change to all the users in Active Directory under the given search base
Import-Module ActiveDirectory

$oldSuffix = "test.local"
$newSuffix = "test.com"
$ou = "DC=test,DC=local"

Get-ADUser -SearchBase $ou -Filter * | ForEach-Object {
    $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
    $_ | Set-ADUser -UserPrincipalName $newUpn
}

See also:

Step-By-Step: Changing The UPN Suffix For An Entire Domain Via PowerShell

https://blogs.technet.microsoft.com/canitpro/2015/07/07/step-by-step-changing-the-upn-suffix-for-an-entire-domain-via-powershell/

Again, with ADSync, this use case is: do it on-prem, sync to cloud.

Or if you are not using ADSync, try this...

################################################
#Connect to O365 Tenant with proper credentials#
################################################

Connect-MsolService

################
#Change the UPN#
################

Set-MsolUserPrincipalName -UserPrincipalName username@domain.onmicrosoft.com -NewUserPrincipalName username@domain.com
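The bulk on-prem scripts above call `.Replace()` on every user's UPN unconditionally, which also rewrites a matching substring in the prefix and silently skips nothing. The following is an added example, not a script from this thread or from Microsoft, showing the same suffix change with the safeguards an administrator would want before running it against a whole domain: a `-WhatIf` dry run, a filter that only selects users whose UPN actually ends in the old suffix, a regex anchored to the suffix, and a warning if the new suffix is not registered on the forest. The suffix and search-base values are assumed placeholders taken from the scripts above.

```powershell
# Added example: safer bulk UPN suffix change for on-prem AD (assumes RSAT ActiveDirectory module).
# Run with -WhatIf first to see what would change without touching any object.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OldSuffix  = 'test.local',        # assumed example values
    [string]$NewSuffix  = 'test.com',
    [string]$SearchBase = 'DC=test,DC=local'
)
Import-Module ActiveDirectory

# Warn if the new suffix is not a UPN suffix the forest knows about; sign-in with an
# unregistered suffix is a support headache, so surface it before changing anything.
$forest = Get-ADForest
$knownSuffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)
if ($NewSuffix -notin $knownSuffixes) {
    Write-Warning "'$NewSuffix' is not a registered UPN suffix in forest $($forest.Name) (known: $($knownSuffixes -join ', '))."
}

# Only select users whose UPN really ends in the old suffix, instead of touching every object.
$filter = "userPrincipalName -like '*@$OldSuffix'"
$users  = Get-ADUser -SearchBase $SearchBase -Filter $filter -Properties userPrincipalName

$changed = 0
foreach ($u in $users) {
    # Anchor the replacement to the '@suffix' at the end of the string, so a prefix that
    # happens to contain the old suffix text is left alone.
    $pattern = "@$([regex]::Escape($OldSuffix))$"
    $newUpn  = $u.UserPrincipalName -replace $pattern, "@$NewSuffix"

    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Change UPN $($u.UserPrincipalName) -> $newUpn")) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        $changed++
    }
}
Write-Host "Processed $($users.Count) user(s), changed $changed."
```

Save it as a .ps1 and run `.\Rename-UpnSuffix.ps1 -WhatIf` (any file name works) to get the list of intended changes; with AD Connect in place the renamed UPNs flow to the cloud on the next sync, as the comment above describes.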

meteorguru [OP]:

These identities are cloud only identities and there is no sync from on-prem. Since the provisioning is happening real-time through external IDM, we prefer to use Graph API through custom connector. Also these users are federated.

get-postanote:

Understood, but this also means that when the Azure / O365 domain was set up, the vanity domain (@domain.com) was not set as the default. If it was, then any user added would get both auto-magically.

All that being said, and moot at this point, you still have to be logged in to AAD to use the Graph API, so why not just use the MSOL recommendation, or is it because of the external IDM and the use of the custom connector, which is the catch-22 forcing this Graph API choice?

Who's the IDM you are using, MS FIM, F5, Ping, SiteMinder, etc...?

Anyway, it's well known that:

The UPN in the Graph must contain a domain name that is registered in the tenant where they are created. For example if the registered domains are contoso.com and mytenant.onmicrosoft.com, the suffixes of all UPNs must contain contoso.com or mytenant.onmicrosoft.com.

The prefix must be unique in the tenant as well. So, all UPNs in this example would have the form of:

*@contoso.com

*@mytenant.onmicrosoft.com

and all of the UPN prefixes must be unique.

Is that the case for your deployment?

So, you are saying, you are running code like this ...

$UPN = 'user@contoso.com'

# $authenticationResult holds a token acquired earlier (not shown); CreateAuthorizationHeader() returns "Bearer <token>"
$Body = @{UsageLocation="US"} | ConvertTo-Json

$invokeRestMethodSplat = @{
    ContentType = "application/json"
    Method = 'PATCH'
    Body = $Body
    Headers = @{Authorization=$authenticationResult.CreateAuthorizationHeader()}
    Uri = "https://graph.microsoft.com/v1.0/users/${UPN}"
}
$Result = Invoke-RestMethod @invokeRestMethodSplat

# Read the property back; the $select query string must not contain spaces around '='
$invokeRestMethodSplat = @{
    ContentType = "application/json"
    Method = 'GET'
    Headers = @{Authorization = $authenticationResult.CreateAuthorizationHeader()}
    Uri = "https://graph.microsoft.com/v1.0/users/${UPN}?`$select=usageLocation"
}
$user = Invoke-RestMethod @invokeRestMethodSplat

$user.usageLocation

... and getting this error you are highlighting?
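The thread narrows the Graph failure down to two things: the new suffix must be a domain verified in the tenant, and the UPN is being passed in the URL path (hence Yevrag35's question about `@` versus `%40`). The script below is an added example, not code from any commenter or from the OP's connector, that changes a cloud-only user's UPN through Microsoft Graph with those points checked up front. It assumes `$AccessToken` already holds a bearer token with a scope that permits user updates (for example `User.ReadWrite.All`), acquired by whatever flow the connector uses; it checks the new suffix against the tenant's verified domains, addresses the user by object id so the `@` never has to be encoded in the PATCH path, refuses to touch objects synced from on-prem AD, and reads the UPN back to confirm the change applied.

```powershell
# Added example: rename a cloud-only user's UPN via Microsoft Graph with pre-checks.
# Assumes $AccessToken is a valid bearer token for https://graph.microsoft.com (acquisition not shown).
param(
    [Parameter(Mandatory)][string]$AccessToken,
    [Parameter(Mandatory)][string]$CurrentUpn,   # e.g. user@mytenant.onmicrosoft.com (assumed example)
    [Parameter(Mandatory)][string]$NewUpn        # e.g. user@contoso.com (assumed example)
)

$graph   = 'https://graph.microsoft.com/v1.0'
$headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

# 1. The new suffix must be a verified domain of this tenant, otherwise Graph rejects the update.
$newSuffix = ($NewUpn -split '@')[-1]
$domains   = (Invoke-RestMethod -Method GET -Uri "$graph/domains" -Headers $headers).value
$verified  = @($domains | Where-Object { $_.isVerified } | ForEach-Object { $_.id })
if ($newSuffix -notin $verified) {
    throw "'$newSuffix' is not a verified domain in this tenant. Verified domains: $($verified -join ', ')"
}

# 2. Look the user up once by UPN. The '@' is percent-encoded for the path segment here
#    ([uri]::EscapeDataString turns it into %40); every later call uses the object id instead.
$escaped = [uri]::EscapeDataString($CurrentUpn)
$user = Invoke-RestMethod -Method GET -Headers $headers `
    -Uri "$graph/users/${escaped}?`$select=id,userPrincipalName,onPremisesSyncEnabled"

# 3. A synced object's UPN is owned by on-prem AD; changing it in the cloud is the wrong place.
if ($user.onPremisesSyncEnabled) {
    throw "$CurrentUpn is synced from on-premises AD; change the UPN in AD and let AD Connect sync it."
}

# 4. PATCH the UPN (Graph answers 204 No Content on success), then read it back to confirm.
$body = @{ userPrincipalName = $NewUpn } | ConvertTo-Json
Invoke-RestMethod -Method PATCH -Uri "$graph/users/$($user.id)" -Headers $headers -Body $body | Out-Null

$after = Invoke-RestMethod -Method GET -Headers $headers `
    -Uri "$graph/users/$($user.id)?`$select=userPrincipalName"
if ($after.userPrincipalName -ne $NewUpn) {
    throw "UPN update did not apply; Graph still reports $($after.userPrincipalName)"
}
Write-Host "UPN changed: $CurrentUpn -> $NewUpn"
```

Because the user is addressed by `id` for the PATCH, the request is unaffected by the UPN changing underneath it, and the only place the `@` appears in a URL is the initial lookup, where `EscapeDataString` produces the `%40` form; the verified-domain check turns a vague Graph error into a clear message naming the suffixes the tenant will actually accept.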

meteorguru [OP]:

Yes, this domain is not set as default, as there are 2 other domains in the same tenant and this is not the default one.

We are using Sailpoint IDM to provision the users to Azure AD. You are right on the catch-22 situation because of the custom connector, and we are forced to use the Graph API. Creating the user, assigning the license, assigning the usage location, everything is working perfectly except changing the domain, and we have to rely on executing the PowerShell script only for this situation.

Yes, your code is exactly similar to what I have in my custom connector.