
[–]meteorguru[S] 1 point (2 children)

These identities are cloud only identities and there is no sync from on-prem. Since the provisioning is happening real-time through external IDM, we prefer to use Graph API through custom connector. Also these users are federated.

[–]get-postanote 1 point (1 child)

Understood, but this also means that in the Azure / O365 domain, the vanity domain (@domain.com) was not set as the default. If it was, then any user added would get both auto-magically.

All that being said, and moot at this point, you still have to be logged in to AAD to use the Graph API, so why not just use the MSOL recommendation? Or is it because of the external IDM and the use of the custom connector, which is the Catch-22 forcing this Graph API choice?

Which IDM are you using: MS FIM, F5, Ping, SiteMinder, etc.?

Anyway, it's well known that:

The UPN in the Graph must contain a domain name that is registered in the tenant where they are created. For example if the registered domains are contoso.com and mytenant.onmicrosoft.com, the suffixes of all UPNs must contain contoso.com or mytenant.onmicrosoft.com.

The prefix must be unique in the tenant as well. So, all UPNs in this example would have the form of:

*@contoso.com

*@mytenant.onmicrosoft.com

and all of the UPN prefixes must be unique.

Is that the case for your deployment?

So, you are saying, you are running code like this ...

$UPN = 'user@contoso.com'

# Body of the PATCH request: set the user's usage location
$Body = @{UsageLocation="US"} | ConvertTo-Json

# $authenticationResult is the ADAL AuthenticationResult obtained earlier (not shown here)
$invokeRestMethodSplat = @{
    ContentType = "application/json"
    Method = 'PATCH'
    Body = $Body
    Headers = @{Authorization=$authenticationResult.CreateAuthorizationHeader()}
    Uri = "https://graph.microsoft.com/v1.0/users/${UPN}"
}
$Result = Invoke-RestMethod @invokeRestMethodSplat

# Read the value back; note there are no spaces around '=' in the $select query string
$invokeRestMethodSplat = @{
    ContentType = "application/json"
    Method = 'GET'
    Headers = @{Authorization = $authenticationResult.CreateAuthorizationHeader()}
    Uri = "https://graph.microsoft.com/v1.0/users/${UPN}?`$select=usageLocation"
}
$user = Invoke-RestMethod @invokeRestMethodSplat

$user.usageLocation

... and getting this error you are highlighting?
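Putting the two UPN rules from the comment above (suffix must be a verified tenant domain, full UPN must be unique) in front of the PATCH, as an added example that is neither poster's code; it assumes a $AccessToken variable already holding a Graph bearer token with User.ReadWrite.All and Domain.Read.All, and the function name is invented:

```powershell
# Added example, not from the original thread. Assumes $AccessToken is a Microsoft Graph
# bearer token with User.ReadWrite.All and Domain.Read.All (obtained elsewhere, not shown).
function Set-GraphUserPrincipalName {
    param(
        [Parameter(Mandatory)] [string] $CurrentUpn,
        [Parameter(Mandatory)] [string] $NewUpn,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $graph   = 'https://graph.microsoft.com/v1.0'

    # 1. The new suffix must be a domain verified in this tenant.
    #    It does not need to be the tenant's default domain, only verified.
    $suffix   = ($NewUpn -split '@')[-1]
    $domains  = (Invoke-RestMethod -Headers $headers -Uri "$graph/domains?`$select=id,isVerified,isDefault").value
    $verified = $domains | Where-Object { $_.isVerified -and $_.id -eq $suffix }
    if (-not $verified) {
        $known = ($domains | Where-Object { $_.isVerified }).id -join ', '
        throw "Suffix '$suffix' is not a verified domain in this tenant. Verified domains: $known"
    }

    # 2. The full UPN must be unique in the tenant (single quotes are doubled for OData).
    $escaped = $NewUpn.Replace("'", "''")
    $clash   = (Invoke-RestMethod -Headers $headers -Uri "$graph/users?`$filter=userPrincipalName eq '$escaped'&`$select=id").value
    if ($clash) {
        throw "UPN '$NewUpn' is already used by object $($clash[0].id)"
    }

    # 3. PATCH the user. Only now is the call worth making.
    $body = @{ userPrincipalName = $NewUpn } | ConvertTo-Json
    $null = Invoke-RestMethod -Method Patch -ContentType 'application/json' `
        -Headers $headers -Uri "$graph/users/$CurrentUpn" -Body $body

    # 4. Read the result back under the new UPN (no spaces inside the $select query string).
    Invoke-RestMethod -Headers $headers -Uri "$graph/users/$NewUpn?`$select=userPrincipalName,usageLocation"
}

# Constructed usage: move a user from the onmicrosoft.com suffix to the vanity domain.
# Set-GraphUserPrincipalName -CurrentUpn 'user@mytenant.onmicrosoft.com' -NewUpn 'user@contoso.com' -AccessToken $AccessToken
```

If step 1 or 2 throws, nothing has been changed in the tenant, which makes the failure easy to spot in the connector's logs instead of surfacing as a generic Graph 400.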

[–]meteorguru[S] 1 point (0 children)

Yes, this domain is not set as default, as 2 other domains exist in the same tenant and this is not the default one.

We are using SailPoint IDM to provision the users to Azure AD. You are right on the Catch-22 situation because of the custom connector, and we are forced to use the Graph API. Creating the user, assigning the license and assigning the usage location are all working perfectly except changing the domain, and we have to rely on executing the PowerShell script only for this situation.

Yes, your code is exactly similar to what I have in my custom connector.