How Changing the Primary Domain Name of the AzureAD Tenant Affects the User Experience and Device Settings for Pure AADJ Devices

Question:

How does changing the primary domain name affect the AzureAD sign-in process for Pure AADJ devices?

I have a client who has a Pure AADJ environment and they want to change their primary domain name from [email protected] to [email protected]. All their devices are AzureAD Joined. I am wondering if this change will have any impact on how they sign in to AzureAD or if it will be seamless. Has anyone experienced a similar scenario or have any insights to share?

Thank you very much.

Answer:

How changing the primary domain name affects the AzureAD sign-in process for Pure AADJ devices

Azure Active Directory (AzureAD) is a cloud-based identity and access management service that provides secure sign-in and access to various Microsoft and third-party applications. AzureAD Join (AADJ) is a feature that allows devices to be directly joined to AzureAD without requiring a traditional Active Directory Domain Services (AD DS) domain.

One of the benefits of AADJ is that it simplifies the device management and user experience, especially for remote and mobile workers. Users can sign in to their devices using their AzureAD credentials, which are usually in the format of [email protected], where domain.com is the primary domain name of the AzureAD tenant.

However, what happens if the primary domain name of the AzureAD tenant changes? For example, suppose you have a client who has a Pure AADJ environment and they want to change their primary domain name from [email protected] to [email protected]. All their devices are AzureAD Joined. Will this change have any impact on how they sign in to AzureAD or will it be seamless?

The answer is that it depends on how the domain name change is implemented. There are two possible scenarios:

Scenario 1: The old domain name is retained as an alias

In this scenario, the old domain name (company.com) is not removed from the AzureAD tenant, but rather kept as an alias or a secondary domain name. The new domain name (mynewcompany.com) is added as the primary domain name and verified by Microsoft. This means that both [email protected] and [email protected] are valid user principal names (UPNs) for the same user account in AzureAD.

In this case, the domain name change will have minimal impact on the AzureAD sign-in process for Pure AADJ devices. Users can continue to sign in to their devices using their old UPNs ([email protected]) or their new UPNs ([email protected]). The device will automatically detect the UPN change and update the local cache accordingly. The user profile and settings will remain the same on the device.

However, there are some caveats to consider in this scenario:

  • Users may experience some confusion or inconsistency when they see different UPNs on different applications or services. For example, some applications may show the old UPN ([email protected]) while others may show the new UPN ([email protected]). This may affect the user experience and satisfaction.
  • Users may need to update their email signatures, business cards, and other communication materials to reflect the new UPN ([email protected]). This may incur some additional costs and efforts.
  • Users may need to reconfigure some applications or services that rely on the UPN as the identity or authentication factor. For example, some VPN or MFA solutions may require the user to enter the UPN as part of the sign-in process. Users may need to change the UPN from [email protected] to [email protected] in these cases.
Scenario 2: The old domain name is removed from the AzureAD tenant

In this scenario, the old domain name (company.com) is completely removed from the AzureAD tenant, and only the new domain name (mynewcompany.com) is retained as the primary domain name. This means that [email protected] is no longer a valid UPN for the user account in AzureAD, and only [email protected] is accepted.

In this case, the domain name change will have a significant impact on the AzureAD sign-in process for Pure AADJ devices. Users will not be able to sign in to their devices using their old UPNs ([email protected]) anymore, and they will need to use their new UPNs ([email protected]) instead. However, the device will not automatically detect the UPN change and update the local cache. The user profile and settings will also be different on the device.

To resolve this issue, users will need to perform the following steps on their devices:

  • Sign out of the device and sign in again using the new UPN ([email protected]).
  • Reset the device PIN or password if required.
  • Re-enroll the device in any device management or security solutions that are configured for the device, such as Intune, Windows Defender, or BitLocker.
  • Re-sync the device settings and data with the cloud, such as OneDrive, Outlook, or Edge.
  • Re-install or re-configure any applications or services that rely on the UPN as the identity or authentication factor, such as VPN or MFA solutions.

These steps may be time-consuming and disruptive for the users, and they may require some technical assistance or guidance from the IT support team.

Therefore, it is recommended to avoid this scenario if possible, and opt for the first scenario instead, where the old domain name is retained as an alias. This will ensure a smoother and seamless transition for the users and the devices.

Conclusion

Changing the primary domain name of the AzureAD tenant can have different effects on the AzureAD sign-in process for Pure AADJ devices, depending on how the domain name change is implemented. If the old domain name is retained as an alias, the impact will be minimal and users can use either the old or the new UPN to sign in to their devices. If the old domain name is removed from the AzureAD tenant, the impact will be significant and users will need to use the new UPN to sign in to their devices, and perform some additional steps to update their device settings and applications.

Therefore, it is important to plan and communicate the domain name change carefully, and consider the implications and best practices for the users and the devices. This will help to avoid any potential issues or disruptions, and ensure a smooth and successful domain name change.
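The following script is an added example of how an administrator would carry out the tenant side of the first scenario (keep company.com verified, move user sign-in names to mynewcompany.com) from a workstation, with a dry run and a rollback record. It is not code from the original question or answer. It assumes the Microsoft Graph PowerShell SDK modules Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement are installed, that the signed-in administrator can consent to User.ReadWrite.All and Domain.Read.All, and that company.com and mynewcompany.com are the placeholder domain names from the post; the parameter names, the backup file name and the skip of directory-synced users are choices made for this example.

```powershell
# Added example, not from the original page. Assumes the Microsoft Graph
# PowerShell SDK is installed and the caller has User.ReadWrite.All and
# Domain.Read.All. The domain names are the placeholders from the post.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OldDomain = 'company.com',        # assumed: existing UPN suffix
    [string]$NewDomain = 'mynewcompany.com',   # assumed: new, already verified suffix
    [string]$BackupCsv = ".\upn-backup-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Domain.Read.All' | Out-Null

# 1. Both suffixes must be verified in the tenant: the new one so the UPN
#    change is accepted, the old one because scenario 1 keeps it in the
#    tenant instead of removing it. Stop before touching any account otherwise.
$domains = Get-MgDomain -All
foreach ($d in @($OldDomain, $NewDomain)) {
    $entry = $domains | Where-Object { $_.Id -eq $d }
    if (-not $entry -or -not $entry.IsVerified) {
        throw "Domain '$d' is not a verified domain in this tenant; no changes made."
    }
}

# 2. Find every user whose UPN ends with the old suffix. endswith() is an
#    advanced query, so Graph requires ConsistencyLevel=eventual and $count.
$users = Get-MgUser -All `
    -Filter "endswith(userPrincipalName,'@$OldDomain')" `
    -ConsistencyLevel eventual -CountVariable userCount `
    -Property Id, UserPrincipalName, DisplayName, OnPremisesSyncEnabled

# 3. Write a rollback record before any rename so the old UPNs can be restored.
$users | Select-Object Id, UserPrincipalName, DisplayName |
    Export-Csv -Path $BackupCsv -NoTypeInformation
Write-Host "Backed up $userCount user principal names to $BackupCsv"

# 4. Rename each cloud account. Accounts synced from on-premises AD must be
#    changed in AD and allowed to sync, so they are skipped here on purpose.
foreach ($u in $users) {
    if ($u.OnPremisesSyncEnabled) {
        Write-Warning "Skipping $($u.UserPrincipalName): synced from on-premises AD."
        continue
    }
    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$NewDomain"
    # Running the script with -WhatIf lists every planned rename and applies none.
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Rename UPN to $newUpn")) {
        Update-MgUser -UserId $u.Id -UserPrincipalName $newUpn
        Write-Host "Renamed $($u.UserPrincipalName) -> $newUpn"
    }
}
```

Run it first as `.\Rename-Upn.ps1 -WhatIf` to see the full list of renames without changing anything, and keep the CSV it writes; the same loop with the columns swapped restores the old names if the change has to be backed out. On an affected AzureAD joined device, `dsregcmd /status` shows whether the join is still intact (AzureAdJoined : YES) and whether the signed-in user holds a Primary Refresh Token (AzureAdPrt : YES), which is the quickest way to confirm that a user who signed in with the new UPN is getting single sign-on rather than falling back to password prompts.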
