Update UPN for group of users or all users in domain

There can be situations where you need to update the UPN (User Principal Name) of the users in your domain. In my case this change solved my SAML SSO integrations via OKTA with other apps.

My internal Active Directory domain is corp.COMPANY.com (NetBIOS name COMPANY). In our SSO provider OKTA this domain gets translated to COMPANY.com, but that is not a good solution: sometimes, even when you modify the user profile in OKTA so that the SAML assertion shows user_login as fName.LName@COMPANY.com, OKTA will still put fName.LName@corp.COMPANY.com into the SAML assertion. This mismatch causes your SAML integration to fail. I have found this specifically with a few SaaS solutions such as NetSuite, Slack, OneTrust, Anaplan and others.

The easy fix is to make sure that your SSO provider sends the correct information in the SAML assertion, and you can do that by changing the UPN of your users. You can change the UPN for individual users, for a group of users or, best of all, for all users in the domain. Once that is done your SAML integration will work like a charm 🙂

Here is a PowerShell script to change the UPN for all users in the Users container:

Import-Module ActiveDirectory
$oldSuffix = "corp.COMPANY.com"
$newSuffix = "COMPANY.com"
$ou = "CN=Users,DC=corp,DC=COMPANY,DC=com"
$server = "DC1SRV"
# Walk every user in the container and swap the old UPN suffix for the new one.
Get-ADUser -SearchBase $ou -Filter * | ForEach-Object {
    # Some built-in accounts (Guest, krbtgt) have no UPN at all; skip them instead of failing.
    if (-not $_.UserPrincipalName) { return }
    $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
    $_ | Set-ADUser -Server $server -UserPrincipalName $newUpn
}

Once run, your users are updated and their UPN suffix is listed as COMPANY.com in Active Directory.
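Because a bulk UPN change touches every account in scope and a bad run is painful to undo, here is an added example (my own, not the script from the post above) of the same rename with the checks I would want before running it for real: it confirms the new suffix is registered on the forest, selects only users whose UPN actually ends with the old suffix, refuses to create a duplicate UPN, supports a dry run with -WhatIf, and writes a CSV of what it changed. The suffix, container and server values are placeholders for your own environment; the script file name Rename-Upn.ps1 is assumed.

```powershell
# Added example, not the original post's script. Placeholder values below
# (OldSuffix, NewSuffix, SearchBase, Server) must be replaced for your domain.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OldSuffix  = 'corp.COMPANY.com',
    [string]$NewSuffix  = 'COMPANY.com',
    [string]$SearchBase = 'CN=Users,DC=corp,DC=COMPANY,DC=com',
    [string]$Server     = 'DC1SRV'
)

Import-Module ActiveDirectory

# A UPN suffix that is not registered on the forest is not offered in ADUC and
# is rejected by some relying parties, so check it before touching any user.
$forest = Get-ADForest -Server $Server
$knownSuffixes = @($forest.Name) + @($forest.UPNSuffixes)
if ($knownSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' is not registered on forest $($forest.Name). " +
          "Add it first with: Set-ADForest -UPNSuffixes @{Add='$NewSuffix'}"
}

# Select only users whose UPN ends with the old suffix. The LDAP filter does the
# matching on the DC and naturally skips accounts with no UPN (Guest, krbtgt).
$filter = "(userPrincipalName=*@$OldSuffix)"
$users  = Get-ADUser -Server $Server -SearchBase $SearchBase -LDAPFilter $filter

$log = foreach ($user in $users) {
    $oldUpn = $user.UserPrincipalName
    $prefix = $oldUpn.Substring(0, $oldUpn.LastIndexOf('@'))
    $newUpn = "$prefix@$NewSuffix"

    # UPNs must be unique in the forest; skip the account rather than collide.
    $clash = Get-ADUser -Server $Server -LDAPFilter "(userPrincipalName=$newUpn)"
    if ($clash -and $clash.DistinguishedName -ne $user.DistinguishedName) {
        [pscustomobject]@{ Sam = $user.SamAccountName; Old = $oldUpn; New = $newUpn; Status = 'SKIPPED: duplicate UPN' }
        continue
    }

    # -WhatIf passed to the script lands here, so a dry run only reports.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set UPN to $newUpn")) {
        Set-ADUser -Server $Server -Identity $user -UserPrincipalName $newUpn
        [pscustomobject]@{ Sam = $user.SamAccountName; Old = $oldUpn; New = $newUpn; Status = 'UPDATED' }
    } else {
        [pscustomobject]@{ Sam = $user.SamAccountName; Old = $oldUpn; New = $newUpn; Status = 'DRY RUN' }
    }
}

$log | Format-Table -AutoSize
# Keep a record of old and new values: it is your rollback list and your audit trail.
$log | Export-Csv -Path ".\upn-change-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
```

Run it first as `.\Rename-Upn.ps1 -WhatIf` and read the report; only when the list of accounts and target UPNs looks right run it without -WhatIf. Pinning every query and write to the same DC with -Server avoids the replication lag surprises you get when the read and the write land on different controllers.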