Updating MOERA Address for AD Connect Synchronized User in 2024

Mirko — Mon, 21 Oct 2024 08:18:44 +0000

Let's say that you want to change the username and email of a user inside your Microsoft Entra ID tenant.
You can change the username easyly from Microsoft 365 admin center, and the primary email address as well, but what about the @<your-domain>.onmicrosoft.com?

That's the MOERA address, Microsoft Online Email Routing Address, and for whatever reason, you can't change it for "on-prem" accounts but you can for "cloud only" accounts.

The Plan

Here’s what you need to do:

Convert the user to a cloud-only account
Change the username and email address, including MOERA
Convert the user to a on-prem account again

Disclaimer

This procedure is not officially supported by Microsoft, so proceed at your own risk. While I have tested it within my company, I am not an expert and cannot be held responsible for any errors or issues that may arise.

Please, before continuing, read Plan and troubleshoot User Principal Name changes in Microsoft Entra ID from Microsoft documentation.

The Procedure

I'll show you the steps using a test account called "Bob Migration". I'll change the username from b.migration.ext@<redacted-domain> to b.migration@<redacted-domain>. Here is a screenshot to show the starting situation in Microsoft 365 admin center:

1. Assign directly a license

To ensure that the user keeps the Outlook and Teams license during the whole process it is better to have a direct assignment instead of inheriting a license from a group. In this case I use a Microsoft 365 Business Basic.

2. Move the user to a non-sync OU

In Active Directory, move the user to a non-sync OU. This has the effect of moving the user to the recycle bin of Entra ID (i.e. the user will be soft deleted).
Remember to force the Azue AD Connect sync:

Start-ADSyncSyncCycle -PolicyType Delta

3. Restore the user from the recycle bin

Now you need to restore the user from the recycle bin. Do it from the Azure Portal, so you are not forced to set a new password.
Navigate to "Microsoft Entra ID" -> "Users" -> "Deleted users", search for the user to restore, select it and click "Restore users".

4. Change the email address of the user's mailbox

Go to Exchange admin center and open the user's mailbox details.
Here click on "Manage email address types" and edit the primary SMTP address, the MOERA address (@.onmicrosoft.com) and the SIP address. If you want to receive the emails written at the old address, leave those in.
Also change the mailbox alias by clicking on "Manage contact information".

5. Change the username

In Microsoft 365 admin center open the user details panel and click on "Manage username and email":

Here change the "Primary email address and username" and the alias *@.onmicrosoft.com. The old username will be added as an alias. You can leave it if you want to receive the emails written at the old address.
Once you are done click on save changes.

6. Back to Active Directory, change attributes to match the cloud account

Open the user in Active Directory and change:

Under the "Account" tab, the user logon name to match the new username, without the @ part
Under the "Attribute editor" tab, the proxyAddresses field to match the addresses set in "Manage email address types" in step 4.

7. Time to restore the sync from Active Directory to Entra ID

In my tests I've found that if I simply sync the user again, by moving it to the correct OU, the status shown in Microsoft 365 admin center remains "cloud-only". Looking at the logs in Synchronization Service Manager there was an error indicating that the writes to the "onPremise*" attributes had failed. All other operations were successful, including adding the user to other groups, but the synchronization status continued to display as "cloud-only".

At the end, I've tried to move to the recycle bin the user from Azure Portal and let the sync tool restore it, and it worked. ¡Órale! 🎉

So, to soft delete the user go to Azure Portal, navigate to the Users menu, open the user details and delete the user.

From Active Directory, move the user to a syncing OU and force the sync.

Start-ADSyncSyncCycle -PolicyType Delta

Now the user should be restored with the new username and MOERA address. Wait 10-15 minutes for Entra ID to process the user, then you should be able to login into Outlook and Teams. This can take longer if the servers are under load, I've experienced waiting time up to 30 min.

If you have trouble entering the app, clear the browser cookies and login into Outlook from outlook.office.com. If you have trouble with Teams, try to login from the desktop app.

Conclusions

I'm not an Active Directory expert, I'm a software engineer, but when I heared my collegues talking about this, having trouble with "Immutable IDs" and the synchronization status stuck at "cloud-only", I decided to challenge myself and my problem solving skills (and my patience).

A huge thanks goes to my collegue Lorenzo Scanu and to a LinkedIn post that he found, How to change the MOERA address of synchronized user objects, that I've followed to come up with points 1-5.

If you have any suggestion on how to improve this, please leave a comment. Maybe in the future I'll automate this process with a Powershell script.

If you want to reach out you can text me on LinkedIn or write an email to mirko.passoli at gmail.com.

DEV Community: Mirko