SCCM ConfigMgr Setup Co-Management AAD Connect UPN Suffix Sync Identities to Azure AD

On-premises Active Directory users, groups and other objects need to be synced to Azure AD; this sync is the bridge between traditional and modern management. Azure AD Connect (AAD Connect) is the tool to use for syncing on-prem users and groups to Azure AD, and it is one of the prerequisites for co-management. In this post we set up AAD Connect and configure the UPN suffix.

Co-Management Related Posts

All co-management video tutorials are collected in one post here.

Overview Windows 10 Co-Management with Intune and SCCM 
Custom Report to Identify Machines Connected via SCCM CMG  
How to Setup Co-Management - Introduction - Prerequisites Part 1 
How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 
Setup Co-Management - AAD Connect UPN Suffix Part 3 (This Post)
Setup Co-Management - CA PKI & Certificates Part 4 
Setup Co-Management Cloud DP Azure Blob Storage Part 5 
Setup Co-Management Azure Cloud Services CMG Part 6
SCCM Configure Settings for Client PKI certificates Part 7
How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
How to Deploy SCCM Client from Intune - Co-Management - Part 9
End User Experience of Windows 10 Co-Management - Part 10

Setup UPN Suffix

The UPN suffix matters because Azure AD matches synced users on their UPN. Create an alternate UPN suffix in the on-prem forest that matches a domain verified in your Azure AD tenant, then change the UPN suffix on each user that should be synced so that the user gets the same identity in Azure AD. Users left on a non-routable suffix (for example .local) are still synced, but with the tenant's default onmicrosoft.com suffix, which defeats the purpose of a common identity.


How do you change the UPN values of users? First go to on-premises AD and create a new alternate UPN suffix, as described in the following steps. How to add a UPN suffix to a forest:

  1. Open Active Directory Domains and Trusts.
  2. Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
  3. On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forest.
  4. Click Add, and then click OK.
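The same procedure scripted in PowerShell, as an added example that is not part of the original post: it registers the forest suffix (the equivalent of the UPN Suffixes tab above), rewrites the UPN of a pilot group of users onto it, and then lists any user still on another suffix. The suffix `contoso.com` and the group name `CoMgmt-Pilot-Users` are placeholders; the suffix must be a domain already verified in your Azure AD tenant, and changing forest UPN suffixes requires Enterprise Admins rights.

```powershell
# Added example (not from the original post): add an alternate UPN suffix to the
# forest and move a pilot group of users onto it before AAD Connect syncs them.
# Assumptions: the ActiveDirectory RSAT module is installed, the session runs as
# a member of Enterprise Admins, and $NewSuffix is a placeholder for a domain
# that is verified in the Azure AD tenant.
Import-Module ActiveDirectory

$NewSuffix  = 'contoso.com'        # placeholder: must match a verified Azure AD domain
$PilotGroup = 'CoMgmt-Pilot-Users' # placeholder pilot group

# 1. Add the suffix at the forest level (same as the UPN Suffixes tab in
#    Active Directory Domains and Trusts).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
}

# 2. Re-read the forest and confirm the suffix is registered.
(Get-ADForest).UPNSuffixes

# 3. Rewrite the UPN suffix for the pilot users, keeping each user's existing prefix.
$users = Get-ADGroupMember -Identity $PilotGroup -Recursive |
         Where-Object objectClass -eq 'user' |
         Get-ADUser -Properties UserPrincipalName

foreach ($u in $users) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    if (-not $prefix) { $prefix = $u.SamAccountName }   # user had no UPN set at all
    $newUpn = "$prefix@$NewSuffix"
    if ($u.UserPrincipalName -ne $newUpn) {
        # -WhatIf shows the change without applying it; remove it for the real run.
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
    }
}

# 4. Check: any user still on a different (typically non-routable) suffix will be
#    synced with the tenant's default onmicrosoft.com UPN instead of $NewSuffix.
Get-ADUser -Filter * -SearchBase (Get-ADDomain).DistinguishedName -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$NewSuffix" } |
    Select-Object SamAccountName, UserPrincipalName
```

Run it once with `-WhatIf` in place and review the output before applying: the UPN is the name users sign in with, so a wrong suffix locks them out of Azure AD sign-in until it is corrected, and the check in step 4 is what tells you which accounts were missed.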

Video Co-Management AAD Connect & UPN Suffix Configuration 

I have created a video tutorial that shows how to install Azure AD Connect and how to create a UPN suffix so that on-prem users sync to Azure AD, covering the co-management AAD Connect and UPN suffix configuration.


What is Azure AD Connect?

I use Azure AD Connect to set up and test co-management in the lab environment. SCCM admins should understand this piece; however, in your organization it will normally be handled by the Active Directory team. Azure AD Connect integrates your on-premises directories with Azure AD.


Syncing on-prem AD identities to Azure AD gives your users a common identity for Office 365, Azure, Intune, and SaaS applications integrated with Azure AD. This is one of the prerequisites for co-management. Following are the three (3) main components of Azure AD Connect:

Synchronization services
AD FS (Optional)
Health Monitoring

Install & Configure Azure AD Connect

I used Express settings to install AAD Connect in the lab. Your organization may have specific requirements (OU or group filtering, a different source anchor, pass-through authentication or federation); in that case select Customized settings during the installation. More details are available in the documentation. Treat the AAD Connect server as a Tier 0 asset: the on-prem connector account it uses is granted Replicating Directory Changes rights when password hash sync is enabled, so the server must be protected like a domain controller.

Following is the AAD connect installation process which I explained in the video tutorial.

Download Azure AD Connect
Install using Express settings
Install using Customized settings (Optional)
Upgrade from DirSync (Optional)
After installation checks
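The "after installation checks" step done from PowerShell, as an added example that is not part of the original post. It uses the ADSync module that the AAD Connect installer places on the server and is assumed to run in an elevated session on that server; `contoso.com` is a placeholder for the UPN suffix configured earlier. The final check assumes the default source anchor (mS-DS-ConsistencyGuid), which AAD Connect writes back to synced user objects.

```powershell
# Added example (not from the original post): post-installation checks on the
# Azure AD Connect server. Assumption: elevated PowerShell on the AAD Connect
# server; 'contoso.com' is a placeholder for the UPN suffix created earlier.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Scheduler: the sync cycle must be enabled and the server must not be in
#    staging mode (a staging-mode server imports but never exports to Azure AD).
$sched = Get-ADSyncScheduler
$sched | Select-Object SyncCycleEnabled, StagingModeEnabled,
                       CurrentlyEffectiveSyncCycleInterval,
                       NextSyncCycleStartTimeInUTC, SyncCycleInProgress
if (-not $sched.SyncCycleEnabled) { Write-Warning 'Sync cycle disabled: nothing is exported to Azure AD.' }
if ($sched.StagingModeEnabled)   { Write-Warning 'Staging mode enabled: exports are suppressed.' }

# 2. Connectors: expect one on-prem AD connector and one Azure AD connector.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName

# 3. Trigger a delta sync instead of waiting for the scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta

# 4. Last run status per connector; an empty result means no run is in progress.
Get-ADSyncConnectorRunStatus

# 5. On the AD side, confirm the users on the new suffix were picked up.
#    Assumption: default source anchor, so AAD Connect stamps mS-DS-ConsistencyGuid
#    on each synced user; an empty value after a completed cycle means the user
#    was filtered out of the sync scope.
Get-ADUser -Filter 'UserPrincipalName -like "*@contoso.com"' -Properties 'mS-DS-ConsistencyGuid' |
    Select-Object UserPrincipalName,
                  @{ n = 'Synced'; e = { $null -ne $_.'mS-DS-ConsistencyGuid' } }
```

If step 5 shows users on the correct suffix but not synced, the usual causes are OU filtering chosen during a customized install or the user sitting outside the connector's configured domain or OU scope; check the connector configuration in Synchronization Service Manager before changing anything on the AD side.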

2 thoughts on “SCCM ConfigMgr Setup Co-Management AAD Connect UPN Suffix Sync Identities to Azure AD”

  1. Anoop,

    Maybe you can shed some light on the following question:
    I am implementing Windows Hello for Business with Hybrid Key Trust with W2016 DC’s etc.
    In 1 domain the customers use 2 or three different UPN suffixes like and to access the tenant in Azure. How will AD Connect synchronize 2 quite different UPN suffixes? And will it work if users log in with a PIN on their ADDJ devices to connect to resources on premises (like printers and file shares) without the resources asking for their name/password?

