Skip to main content
日本語 简体中文 繁體中文

[Access Control] Change the UPN of non-user objects to the onmicrosoft.com domain

Description

This article explains the procedure for excluding specific objects (such as rooms, equipment, shared mailboxes, etc.) from synchronization in environments where user synchronization is performed from Microsoft 365 using Access Control Directory Sync.

Notes

  1. The content of this article is based on the product specifications as of May 2026 and may be subject to change without notice.
  2. It may take some time for these settings to be reflected in the Microsoft 365 admin center.
  3. The target objects for these settings are based on Microsoft 365 specifications. For details, please contact Microsoft.

Procedure

Pre-checks

  1. Refer to the following article to connect to Microsoft 365 using Microsoft Graph PowerShell.
    Connect to Microsoft 365 using Microsoft Graph PowerShell

Executing PowerShell Commands

  1. Open [Windows Start], then open [Windows PowerShell] with administrator privileges.

    Make sure that [Administrator] is displayed in the upper left of the opened PowerShell window.

  2. Run the following command to connect to Microsoft Graph.

    Connect-MgGraph -Scopes "Organization.Read.All","User.ReadWrite.All"
  3. If prompted for Microsoft 365 credentials, sign in to Microsoft 365 with an account that has Global admin role and click [Accept].

  4. Run the following command.

    Command example:
    - For -UserID, specify the current custom domain UserPrincipalName.
    - For -UserPrincipalName, specify the UserPrincipalName with the domain part changed to the onmicrosoft.com domain.

    Update-MgUser `
-UserID "XXX@example.com" `
-UserPrincipalName "XXX@YYY.onmicrosoft.com"

  5. Next, run the following command to check the UPN and email address.

    Get-MgUser -UserID "XXX@YYY.onmicrosoft.com"

    ・Confirm that the UPN has been changed to the value entered in step 4.
    ・Confirm that the email address has also been changed to the same value.
    ・If you do not need to modify the email address, proceed to step 8 [Disconnect from Microsoft Graph].

  6. Since the primary email address will be changed along with the UPN change, run the following command to revert the primary email address.

    Command example:
    - For -UserID, specify the onmicrosoft.com domain UserPrincipalName changed in step 5.
    - For -Mail, specify the primary email address you want to set.

    Update-MgUser `
-UserID "XXX@YYY.onmicrosoft.com" `
-Mail "XXX@example.com"

  7. Run the following command again to confirm the email address.

    Get-MgUser -UserID "XXX@YYY.onmicrosoft.com"

    Confirm that the primary email address displayed in [Mail] has been changed to the value entered in step 6.

  8. Run the following command to disconnect from Microsoft Graph.

    Disconnect-MgGraph

    * With the [Connect-MgGraph] command, you will not be prompted to sign in the next time you start, and the previously authenticated credentials will be retained. To ensure you are signed out, please run [Disconnect-MgGraph].