Introduction
Microsoft 365 hybrid environments rely on Entra Connect to synchronize identities between on-premises Active Directory and the cloud. While synchronization works seamlessly most of the time, there is a critical behavior that often catches even experienced administrators off guard:
Domain verification triggers an automatic, forced reconciliation of all User Principal Names (UPNs).
This article explains:
The Scenario That Causes Panic
On-premises Active Directory holds the user with a UPN prefix nobody wants to sign in with (the article's example uses 971015@...).
Entra Connect syncs that account, UPN included, to Entra ID.
An administrator applies a manual cloud fix with PowerShell, changing the cloud UPN with Update-MgUser.
Everything appears stable.
Then you add a new domain — for example:
You add the TXT record and click Verify.
Within minutes of the domain being verified, the cloud change is automatically overwritten: the user's UPN prefix reverts to the on-premises value.
Technical Deep Dive: Normal Sync vs Domain Verification
1. Regular Delta Sync (Every 30 Minutes)
Azure AD Connect (Entra Connect) uses a delta sync process during normal operation.
Key characteristics:
Only objects and attributes that changed on-premises since the previous cycle are exported to Entra ID.
In a delta cycle, attributes that did not change on-premises are not re-exported, so a value edited directly in the cloud is left alone.
This is why manual UPN updates in the cloud survive normal sync cycles. Since the on-premises UPN (971015@...) has not changed, Entra Connect does not overwrite it.
2. Domain Verification Event (The Real Trigger)
When you verify a domain in Microsoft 365, a completely different internal process is triggered.
This is:
NOT a standard sync operation
NOT a delta sync
An internal Entra ID reconciliation process
Executed immediately
Bypasses normal sync rules
Microsoft makes two internal assumptions:
As a result, Entra performs a forced UPN reconciliation.
What Does NOT Trigger UPN Changes
The following actions do NOT trigger UPN reconciliation:
Adding a domain in on-premises Active Directory
Regular 30-minute delta sync cycles
Manual delta sync (Start-ADSyncSyncCycle -PolicyType Delta)
Adding MX records
Adding CNAME records
Adding SPF, DKIM, or DMARC records
Setting a domain as default
Assigning a domain to users
Removing old domains
What DOES Trigger UPN Reconciliation
The following actions WILL trigger reconciliation:
Important:
The domain being verified does not even need to be assigned to users. The act of verification itself is enough.
Solutions to Mitigate This Issue
1. Correct On-Premises UPN First
Set the desired UPN in on-premises Active Directory and let Entra Connect sync it. The cloud UPN then already matches the on-premises value, so verification has nothing to revert.
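As an added example (not code from the original article), the following PowerShell finds synced users whose cloud UPN no longer matches the on-premises value, records them, and writes the cloud UPN back into Active Directory so the two sides agree before the domain is verified. It assumes the Microsoft.Graph and ActiveDirectory modules, a single-domain forest (users are addressed by sAMAccountName), the paths under C:\temp, and that Start-ADSyncSyncCycle is run on the Entra Connect server; the check against the forest's UPN suffixes is my addition, not something the article describes.

```powershell
# Added example, not from the original article: make AD match the hand-corrected
# cloud UPNs before verifying a domain, so reconciliation has nothing to revert.
# Assumptions: Microsoft.Graph and ActiveDirectory modules are installed, the account
# can update AD users, and Start-ADSyncSyncCycle is run on the Entra Connect server.
Connect-MgGraph -Scopes "User.Read.All"

# Synced users whose cloud UPN differs from the value Entra Connect last sent.
$drift = Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" `
            -Property Id,UserPrincipalName,OnPremisesUserPrincipalName,OnPremisesSamAccountName |
         Where-Object { $_.OnPremisesUserPrincipalName -and
                        $_.UserPrincipalName -ne $_.OnPremisesUserPrincipalName }

# Keep a record of what is about to change (path is an assumption).
$drift | Select-Object UserPrincipalName,OnPremisesUserPrincipalName,OnPremisesSamAccountName |
    Export-Csv "C:\temp\upn-drift-before.csv" -NoTypeInformation

# Set-ADUser does not check that a UPN suffix is registered in the forest, so check
# it here: a suffix that is not routable on-premises will only cause more trouble.
$forest = Get-ADForest
$validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)

foreach ($u in $drift) {
    $suffix = ($u.UserPrincipalName -split '@')[1]
    if ($suffix -notin $validSuffixes) {
        Write-Warning "Skipping $($u.OnPremisesSamAccountName): '$suffix' is not a UPN suffix in this forest"
        continue
    }
    # -Identity by sAMAccountName assumes a single-domain forest.
    # Remove -WhatIf once the CSV above has been reviewed.
    Set-ADUser -Identity $u.OnPremisesSamAccountName -UserPrincipalName $u.UserPrincipalName -WhatIf
}

# On the Entra Connect server: push the AD change to Entra ID, then re-run the
# $drift query above. It should return nothing before you click Verify.
Start-ADSyncSyncCycle -PolicyType Delta
```

Run it with -WhatIf first and read upn-drift-before.csv; a UPN change on either side changes how the user signs in, so it belongs in a change window rather than in the minutes before clicking Verify.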
2. Post-Verification Correction Strategy
If you must verify first:
Step 1: Export full user list before verification
Include:
Display Name
Current UPN
Email address
Step 2: Verify the domain
Cloud UPNs that were corrected by hand will revert to the on-premises value.
Step 3: Export full user list again
Step 4: Create a CSV with a UPN column (the reverted value each user now has) and a NewUPN column (the value to restore)
Step 5: Use PowerShell to correct UPNs
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.ReadWrite.All"
# CSV columns: UPN = the reverted value the user has now, NewUPN = the value to restore
Import-Csv "C:\path\to\file.csv" | Where-Object { $_.UPN -ne $_.NewUPN } | ForEach-Object {
    try { Update-MgUser -UserId $_.UPN -UserPrincipalName $_.NewUPN -ErrorAction Stop }
    catch { Write-Warning "Failed to update $($_.UPN): $($_.Exception.Message)" }
}
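Steps 1 to 4 above can be scripted end to end. The following PowerShell is an added example, not code from the original article: before verification it snapshots every synced user and writes the correction CSV in the UPN/NewUPN layout the script above consumes (the on-premises UPN is what reconciliation will write, the current cloud UPN is what you want back); after verification it exports again and keeps only the users whose UPN actually changed, matched by object Id rather than by UPN. It assumes the Microsoft.Graph module and writable paths under C:\temp.

```powershell
# Added example, not from the original article: snapshot synced users before verification,
# write the correction CSV in the UPN/NewUPN layout the fix script expects, and after
# verification keep only the users whose UPN actually changed. Paths are assumptions.
Connect-MgGraph -Scopes "User.Read.All"

function Get-SyncedUpnState {
    Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" `
        -Property Id,DisplayName,Mail,UserPrincipalName,OnPremisesUserPrincipalName |
    Select-Object Id,DisplayName,Mail,UserPrincipalName,OnPremisesUserPrincipalName
}

# Step 1: snapshot. For each drifted user, "UPN" is the value reconciliation will write
# (the on-premises UPN) and "NewUPN" is the hand-corrected cloud value to restore.
$before = Get-SyncedUpnState
$before |
    Where-Object { $_.OnPremisesUserPrincipalName -and
                   $_.UserPrincipalName -ne $_.OnPremisesUserPrincipalName } |
    Select-Object @{ n = 'UPN';    e = { $_.OnPremisesUserPrincipalName } },
                  @{ n = 'NewUPN'; e = { $_.UserPrincipalName } },
                  DisplayName, Mail |
    Export-Csv "C:\temp\upn-restore.csv" -NoTypeInformation

# Step 2: verify the domain in the Microsoft 365 admin center.

# Step 3: export again and compare by object Id, never by UPN (the UPN is what moved).
$after = @{}
Get-SyncedUpnState | ForEach-Object { $after[$_.Id] = $_ }

$reverted = foreach ($b in $before) {
    $a = $after[$b.Id]
    if ($a -and $a.UserPrincipalName -ne $b.UserPrincipalName) {
        [pscustomobject]@{
            UPN         = $a.UserPrincipalName   # what the user has now
            NewUPN      = $b.UserPrincipalName   # what the user had before verification
            DisplayName = $b.DisplayName
        }
    }
}
$reverted | Export-Csv "C:\temp\upn-reverted.csv" -NoTypeInformation
"$(@($reverted).Count) of $(@($before).Count) synced users reverted; feed upn-reverted.csv to the correction script"
```

Feeding upn-reverted.csv (rather than the pre-verification upn-restore.csv) to the correction script means you only touch accounts that reconciliation actually changed, and the Id-based comparison still works for users whose UPN moved to a value you did not predict.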
Frequently Asked Questions
Q: Will verifying a domain I never use affect my users?
A: Yes. Any verified domain triggers reconciliation for all users whose on-premises UPN suffix matches.
Q: Does this affect cloud-only users?
A: No. It only affects users synchronized from on-premises AD via Entra Connect.
Q: What if I need multiple domains for email but want a single login UPN?
A: Keep the on-premises UPN consistent (for example, @company.com) and add the other domains as alternate e-mail addresses (proxyAddresses) rather than as UPN suffixes.
Q: Does removing and re-adding the domain help?
A: No. The reconciliation process occurs every time the domain is verified.
Final Thoughts
Domain verification in Microsoft 365 is not just a DNS validation step. In hybrid environments, it triggers a powerful internal reconciliation process that treats on-premises Active Directory as authoritative.
Understanding this behavior helps prevent unexpected UPN reversions and avoids emergency remediation after domain verification.