Okta Classic Engine | Universal Directory | Answered | 2024-03-25T05:27:48.000Z | 2022-05-22T13:38:34.000Z | 2022-05-25T18:33:43.000Z

hpsu1 (hpsu1) asked a question.

Filter domain name in user provisioning

We are performing a tenant to tenant migration. In order to move the domain to the new tenant. OKTA manages the user provisioning for ourcompany.com.

 

I would like to know how to filter the user and group proxy addresses to remove ourcompany.com addresses.

 

I will also need to filter the domain name ourcompany.com suffix from the userprincipalname.

 

Lastly, I need to filter ourcompany.com from the msRTCSIP-PrimaryUserAddress attribute.

 

I can accomplish this in AD Connect by modifying the following inbound rules in AD Connect (for proxyaddresses and msRTCSIP-PrimaryUserAddress):

 

In from AD – User Common from Exchange

In from AD – User Common

In from AD – Group Common

In from AD - User Lync

 

For userprincipalname this is done with a custom outbound rule to replace ourcompany.com in the userprincipalname.

 

How can I achieve the same results using O365 provisioning? (AD is the source of truth for all user accounts.) Any help is appreciated.


  • Hello @hpsu1 (hpsu1), thank you for reaching out to our Community!

     

    If you are using Provisioning for Office 365, then you can change the username format from the Sign On tab of the Office application and use this expression: String.substringBefore(user.email, '@') + "@domain.com". However, if AD is the source of truth for all your users, then if you change the username within AD, at the next import this will propagate to Okta and then the new username format will be pushed to most of your applications. Please keep in mind that a change of username will only be pushed to apps that have provisioning, and manual action might be required; please see our article below on this matter:

    https://support.okta.com/help/s/article/Application-Usernames-are-not-being-updated-automatically?language=en_US

     

    Hope this helps!

  • hpsu1 (hpsu1)

    Hi Paul,

     

    First more details.

     

    1.) You are correct we are using provisioning to O365

    2.) AD is the source of truth for all users

     

    Issue - if I change the username in AD, there are a number of systems bound to this (voicemail and SAP)

     

    I would like to know if I can input the username as configured in AD but write a modified username to O365.

    AD UPN (Current) - user@foo.com --> OKTA Provisioning --> user@foo.com

    AD UPN (Modified) - user@foo.com --> OKTA Provisioning --> user@foo.dev

     

    AD ProxyAddr (Current) - user@foo.com --> OKTA Provisioning --> user@foo.com

    user@boo.com --> OKTA Provisioning --> user@boo.com

    AD ProxyAddr (Modified) - user@foo.com --> OKTA Provisioning --> $null

    user@boo.com --> OKTA Provisioning --> user@boo.com

     

    AD msRTCSIP-PrAddr (Current) - user@foo.com --> OKTA Provisioning --> user@foo.com

    AD msRTCSIP-PrAddr (Modified) - user@foo.com --> OKTA Provisioning --> $null

     

    In order to remove the foo.com domain from the O365 tenant, any object configured with foo.com must be stripped from O365 (UPN, proxyaddresses and msRTCSIP-PrimaryUserAddress).

     

    The catch is, if I modify UPN in the AD source, other applications break.

     

    The ability to filter these 3 attributes to remove the domain exists within the sync rules in AD Connect; I'm hoping OKTA can do the same.

     

    Cheers,

     

    DT

This question is closed.
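
The mapping requested in the thread (UPN suffix swapped from foo.com to foo.dev, foo.com entries dropped from proxyAddresses, msRTCSIP-PrimaryUserAddress nulled) can be modelled offline to check expected outbound values before the domain is removed from the tenant. The following Python sketch is an added example, not part of the original posts and not Okta configuration or API code; the function names and the sample record are constructed for illustration, and it goes slightly beyond the thread by handling `smtp:`/`sip:` prefixes and look-alike domains.

```python
# Added example: offline model of the outbound mapping described in the thread.
RETIRED = "foo.com"      # domain being removed from the O365 tenant (from the thread)
REPLACEMENT = "foo.dev"  # UPN suffix to write to O365 instead (from the thread)

def _domain(addr):
    """Lower-cased domain of 'smtp:user@dom', 'sip:user@dom' or 'user@dom'."""
    return addr.rsplit("@", 1)[-1].strip().lower() if "@" in addr else ""

def _is_retired(addr, retired=RETIRED):
    # Exact domain comparison: a substring test would also match notfoo.com
    # or foo.com.au and silently strip addresses that must be kept.
    return _domain(addr) == retired.lower()

def map_for_o365(ad_user, retired=RETIRED, replacement=REPLACEMENT):
    """Build outbound values; the AD source record is left unchanged."""
    upn = ad_user["userPrincipalName"]
    if _is_retired(upn, retired):
        upn = upn.rsplit("@", 1)[0] + "@" + replacement
    proxies = [p for p in ad_user.get("proxyAddresses", [])
               if not _is_retired(p, retired)]
    sip = ad_user.get("msRTCSIP-PrimaryUserAddress")
    if sip and _is_retired(sip, retired):
        sip = None  # the "$null" result in the thread
    return {"userPrincipalName": upn,
            "proxyAddresses": proxies,
            "msRTCSIP-PrimaryUserAddress": sip}

def leftovers(record, retired=RETIRED):
    """Attribute names in a record that still reference the retired domain."""
    hits = []
    for name, value in record.items():
        values = value if isinstance(value, list) else [value]
        if any(v and _is_retired(v, retired) for v in values):
            hits.append(name)
    return hits

# Constructed sample record, modelled on the addresses used in the thread.
SAMPLE_AD_USER = {
    "userPrincipalName": "user@foo.com",
    "proxyAddresses": ["SMTP:user@foo.com", "smtp:user@boo.com",
                       "smtp:user@notfoo.com"],
    "msRTCSIP-PrimaryUserAddress": "sip:user@foo.com",
}
```

Running `leftovers()` over the mapped record for every user and group gives a pre-check that nothing bound for O365 still carries the retiring domain.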