Non-routable domain identities sync interrogations
I have fair prior experience with hybrid identities but never came across a non-routable domain and the headache that comes with it.
I just started a contract with a new client. They’ve created their company.onmicrosoft.com tenant and started to create their identities with their company.com suffix and assign licenses so they can use Teams, Exchange Online, etc.
It is really bad because, since they didn’t configure AD Connect to synchronize their local identities to the cloud, their users have 2 identities (2 passwords): 1 for logging on locally to their workstation and another one for accessing O365 services… Of course, users are not happy about it.
My concern is the fact that their local domain is named whatever.local and does not contain their onmicrosoft tenant’s name at all…
I’ve read multiple blogs and TechNet articles related to non-routable domains and how I could federate them, but most of these articles use “@company.local” suffix examples, so it is not hard to understand that adding the same federated suffix can match the onmicrosoft tenant.
But in my case, the local domain doesn’t even match the “@company.com” in any way.
My questions are:
– Is it possible to still add “@company.com” to their local suffixes even though their forest/domain does not contain the company name? Will users still be able to log in using their samaccountname attribute?
– If it’s doable and we modify their UPNs to match their already created identities in the cloud, will their local identities merge with the existing ones in AzureAD?
Thanks a lot for your help in advance !
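The procedure the two questions describe (adding a routable UPN suffix to a forest whose DNS name is something else, then rewriting user UPNs before enabling synchronization) as an added PowerShell example. This is not code from the original post or from anyone answering it; it assumes the ActiveDirectory module, that the non-routable suffix is `whatever.local`, that the verified tenant domain is `company.com`, and that the new UPN prefix should be the existing sAMAccountName. All three names are placeholders taken from the post, not real values.

```powershell
# Added example, not from the original post. Run from a domain-joined
# admin host with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$routableSuffix = 'company.com'     # assumption: the domain verified in the tenant
$legacySuffix   = 'whatever.local'  # assumption: the current non-routable UPN suffix

# 1. Register the routable name as an alternative UPN suffix on the forest.
#    The forest's own DNS name does not need to match it; UPN suffixes are
#    an independent list on the partitions container.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $routableSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $routableSuffix }
}

# 2. Collect every user still carrying the non-routable suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$legacySuffix'" `
                    -Properties UserPrincipalName, mail

# 3. Build a review table before touching anything. sAMAccountName is left
#    untouched, so DOMAIN\user logon on workstations keeps working; only the
#    UPN (user@company.com) changes.
$plan = foreach ($u in $users) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUPN         = $u.UserPrincipalName
        NewUPN         = "$($u.SamAccountName)@$routableSuffix"
        Mail           = $u.mail   # compare against the cloud user's address
    }
}
$plan | Format-Table -AutoSize

# 4. Apply the rewrite. -WhatIf keeps this a dry run; remove it once the
#    table above has been reviewed against the cloud-side user list.
foreach ($p in $plan) {
    Set-ADUser -Identity $p.SamAccountName -UserPrincipalName $p.NewUPN -WhatIf
}
```

The review table in step 3 is the part worth keeping: Azure AD Connect's soft-match joins an on-premises object to an existing cloud-only object only when the UPN, or the primary SMTP address in proxyAddresses, is identical on both sides, so a mismatch in the NewUPN or Mail column is what would produce a duplicate account instead of a merge. Running the export with `-WhatIf` first and diffing the table against the tenant's user list is the cheap check before the first synchronization cycle.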