Brian Reid – Microsoft 365 Subject Matter Expert

PowerShell Script To Update All UPN’s

This quick script will process all your user accounts in the domain and change the UPN for each of them to a new one, which you need to specify in the script in advance of running it. This script is useful for Office 365 Rich Coexistence (Hybrid) scenarios which require that the UPN (User Principal Name) for each account matches their email address.
Optionally you can add the UPN that you are going to use (your verified vanity domain in Office 365) to Active Directory Domains and Trusts. Adding the UPN extension to Active Directory Domains and Trusts allows you to select the UPN extension whilst creating users in this program, but you do not need to add the extension to Domains and Trusts to change a users UPN using the below script.
To run the script copy the below to a text file, saving it as Update-UPN.ps1. Change Then run this script from an Exchange Management Shell.
$upnExt = Read-Host “Please enter your UPN extension (excluding @)”$users = Get-User * -ResultSize Unlimited    
foreach($user in $users)
{
$UPN = “$($user.sAMAccountName)@” + $upnExt
Write-Host “Setting ” $UPN
$user | Set-User -UserPrincipalName $UPN
}
Tip: Comment out the Write-Host line with # if you do not want feedback on each user changed – it will make the script go much faster
Tip: For testing purposes change the * in the first line to the name of a test user or do something like test* to change all users starting with the word “test” in their username.

Posted

in

, , ,

by

Brian Reid

Tags:

Comments

2 responses to “PowerShell Script To Update All UPN’s”

  1. Anders B avatar
    Anders B

    Hi Brian.
    Nice blog =)

    An (somewhat more elaborate) approach is to check if the mail and last name attributes are present and use the mail attribute instead of samaccountname + email-domain, since most users will have easier to embrace using something they know such as their email address as UPN instead of samaccountname + email address.

    This of course has the drawback that the email-attribute has to be populated, but in a on-prem Exchange -> O365 scenario that is to be expected(?).

    How ever an PS-example would be something like this:
    [START OF PS-FILE]

    #################################
    # Function to verify that session
    # is running in elevated mode
    #################################
    Function CheckIfElevated
    {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = new-object Security.Principal.WindowsPrincipal $identity
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if (-not $elevated)
    {
    $error = “`nThis script must be run”
    if ([System.Environment]::OSVersion.Version.Major -gt 5)
    {
    $error += ” in an elevated shell (Run as administrator)!`n”
    }
    else
    {
    $error += ” as Administrator!`n”
    }

    Write-Host “#######################################################################” -ForegroundColor Red
    Write-Host $error -ForegroundColor Red
    Write-Host “#######################################################################” -ForegroundColor Red
    exit
    }
    }

    #################################
    # Function to verify that Active
    # Directory module is loaded
    #################################
    Function Get-TheModule
    {
    Param([string]$name)
    if(-not(Get-Module -name $name))
    {
    if(Get-Module -ListAvailable | Where-Object { $_.name -eq $name })
    {
    Import-Module -Name $name
    Write-Host “Importing module $name to this session” -ForegroundColor Blue
    $true
    }
    else
    {
    $false
    }
    }
    else
    {
    Write-Host “$name is already loaded to this session” -ForegroundColor Green
    $true
    }
    }

    ### Check if session is in elevated mode

    CheckIfElevated

    ### Check and load Active Directory PowerShell Module

    $ModuleName = “ActiveDirectory”

    if (Get-TheModule -name $ModuleName)
    {
    Write-Host “Doing really interesting AD stuff…since $ModuleName exist and is loaded”
    get-aduser -Filter {mail -like “*” -and surname -like “*”} -Properties * | % {Set-ADUser $_ -UserPrincipalName ($_.mail)}
    }
    else
    {
    Write-Host “Hey dude/dudette! `n$ModuleName is not installed on this system`nInstalled modules:” -ForegroundColor Red
    Get-Module -ListAvailable | Select-Object Name
    }
    [END OF PS-FILE]

    Keep up the good work !
    /Anders B

    Reply
  2. Henrik Walther avatar
    Henrik Walther

    And if you want to do it the GUI way, you can use ADModify…

    /Henrik

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.