AZ-303 Exam Questions

AZ-303 Exam - Question 164


You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network.

Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.

You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory.

You need to ensure that the users can use single sign-on (SSO) to access Azure resources.

What should you do first?

Correct Answer: B

To ensure that users can use single sign-on (SSO) to access Azure resources with their on-premises credentials, the first step is to add and verify a custom domain name in Azure AD. The issue arises from a User Principal Name (UPN) mismatch between Azure AD and the on-premises Active Directory. When the domain in the UPN suffix is not verified in Azure AD, the suffix is replaced with the tenant's 'onmicrosoft.com' domain, causing the repeated sign-in prompts. By adding and verifying the custom domain that matches the on-premises Active Directory UPN suffix, you align UPNs across both directories, which is what Seamless SSO needs.
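As an added example (not from the exam page or Microsoft's documentation), the check below reports which on-premises UPN suffixes are not verified in the tenant, i.e. the users whose UPN Azure AD Connect would rewrite to the initial onmicrosoft.com domain. It assumes the ActiveDirectory and AzureAD PowerShell modules are installed, that Connect-AzureAD has already been run, and a constructed search base of OU=Users,DC=contoso,DC=local.

```powershell
# Added example, not code from the exam page. Requires the ActiveDirectory and
# AzureAD modules and an existing Connect-AzureAD session.
function Get-UnverifiedUpnSuffix {
    [CmdletBinding()]
    param(
        # Constructed sample value; replace with your own AD search base.
        [string]$SearchBase = 'OU=Users,DC=contoso,DC=local'
    )

    $domains = Get-AzureADDomain

    # Only suffixes in this list survive synchronization unchanged.
    $verified = $domains |
        Where-Object { $_.IsVerified } |
        ForEach-Object { $_.Name.ToLowerInvariant() }

    # The initial <tenant>.onmicrosoft.com domain that unverified suffixes fall back to.
    $initial = ($domains | Where-Object { $_.IsInitial } | Select-Object -First 1).Name

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        Where-Object { $_.UserPrincipalName } |
        ForEach-Object {
            $prefix, $suffix = $_.UserPrincipalName -split '@', 2
            $suffix = $suffix.ToLowerInvariant()
            if ($verified -notcontains $suffix) {
                [pscustomobject]@{
                    SamAccountName    = $_.SamAccountName
                    OnPremUpn         = $_.UserPrincipalName
                    # UPN the user would end up with in Azure AD after sync
                    CloudUpnAfterSync = "$prefix@$initial"
                    MissingDomain     = $suffix
                }
            }
        }
}

# Summarize per missing domain so you know which custom domains to add and verify first.
Get-UnverifiedUpnSuffix |
    Group-Object MissingDomain |
    Select-Object @{ n = 'Domain'; e = { $_.Name } }, @{ n = 'Users'; e = { $_.Count } }
```

Run it before enabling synchronization; an empty result means every on-premises UPN suffix is already a verified custom domain.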

Discussion

8 comments
azurecert2021
Jan 15, 2021

Correct. The UPN mismatch can be removed after adding the domain of your on-prem AD to Azure AD, so option B is correct.

Bemsi49
Jan 15, 2021

Given Answer is correct. B

QiangQiang
May 1, 2021

Custom domain state and UPN: It is important to ensure that there is a verified domain for the UPN suffix. John is a user in contoso.com. You want John to use the on-premises UPN john@contoso.com to sign in to Azure after you have synced users to your Azure AD directory contoso.onmicrosoft.com. To do so, you need to add and verify contoso.com as a custom domain in Azure AD before you can start syncing the users. If the UPN suffix of John, for example contoso.com, does not match a verified domain in Azure AD, then Azure AD replaces the UPN suffix with contoso.onmicrosoft.com.

syu31svc
Aug 29, 2021

When the UserPrincipalName (UPN)/Alternate Login ID suffix is not verified with the Azure AD tenant, Azure Active Directory replaces the UPN suffixes with the default domain name "onmicrosoft.com".
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/hybrid/tshoot-connect-objectsync#upn-suffix-is-not-verified-with-azure-ad-tenant
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-manage
Answer is B

TSMRE
Jun 8, 2021

On exam 6/7/21

JayBee65
Feb 13, 2022

John is a user in contoso.com. You want John to use the on-premises UPN john@contoso.com to sign in to Azure after you have synced users to your Azure AD directory contoso.onmicrosoft.com. To do so, you need to add and verify contoso.com as a custom domain in Azure AD before you can start syncing the users. If the UPN suffix of John, for example contoso.com, does not match a verified domain in Azure AD, then Azure AD replaces the UPN suffix with contoso.onmicrosoft.com. From https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#azure-ad-sign-in

lucky_777
Jan 15, 2022

There's no real-life answer: use the PowerShell command `Set-AzureADUser -ObjectId jdoe@contoso.onmicrosoft.com -UserPrincipalName jdoe@contoso.com` to match the AD UPN with the AAD UPN.

[Removed]
Feb 24, 2022

Correct answer, once we add custom domain name