Overview
When connecting an on-premises Active Directory to Azure AD or Microsoft 365, your cloud services need to recognize the domain name your users will log in with. This is configured by adding an alternative UPN (User Principal Name) suffix to Active Directory – essentially registering an additional domain name that can be used as a logon identifier alongside your existing internal domain.
In this example, the internal AD domain is examlab.practice.com and the additional domain to be added is abc.corp.com. After completing this configuration, users can be assigned logon names like jane.doe@abc.corp.com, which aligns with their Microsoft 365 or email address and enables Seamless Single Sign-On (SSO).
Prerequisites
- Active Directory domain controller running Windows Server 2008 R2 or later
- Domain Admin or Enterprise Admin permissions
- DNS server role installed and accessible
- The additional domain name you want to register (e.g., abc.corp.com)
Part 1 – Verify DNS Accessibility
Your AD domain’s DNS server must be accessible from the internet so that cloud services can validate domain ownership. Open Server Manager, go to Tools, and select DNS to confirm the DNS role is installed and configured.

Part 2 – Create a DNS Forward Lookup Zone
To support the additional domain name in DNS, create a new Forward Lookup Zone for the additional domain. This zone will hold the DNS records for abc.corp.com.
Step 1 – Open the New Zone Wizard
In DNS Manager, expand your server, right-click Forward Lookup Zones, and select New Zone.

Step 2 – Configure Zone Name and File
Work through the wizard with these settings:
- Zone Type: Primary zone
- Zone Name: abc.corp.com (your additional domain name)
- Zone File: Create a new file – the wizard will default to abc.corp.com.dns
- Dynamic Updates: Do not allow dynamic updates
Click Next through each page, then Finish.


Part 3 – Add the UPN Suffix in Active Directory Domains and Trusts
Creating the DNS zone alone is not enough – you also need to register the additional domain name as an alternative UPN suffix in Active Directory. Without this step, the domain will not appear in the UPN dropdown when editing user accounts.
Step 3 – Open Active Directory Domains and Trusts
In Server Manager, go to Tools and open Active Directory Domains and Trusts. In the console, right-click the top-level Active Directory Domains and Trusts node (not your specific domain – the root node itself) and select Properties.

Step 4 – Add the Alternative UPN Suffix
In the Properties dialog, locate the Alternative UPN Suffixes field. Type your additional domain name – for example abc.corp.com – and click Add. Click OK to apply.
Part 4 – Assign the New UPN to Users
Now that the suffix is registered, open Active Directory Users and Computers, navigate to the user whose logon name you want to update, right-click and select Properties. On the Account tab, the UPN suffix dropdown will now include abc.corp.com as an option.
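Parts 2 through 4 as one PowerShell script, an added example rather than the article's own steps. It assumes the DnsServer and ActiveDirectory modules on the domain controller, a Domain Admin session, a hypothetical user jane.doe, and a placeholder TXT token in place of the real value from the Microsoft 365 admin center.

```powershell
# Added example: scripted equivalent of Parts 2-4 (not from the original article).
# Assumes the DnsServer and ActiveDirectory RSAT modules, a Domain Admin session on
# the DC, and the hypothetical user account jane.doe.
#Requires -Modules DnsServer, ActiveDirectory
$ErrorActionPreference = 'Stop'

$NewSuffix  = 'abc.corp.com'   # the additional domain from the article
$SamAccount = 'jane.doe'       # hypothetical user to re-assign

# Part 2: file-backed primary zone with dynamic updates disabled (the wizard settings)
if (-not (Get-DnsServerZone -Name $NewSuffix -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $NewSuffix -ZoneFile "$NewSuffix.dns" -DynamicUpdate None
}

# Domain Ownership: the TXT value is issued by the Microsoft 365 admin center;
# 'MS=msXXXXXXXX' is a placeholder, not a real verification token.
Add-DnsServerResourceRecord -ZoneName $NewSuffix -Name '@' -Txt -DescriptiveText 'MS=msXXXXXXXX'

# Part 3: the suffix is a forest-level setting (Set-ADForest), not a per-domain one
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
}

# Part 4: assign the new UPN, refusing to create a duplicate anywhere in the forest.
# Duplicate UPNs are a common cause of Azure AD Connect sync errors, so the check
# runs against a global catalog (port 3268) rather than the local domain only.
$user   = Get-ADUser -Identity $SamAccount
$newUpn = "$($user.SamAccountName)@$NewSuffix"
$clash  = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" -Server "$($forest.RootDomain):3268"
if ($clash -and $clash.DistinguishedName -ne $user.DistinguishedName) {
    throw "UPN $newUpn is already assigned to $($clash.DistinguishedName)"
}
Set-ADUser -Identity $user -UserPrincipalName $newUpn

# Verification: confirm the UPN change and that the zone answers from a public resolver
Get-ADUser -Identity $SamAccount | Select-Object SamAccountName, UserPrincipalName
Resolve-DnsName -Name $NewSuffix -Type TXT -Server 8.8.8.8 -DnsOnly
```

Run the final Resolve-DnsName check before adding the domain in Microsoft 365; if the public resolver cannot see the TXT record, the ownership verification in the Domain Ownership section will fail.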

Important Considerations
DNS Validation
For cloud services like Microsoft 365 to recognize the domain, your DNS server must be internet-facing. Microsoft’s servers will attempt to query your DNS to verify ownership of the domain. Ensure your DNS server is reachable from the internet before attempting to add the domain to Microsoft 365 or Azure AD.
Domain Ownership
Microsoft 365 will query your internet-facing DNS server to confirm you own and control the domain name. You will need to add a TXT verification record to the DNS zone you created before Microsoft will activate the domain for your tenant.
Hybrid Readiness
Setting up these UPN suffixes ensures your on-premises AD and cloud environment are aligned for hybrid scenarios – including Seamless SSO with Azure AD Connect and email migration to Exchange Online. Users assigned the new UPN suffix will be able to use that address as their primary logon identity across both environments.