
We currently have our Azure tenant, with the verified domain "superiorproducts.com". We also have our on-prem traditional AD domain, "supprod.local", with 4 domain controllers. There exist other sister/subsidiary companies owned by/under the superiorproducts company umbrella; however, all computers at all companies are joined to and managed by the "supprod.local" domain, via a VPN connection to the "supprod.local" domain. We have always used Office365 and hosted Exchange for email for all companies. In O365 and Exchange, however, users' userIDs and mailboxes do not all use the same domain; they use a domain in accordance with whatever company they work for.

So for example, Tommy works for Superior Products and Jimmy works for Reliance Technologies. While both Tommy's and Jimmy's computers are joined to the "supprod.local" domain, and both have domain users supprod\tommy and supprod\jimmy, Tommy's email address and userID in O365 is [email protected] and Jimmy's is [email protected].

So - I began my first attempt to sync our on-prem environment with Azure AD/Entra ID. I found out that in order to sync, the on prem domain must be routable, and match the domain of the Azure tenant (so supprod.local does not work). I went ahead and made an additional UPN suffix in AD "superiorproducts.com" and applied this to all domain users.

I installed cloud sync/cloud connect on one of our domain controllers and began the sync. To my horror, every single email mailbox and user in O365 was overwritten with @superiorproducts.com, essentially breaking every mailbox for every user that does not use a @superiorproducts.com mailbox.

So my questions are:

  1. is it possible to sync a domain like this with Azure AD? An environment where all users share the same .local domain for their user and computer objects, but who use different domains in O365 for their email mailboxes?
  2. If possible, how might this be approached, and what are the requirements to configure the on-prem environment properly so that when synced, the identities from on-prem don't overwrite the exchange mailbox settings for each user?

Does this make sense? Please let me know if there's anything more I can clarify about the situation.

Thank you in advance.

2 Answers


I went ahead and made an additional UPN suffix in AD "superiorproducts.com" and applied this to all domain users.

Your error is there: you should have added the Reliance Technologies UPN to Jimmy in your example, not superiorproducts.com.

Online it would have worked, as your tenant has those domains added to it.

Here is an example from a domain I have: a .local and two UPNs with different email DNS.


If possible, how might this be approached, and what are the requirements to configure the on-prem environment properly so that when synced, the identities from on-prem don't overwrite the exchange mailbox settings for each user?

The requirement is that reliancetechnologies.com must be valid inside the same tenant where superiorproducts.com is. I edited to add that note, as in the question it seems only superiorproducts.com is validated inside the tenant.


The answer to both questions is Yes.

You need to add a UPN suffix in AD for every verified domain in Office 365. Then set the UPN suffix on each user account to the appropriate domain.

Tommy will sync to [email protected] and Jimmy will sync to [email protected].
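The procedure both answers describe (one UPN suffix per verified tenant domain, then a per-user UPN that agrees with the existing mailbox address), as an added PowerShell example that is not from the question or either answer. It assumes the RSAT ActiveDirectory module on a domain-joined host, rights to edit the forest and user objects, and that each user's AD "mail" attribute already holds their O365 address; reliancetechnologies.com is a placeholder domain name, and the user changes run with -WhatIf so nothing is written until you remove it.

```powershell
# Added example, not from the original question or answers.
# Assumptions: RSAT ActiveDirectory module, forest/user edit rights, and that the
# "mail" attribute of each AD user already equals their O365 userID/mailbox address.
# reliancetechnologies.com is a placeholder for the subsidiary's verified domain.
Import-Module ActiveDirectory

# Every domain verified in the Entra ID / O365 tenant. A UPN suffix that is not in this
# list (e.g. supprod.local) cannot be synced as-is, and a wrong one caused the overwrite.
$VerifiedDomains = @('superiorproducts.com', 'reliancetechnologies.com')

# Step 1: register each verified domain as an alternative UPN suffix in the forest.
$forest = Get-ADForest
foreach ($d in $VerifiedDomains) {
    if ($forest.UPNSuffixes -notcontains $d) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $d }
        Write-Host "Added UPN suffix: $d"
    }
}

# Step 2: give each user the UPN that matches their existing mailbox address, so the
# identity synced from on-prem agrees with the mailbox instead of overwriting it.
$report = foreach ($u in Get-ADUser -Filter 'mail -like "*"' -Properties mail, userPrincipalName) {
    $mailDomain = ($u.mail -split '@')[-1].ToLower()
    if ($VerifiedDomains -notcontains $mailDomain) {
        # Mailbox domain is not verified in the tenant: leave the user alone, list for review.
        [pscustomobject]@{ User = $u.SamAccountName; Action = 'SKIP: domain not verified'; Upn = $u.mail }
        continue
    }
    $newUpn = $u.mail.ToLower()
    if ($u.UserPrincipalName -ne $newUpn) {
        # -WhatIf only reports the change; remove it to apply.
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
        [pscustomobject]@{ User = $u.SamAccountName; Action = 'SET UPN'; Upn = $newUpn }
    }
}
$report | Format-Table -AutoSize

# Step 3: pre-sync check. Any enabled user still carrying a suffix the tenant does not
# own should be fixed or excluded from the sync scope before enabling Cloud Sync.
$unverified = Get-ADUser -Filter 'enabled -eq $true' -Properties userPrincipalName |
    Where-Object { $_.UserPrincipalName -and
                   ($VerifiedDomains -notcontains ($_.UserPrincipalName -split '@')[-1].ToLower()) }
if ($unverified) {
    Write-Warning "$(@($unverified).Count) enabled user(s) still have a non-verified UPN suffix:"
    $unverified | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
}
```

Run it once with -WhatIf in place and read the report, then remove -WhatIf and run it again before the first sync cycle.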
