Channel: Azure Active Directory forum

Create Client-Secret - User Not Found


Using the below to create the new registered app...

$subId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$tenantId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$appDisplayName = 'myappnamehere'
$dataLakeStoreName =  'datalakestorenamehere.azuredatalakestore.net'
$startDate = Get-Date
$endDate = $startDate.AddYears(3)
$credentials = New-Object Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential -Property @{ StartDate=Get-Date; EndDate=Get-Date -Year 2099; Password='passw0rd'}
$app = New-AzADApplication -DisplayName $appDisplayName -IdentifierUris "https://localhost/$appDisplayName" -PasswordCredentials $credentials
$objId = $app.ObjectId
#Connect-AzureAD -Credential $psCred
$aadAppsecret01 = New-AzureADApplicationPasswordCredential -ObjectId $objId -CustomKeyIdentifier "secret01" -StartDate $startDate -EndDate $endDate
The last line fails with an error:
New-AzureADApplicationPasswordCredential : Error occurred while executing GetApplication
Code: Authentication_Unauthorized
Message: User was not found.
RequestId: e13fd953-6655-44c5-b10c-1731421def65
DateTimeStamp: Wed, 12 Jun 2019 14:42:34 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:19
+ ... psecret01 = New-AzureADApplicationPasswordCredential -ObjectId $objId ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADApplicationPasswordCredential], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD.Graph.PowerShell.Custom.NewAzureADApplicationPasswordCredential
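An added example (my code, not the original poster's) that does the whole operation through the AzureAD module alone, with an explicit Connect-AzureAD against the target tenant. The Az cmdlets (New-AzADApplication) and the AzureAD cmdlets (New-AzureADApplicationPasswordCredential) keep separate sessions; an AzureAD session that is missing, or that is signed in to a different tenant than the one holding the application, is a common cause of the Authentication_Unauthorized / "User was not found" response. The tenant ID and display name are placeholders. The example also lets the directory generate the secret value and bounds its lifetime to a year, rather than supplying a hard-coded password that is valid until 2099.

```powershell
# Added example (not from the original post): create the app registration and its
# client secret in one AzureAD module session, so both calls run as the same identity
# against the same tenant. Tenant ID and display name are placeholders.
$tenantId       = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'   # assumption: the tenant that will hold the app
$appDisplayName = 'myappnamehere'
$startDate      = Get-Date
$endDate        = $startDate.AddYears(1)                   # bound the secret lifetime

# Connect the AzureAD module explicitly to the intended tenant. If this step is skipped,
# or the session lands in a different tenant (for example the signing-in account's home
# tenant), the Graph-backed cmdlets answer Authentication_Unauthorized / "User was not found".
Connect-AzureAD -TenantId $tenantId | Out-Null

# Create the application with the same module that will add the secret.
$app = New-AzureADApplication -DisplayName $appDisplayName `
           -IdentifierUris "https://localhost/$appDisplayName"

# Sanity check: the application must resolve in the connected tenant before a credential is added.
$null = Get-AzureADApplication -ObjectId $app.ObjectId

# Let the directory generate the secret value instead of passing a weak, hard-coded one.
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
              -CustomKeyIdentifier 'secret01' -StartDate $startDate -EndDate $endDate

# The secret value is only returned at creation time; hand it to a vault, never to a script file.
$secret.Value
```

If the Az module is still wanted for the registration itself, the same rule applies: run Connect-AzAccount -TenantId and Connect-AzureAD -TenantId against the same tenant before mixing the two cmdlet families.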


How do I setup Azure as Print Server?


Is there a way to setup Azure as a print server without a physical server onsite?

Would also like to push through installation through GPO and possibly by location

I would hope that Microsoft would add printer settings to the AzureAD/Intune features, but it doesn't appear possible yet (without on prem)


Eric Baumbach


Hybrid Azure AD Joined machine showing registered pending


In Azure Portal I can see a few of our machines are registered pending.

  1. How can I get them registered?
  2. Do I need to get them registered? What will happen, or not happen if they stay "pending"?

I was looking into this because conditional access with MFA is not working properly with one of these "pending" machines. It is actually an RDS session host, so that may complicate it more. I do see a few standard workstations that are also in the "pending" registered state.

Thanks in advance
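An added example (my code, not from the original post) with the check a practitioner would run on one of those machines. "Pending" in the portal means the device object was created by Azure AD Connect sync but the device itself never finished registering, so it holds no device identity or primary refresh token; conditional access policies that evaluate the device cannot see it as hybrid joined, which fits the symptom described. The script reads dsregcmd /status, the scheduled task that performs the automatic join, and the device registration event log; nothing here is tenant specific.

```powershell
# Added example (not from the original post): check on the device itself whether the hybrid
# Azure AD join completed. Run in an elevated PowerShell on the machine that shows "Pending".
function Get-HybridJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep the ones that describe the join.
    $raw   = dsregcmd /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId|TenantId|AzureAdPrt|DeviceAuthStatus)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$state
}

function Get-DeviceRegistrationDiagnostics {
    # The scheduled task that performs the automatic join, with its last result (0 = success).
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    # Most recent errors from the device registration log.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'
        Level   = 2   # Error
    } -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TaskLastRunTime   = $taskInfo.LastRunTime
        TaskLastResult    = $taskInfo.LastTaskResult
        RecentErrorEvents = $events | Select-Object TimeCreated, Id, Message
    }
}

$join = Get-HybridJoinState
$join
if ($join.AzureAdJoined -ne 'YES') {
    # DomainJoined : YES together with AzureAdJoined : NO is the "pending" picture: the object
    # was synced, but the device never completed registration against the tenant.
    Get-DeviceRegistrationDiagnostics
    # To retry the join after fixing whatever the log reports:
    # Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
}
```

On a session host the same check applies, but run it in an elevated system context rather than inside a user session, since the join is performed by the device, not by the signed-in user.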


Invited guest users can't authenticate


I've added a guest user to my AAD with the intention of allowing this user to access our Azure hosted web app.

When the user clicks on the "getting started" button in the invitation email, he is brought to a screen that reads:

Create account
xxxxxx@domain.com is already a Microsoft account. If it's yours, sign in now.

If the user clicks on the "sign in" link he gets,

Sign in
That Microsoft account doesn't exist. Enter a different account or get a new one.

I'm using the mailinator.com domain to test account creation. Perhaps Microsoft has some policy that blocks use of guest accounts to that domain, and the error messages I'm getting are a red herring. Just a guess. If not, can someone help me address this issue?

Create Management Groups/Subscriptions in an automated fashion


Hello

So when I read MS documentation, there seem to be an Azure CLI module and a REST API to create Management Groups and Subscriptions. For instance: https://docs.microsoft.com/en-us/rest/api/resources/managementgroups/createorupdate

For the REST API, when I execute "Try It" from the link above, I authenticate manually to Azure, and it works.

Same thing if I run Azure CLI to list or create Management Groups: it seems to work, however, I have to use "az login" manually.

Now, what we're trying to do is do the whole thing as automation, where we use a "Service Principal" to authenticate. However, the Service Principal seems to be at the subscription scope??? Is that the right approach?

When I run using the Service Principal, I got this error:

{
    "error": {
        "code": "AuthorizationFailed",
        "message": "The client '4f44082c-3317-42de-be67-bd0db31f9821' with object id '4f44082c-3317-42de-be67-bd0db31f9821' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management'."
    }
}

Can someone point me the correct direction how we can automate the creation of Management Groups and Subscription in Azure? 

Thx

Active directory B2C Authorization on Android


Hi,

I've successfully signed in using "Azure AD B2C" on my Android app, but I'm not able to access my ASP.NET Core Web API using the bearer token. The API is returning a 401 "Unauthorized" error.

I am able to access the same API from Swagger UI and Postman.

I tried to access the API from Postman using the bearer token received on my mobile. The API returned with:
Bearer error="invalid_token", error_description="The signature key was not found"
Any help is greatly appreciated.

Regards,

Chandra Mohan

REST API grant RBAC to Management Group after creation???

I perform the following steps:
1. Create and register a Service Principal in the portal (from Azure Active Directory -> App Registration). Have the token Key
2. Use REST API to create a Management Group using this Service Principal (view the code below)
3. Use REST API to grant 'Contributors' or 'Owner' or 'User Access Administrator' to an identity but keep getting error: 
'Tenant ID, application ID, principal ID, and scope are not allowed to be updated.'.

How I can get over with this?

More REST API code below.
For creating the management group, I call:
PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/gary2?api-version=2018-03-01-preview

Body:
{
  "id": "/providers/Microsoft.Management/managementGroups/gary2",
  "type": "/providers/Microsoft.Management/managementGroups",
  "name": "gary2",
  "properties": {
    "tenantId": "20000000-0000-0000-0000-000000000000",
    "displayName": "gary2"
  }
}


For REST API to grant access to the newly created group:
PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/gary1/providers/Microsoft.Authorization/roleAssignments/b24988ac-6180-42a0-ab88-20f7382dd24c?api-version=2015-07-01

Body:

{
  "properties": {
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "804cb9e6-8adc-48f6-9f76-3d93b3c1792c"
  }
}


Keep getting the response error as:
{
  "error": {
    "code": "RoleAssignmentUpdateNotPermitted",
    "message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."
  }
}
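An added example (my code, not from either of the two management-group posts above) that walks the same two REST calls with a service principal. It covers both the AuthorizationFailed error from the earlier post and the RoleAssignmentUpdateNotPermitted error from this one. Two facts drive it: management groups hang off the tenant root group, whose ID is the tenant ID, so a service principal that only holds roles on subscriptions has no right to read or create groups under /providers/Microsoft.Management until someone grants it a role at the root group (a Global Administrator does that once, after elevating access under Azure AD Properties, "Access management for Azure resources"); and a role assignment's resource name must be a fresh GUID per assignment, so PUTting onto a fixed name that already exists with another principal or scope is treated as an update and rejected. The tenant, client, group and principal IDs below are the placeholder values from the posts or assumptions; the client secret is read at run time.

```powershell
# Added example (not from the original posts): create a management group and grant a role on it
# as a service principal, over the same ARM endpoints the posts use. All IDs are placeholders.
$tenantId     = '20000000-0000-0000-0000-000000000000'
$clientId     = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'   # app (client) ID of the service principal
$clientSecret = Read-Host -Prompt 'Client secret' -AsSecureString
$mgName       = 'gary2'
$principalId  = '804cb9e6-8adc-48f6-9f76-3d93b3c1792c'  # object ID of the identity to grant
$contributor  = 'b24988ac-6180-42a0-ab88-20f7382dd24c'  # built-in Contributor role definition ID

# Client-credentials token for Azure Resource Manager.
$plainSecret   = [System.Net.NetworkCredential]::new('', $clientSecret).Password
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -Body @{ grant_type = 'client_credentials'; client_id = $clientId;
             client_secret = $plainSecret; resource = 'https://management.azure.com/' }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)"; 'Content-Type' = 'application/json' }

# Prerequisite, done once by a Global Administrator with elevated access, not by this principal:
# a role such as Management Group Contributor on the tenant root group
#   /providers/Microsoft.Management/managementGroups/<tenantId>
# Without it every call below fails with AuthorizationFailed on Microsoft.Management/managementGroups/read.

# 1. Create (or update) the management group. The minimal body is just the display name.
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"
$mgBody  = @{ properties = @{ displayName = $mgName } } | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Put -Headers $headers -Body $mgBody `
    -Uri "https://management.azure.com${mgScope}?api-version=2020-05-01"

# Creation is asynchronous (202 Accepted); wait until the group resolves before assigning roles.
$deadline = (Get-Date).AddMinutes(2)
do {
    try {
        $null = Invoke-RestMethod -Method Get -Headers $headers `
                    -Uri "https://management.azure.com${mgScope}?api-version=2020-05-01"
        break
    } catch { Start-Sleep -Seconds 5 }
} while ((Get-Date) -lt $deadline)

# 2. Assign Contributor on the new group. The assignment name is a NEW GUID each time; reusing a
#    fixed name (the posts reuse the role definition's GUID) targets an existing assignment with a
#    different principal/scope, which the API rejects with RoleAssignmentUpdateNotPermitted.
$assignmentName = [guid]::NewGuid().ToString()
$raBody = @{
    properties = @{
        roleDefinitionId = "/providers/Microsoft.Authorization/roleDefinitions/$contributor"
        principalId      = $principalId
    }
} | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Put -Headers $headers -Body $raBody `
    -Uri "https://management.azure.com$mgScope/providers/Microsoft.Authorization/roleAssignments/${assignmentName}?api-version=2015-07-01"
```

Grant the automation principal the narrowest role that covers the job (Management Group Contributor for group lifecycle, User Access Administrator only if it must hand out roles) and scope it to the root group or to the parent group it manages, not Owner at the root.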

Use AcquireTokenSilentAsync to re-authenticate with Persisted TokenCache


I have a scenario, where 3 different types of clients (types of devices) are expected to be able to authenticate against my web app via Azure AD. However, only within the first type (normal browser from a PC environment) are users to be asked to insert their Azure AD username and password to log in. My idea was to create some kind of process which only requires logging in with the Azure AD username and password the first time. Users would use the first type of client for first login, but the process would also work without the username and password from then on; instead users would be able to access the system by means of username + PIN or even by smart-card login.

After some research, the 'Refresh token' term seemed to pop up very often. It seems that the more recent versions of ADAL no longer provide the physical refresh token; so the actual refresh-token could not be saved in some database and then used when logging in from type 2 or type 3 devices. However, the same article also suggests that this Refresh token is now handled automatically by ADAL in cache.

I also found some great sample code that implements persisted ADAL Token Cache inside a MSSQLLocalDB database via Entity Framework.

Essentially my idea is to:

  1. Use OpenIDConnect to do the authentication the first time with username and password and save the TokenCache inside the local db
  2. When logging in the next time without username and password, retrieve the persisted Token Cache from the local db And use
  3. AcquireTokenSilentAsync to login, and have ADAL handle the refresh token logic for me, like it would in an in-cache memory scenario.

Now I am not sure whether my attempt at working-around this (above) is at least on the right track (guide me :) !), but I have noticed that the tenantID, SignedInUserID and UserObjectID used in the below snippet are all retrievable upon the first successful authentication, which prompted me to at least try it out.

Dim clientcred As ClientCredential = New ClientCredential(aadClientId, aadAppKey)
Dim authenticationContext As AuthenticationContext = New AuthenticationContext(aadInstance & tenantId, New ADALTokenCache(SignedInUserID))
Dim authenticationResult As AuthenticationResult = Await authenticationContext.AcquireTokenSilentAsync(aadGraphResourceID, clientcred, New UserIdentifier(UserObjectID, UserIdentifierType.UniqueId))

Note: ADALTokenCache is the constructor of the custom ADALTokenCache class that handles persisting the TokenCache inside the local db.

So I saved these 3 values in my system database and then upon smart-card login I am retrieving them by the username, and then using AcquireTokenSilentAsync as demonstrated above.

I have implemented this solution and have some questions -

Snippet of Authentication Result returned object.

1) It seems that the persisted token is retrieved from the local db, and it seems that the authenticationResult object does retrieve the correct values; access token, id token, and User Info! However, it does not seem like that authenticates me/ logs me in. request.IsAuthenticated stays false and I am clueless at what to do next. Is the process wrong or do I need to do something more?

2) The authenticationResult seems to have an expiration date which is always 1 hour from the time of the original token creation. This seems to me like the actual Access token expiration time, but nothing related to the Refresh token expiration is visible within any ADAL related object! So it is quite a tricky situation.

3) ADAL does say that Refresh tokens are handled in cache automatically. But is there something to be configured from the Azure AD configuration side? I have found nothing related to setting up the refresh token or its expiration details inside the Azure portal.


Add Assignment for Guest User to Enterprise Application is not enough


When I invite a guest user to Azure AD in order to provide him access to an Enterprise Application which has "User assignment required" set to YES, the guest user (after registration) gets an error once trying to sign in to the application in charge:

Need admin approval
<Enterprise Application Name> YouTrack OnPremise needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.


This only happens for guest users (which have not previously signed in to my app successfully) if "User assignment required" is set to yes. Once I set it to no, the user can log in, and it will stay fine for this user even if I set it back to yes afterwards, but not for new guest users. The user(s) in charge was (were) previously assigned to access this enterprise application. The enterprise application is hosted on-premises. I don't know what other permission I need to grant except assigning the user to the respective application.

What am I missing?

kind regards,

Dieter


Azure AD SSO for internal applications access


I want to use Azure AD SSO to grant SSO access to internal applications, but for access from internal corporate users, not remotely. I understand Application Proxy can be used to grant remote access to internal applications with SSO, but I read that it is not recommended to use Application Proxy for internal access. What is the best solution to use Azure SSO if I want to grant internal users internal access to on-premises applications with SSO (examples would be password-based or SAML applications that are accessed only by users from the corporate network)?

thank you


MM

Azure Active Directory > Enterprise applications > provisioning settings


I want to implement provisioning and single sign on (SSO) in my application.

I added the application as follows.

Azure Active Directory admin center
 -> Enterprise applications
 -> New application
 -> Application you're developing

Then I selected the added application from the dashboard and tried to set it.

However, when I try to configure in the "Manage -> Provisioning" menu, I get the following error and cannot configure it.

"Automatic provisioning for APPNAME is not supported. Use the tools and administrative interfaces provided by APPNAME to provision and de-provision the user account records stored in APPNAME."

Can I do provisioning settings with the application added from "Application you're developing"?

Publisher Domain verification not working for an "application from personal account" despite json available in browser


I'm trying to verify the publisher domain of my application but it's not working despite the json file being available when checking the link in a browser.

I suspect it's because the app is listed under 'Applications from personal account', as the error message shown is:

"Verification of publisher domain failed. The application was not found. If the application was just created, wait a few minutes and refresh the page. [62wAT]"

It's a several years old app that's working fine "in the wild" so it's definitely not "just created".

Does anyone know if I'm right that this is the problem and if so whether the app can be moved away from being a personal app? Re-creating it (with a different id) is not currently an option as it's "live".

Can't sign in with Azure AD connect credentials


Hello,

I'm new to Azure and thought I'd set up a test environment. I have an old public domain I don't use (we can call it extdomain.com). I set up a brand new Win2016 host with an internal domain (we can call it intdomain.lan). I created a new Exchange server and it can pass email in and out for extdomain.com.


I went to portal.azure.com. I created a new account, e.g. me@extdomain.com (never used before to sign into MS). I filled in all the questions for a new account and it said I had $200 in free subscriptions. I then went to Azure Active Directory, created a new domain - extdomain.com - it asked me to verify the domain so I put in the TXT record in my DNS - it said it was verified and I have a happy green check.

I've gone to Active Directory Domains and Trusts - added extdomain.com as a UPN suffix. I've modified user accounts so people can log in with username@extdomain.com.

I've installed Azure AD Connect on the server. I open it and it warns me that intdomain.lan is non-routable.

I choose express (even if I select customize, I get stuck at the same next screen).

When I get to the "connect to Azure AD" screen, I fill in the Azure portal login I created to set up the Azure portal.

I get "the user name or password is incorrect. Verify your user name and then type your password again." I know that is the user name and password I sign in to the Azure Portal with.


Configuring LDAP??

Researching options on the best way to configure some software in a Windows Server 2016 environment on Azure.  I'm installing "NoMagic's TeamWork Cloud, not their TeamWork Server" software and plan on configuring LDAP within that software.  What would be the best way of accomplishing this?  Deploying AD services on the server 2016 instance or can I utilize azure ad domain services?  Definitely new to the whole Azure thing so any help/guidance would be greatly appreciated!!  

How do I sign up for Azure?

Can't I activate Azure with an education-office account or a personal account?

In the case of a school email, the school blocks us from seeing the school email..

Is there no way to sign up separately? I'm a student..

Please reply.

Korean is preferred if possible, but

if only English is possible, I'll use a translator.

If you've answered, please leave it at ab0389@naver.com.


Custom policy ends with an error 500 on oauth2/authresp


I want to have 2 login providers for my app. Customers would connect with B2C and employees would connect with our AAD by SSO. Currently the B2C login for customers works with a SignIn V2 user flow, and our SSO works just fine for any other applications.

I followed these 2 pages to get started, using the exact same names:

 - https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
 - https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom

They could be clearer but I think I got everything right as far as the XML goes. When I run my custom policy, I get a page with a login form and a button to connect with the AD. If I click the button, I'm redirected to the SSO page and I log in with my user. The first time I'm asked to accept the permissions. So far so good, but after that I get redirected to https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/authresp, which gives a generic error 500 page. In the B2C Audit log, I see an event "Federate with an identity provider" with "Status: success" for the same datetime as my login, so I believe the login works. Similarly, I can see a successful sign-in in the user's page in the AAD.

Is there something more I need to do that the MSDN pages missed? I should be getting redirected to jwt.ms with a token.

Relevant xml files (redacted):
TrustFrameworkBase.xml (only the parts I've modified):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="mytenant.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkBase"
  PublicPolicyUri="http://mytenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase">
  <!-- snip default building blocks -->
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <DisplayName>Local Account SignIn</DisplayName>
          <Protocol Name="OpenIdConnect" />
          <Metadata>
            <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
            <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
            <Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
            <Item Key="ProviderName">https://sts.windows.net/mytenantguid/</Item>
            <Item Key="METADATA">https://login.microsoftonline.com/mytenant.onmicrosoft.com/.well-known/openid-configuration</Item>
            <Item Key="authorization_endpoint">https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/token</Item>
            <Item Key="response_types">id_token</Item>
            <Item Key="response_mode">query</Item>
            <Item Key="scope">email openid</Item>
            <!-- Policy Engine Clients -->
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="HttpBinding">POST</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
            <InputClaim ClaimTypeReferenceId="password" Required="true" />
            <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
            <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
            <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
            <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
            <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <!-- snip other default claim providers -->
  </ClaimsProviders>
  <!-- snip default user journeys -->
</TrustFrameworkPolicy>


TrustFrameworkExtension.xml

<?xml version="1.0" encoding="utf-8" ?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="mytenant.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://mytenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <BasePolicy>
    <TenantId>mytenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <BuildingBlocks></BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">ProxyIdentityExperienceFramework_AppId</Item>
            <Item Key="IdTokenAudience">IdentityExperienceFramework_AppId</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFramework_AppId" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFramework_AppId" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <Domain>Mycompany</Domain>
      <DisplayName>Login using Mycompany</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="MycompanyProfile">
          <DisplayName>Mycompany Employee</DisplayName>
          <Description>Login with your Mycompany account</Description>
          <Protocol Name="OpenIdConnect"/>
          <OutputTokenFormat>JWT</OutputTokenFormat>
          <Metadata>
            <Item Key="METADATA">https://login.windows.net/mytenant.onmicrosoft.com/.well-known/openid-configuration</Item>
            <Item Key="ProviderName">https://sts.windows.net/mytenantguid/</Item>
            <Item Key="client_id">AzureADB2CApp_AppdId</Item>
            <Item Key="IdTokenAudience">AzureADB2CApp_AppdId</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="response_types">code</Item>
            <Item Key="scope">openid</Item>
            <Item Key="response_mode">form_post</Item>
            <Item Key="HttpBinding">POST</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_MycompanySecret"/>
          </CryptographicKeys>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
            <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
            <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
          </OutputClaimsTransformations>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignInMycompany">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signinwithpassword">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="MycompanyExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Check if the user has selected to sign in using one of the social providers -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
            <ClaimsExchange Id="MycompanyExchange" TechnicalProfileReferenceId="MycompanyProfile" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId).
             This can only happen when authentication happened using a social IDP. If local account was created or authentication done
             using ESTS in step 2, then an user account must exist in the directory by this time. -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent
             in the token. -->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>


SignUpOrSigninMycompany.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="mytenant.onmicrosoft.com"
  PolicyId="B2C_1A_signup_signin_mycompany"
  PublicPolicyUri="http://mytenant.onmicrosoft.com/B2C_1A_signup_signin_mycompany">
  <BasePolicy>
    <TenantId>mytenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignInMycompany" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>


In the Identity Experience Framework panel, I run B2C_1A_signup_signin_mycompany and choose testapp1 with https://jwt.ms as the reply URL.

[B2C] How to configure JwtBearerOptions to include policy name in well-known/openid-configuration URL?


I'm trying to add some bearer token verification to my ASP.NET web application. I'm using the built-in JWT authentication code, configured by using the following code ...

services.AddAuthentication(ConfigureAuthentication).AddJwtBearer(ConfigureJwt);

Which runs the following functions ...

private void ConfigureAuthentication(AuthenticationOptions options)
{
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}

private void ConfigureJwt(JwtBearerOptions options)
{
    var directoryId = Configuration["AzureAd:DirectoryId"];
    var directoryName = Configuration["AzureAd:DirectoryName"];
    var policy = Configuration["AzureAd:SigninPolicyName"];

    options.Audience = Configuration["AzureAd:ApplicationId"];
    options.Authority = $"https://{directoryName}.b2clogin.com/{directoryName}.onmicrosoft.com/v2.0";
}

The `ConfigureJwt` method is the one I'm dealing with. I can't seem to get the underlying JWT code to fetch the `openid-configuration` from the appropriate URL. It's very close, but it's lacking the policy from the URL. Here is what my above code generates and tries to fetch the `openid-configuration` from ...

    https://example-directory.b2clogin.com/example-directory.onmicrosoft.com/v2.0/.well-known/openid-configuration

And here is what it is supposed to fetch the configuration from, as specified from the Azure portal ...

    https://example-directory.b2clogin.com/example-directory.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignInPolicy

As you can see, my code above is lacking the policy name.

I can't seem to figure out how to specify this anywhere. Does anybody know how to configure `JwtBearerOptions` so that it includes this policy name?
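An added example (my code, not from this post or from the earlier Android B2C post) that serves both of them. In Azure AD B2C every user flow (policy) is its own issuer with its own signing keys and its own metadata document; a JwtBearer handler whose Authority is the policy-less .../v2.0 URL downloads a JWKS that does not contain the kid of tokens issued by B2C_1_SignInPolicy, and the handler then rejects the token with "The signature key was not found", which surfaces to the client as a 401 invalid_token. The ASP.NET Core fix is to put the policy into the authority, for example $"https://{directoryName}.b2clogin.com/{directoryName}.onmicrosoft.com/{policy}/v2.0", or to set options.MetadataAddress to the full ?p= URL shown in the portal. The script below is the check that confirms the diagnosis: it decodes a token's header without verifying it, fetches that policy's metadata and JWKS, and reports whether the kid is present. The directory name, policy name and the sample token are assumptions.

```powershell
# Added example (not from the original posts): resolve the policy-specific B2C metadata and check
# whether a token's signing key ID (kid) exists in that policy's JWKS. Placeholders throughout.
function Get-B2cMetadataUri {
    param([string]$DirectoryName, [string]$Policy)
    # Policy in the path; the ?p=<policy> query form is equivalent. Without the policy segment,
    # B2C serves a different document whose jwks_uri does not carry this policy's keys.
    "https://$DirectoryName.b2clogin.com/$DirectoryName.onmicrosoft.com/$Policy/v2.0/.well-known/openid-configuration"
}

function ConvertFrom-Base64Url {
    param([string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtHeader {
    param([string]$Token)
    # Header only; no signature verification happens here. This is a diagnostic, not a validator.
    ConvertFrom-Base64Url ($Token.Split('.')[0]) | ConvertFrom-Json
}

function Test-TokenKeyAgainstPolicy {
    param([string]$Token, [string]$DirectoryName, [string]$Policy)
    $header   = Get-JwtHeader $Token
    $metadata = Invoke-RestMethod -Uri (Get-B2cMetadataUri $DirectoryName $Policy)
    $jwks     = Invoke-RestMethod -Uri $metadata.jwks_uri
    [pscustomobject]@{
        TokenKid        = $header.kid
        Issuer          = $metadata.issuer
        JwksUri         = $metadata.jwks_uri
        KidInPolicyJwks = [bool]($jwks.keys | Where-Object { $_.kid -eq $header.kid })
    }
}

# Offline check of the header decoder on a constructed token (header.payload.signature, not real).
$sampleHeader = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(
                    '{"typ":"JWT","alg":"RS256","kid":"example-kid"}')).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sampleToken  = $sampleHeader + '.e30.c2ln'
(Get-JwtHeader $sampleToken).kid          # example-kid

# Live check: paste the bearer token the mobile app actually sent to the API.
# Test-TokenKeyAgainstPolicy -Token $token -DirectoryName 'example-directory' -Policy 'B2C_1_SignInPolicy'
```

If KidInPolicyJwks is false for the policy the API is configured with but true for the policy the client signed in with, the client and the API are pointed at different user flows and one side's configuration has to change; if it is true and the API still returns 401, look at audience and issuer validation next, since those are checked after the signature.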


Steps to removing on prem azure ad connect, azure ad users and custom domain


We are wanting to stop our on premises AD from syncing to our Azure AD domain.
And be left with only our original created Azure AD domain.

I wanted to be sure on the order and steps to do this correctly.

This is what I have so far.

Step 1: From our on premises server we will stop the Azure Ad Connect.
"uninstall an Authentication Agent, uninstall both the Microsoft Azure AD Connect Authentication Agent and the Microsoft Azure AD Connect Agent Updater programs."

Step 2:  Delete from Azure Ad any users from the stopped on premises domain.

Step 3: Delete Custom Domain name in Azure (my on premises AD we were syncing from) and leave the original azure ad domains that are in use.
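An added example (my code, not the original poster's) with the tenant-side steps and checks that accompany the three on-premises steps above. Removing Azure AD Connect from the server does not by itself turn off directory synchronization in the tenant: while DirSync stays enabled, the synced users remain read-only in Azure AD and cannot be deleted or edited there, and the custom domain cannot be removed while any object still references it. The script uses the MSOnline and AzureAD modules that were current when the post was written (Microsoft Graph PowerShell is their successor); the domain name is an assumption.

```powershell
# Added example (not from the original post): tenant-side checks and steps that go with
# stopping on-premises sync. MSOnline and AzureAD modules; the domain name is an assumption.
Connect-MsolService
Connect-AzureAD | Out-Null

$onPremDomain = 'corp.example.com'   # assumption: the custom domain that was being synced

# 1. Current sync state. Uninstalling AAD Connect alone leaves DirSync enabled in the tenant,
#    so synced users stay read-only ("managed on-premises") and cannot be edited or deleted in Azure AD.
Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime

# 2. Disable directory synchronization in the tenant. This is a tenant-wide switch, it can take up
#    to 72 hours to complete, and afterwards every previously synced object becomes cloud-only.
Set-MsolDirSyncEnabled -EnableDirectorySync $false

# 3. Inventory the users that came from the on-premises domain before deleting anything.
$synced = Get-MsolUser -All | Where-Object {
    $_.ImmutableId -and $_.UserPrincipalName -like "*@$onPremDomain"
}
$synced | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime

# 4. Delete them only once DirSync reports disabled (step 2 has completed), then purge the
#    recycle bin so the domain has no remaining references.
if (-not (Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    $synced | ForEach-Object { Remove-MsolUser -UserPrincipalName $_.UserPrincipalName -Force }
    Get-MsolUser -ReturnDeletedUsers -All |
        Where-Object { $_.UserPrincipalName -like "*@$onPremDomain" } |
        ForEach-Object { Remove-MsolUser -UserPrincipalName $_.UserPrincipalName -RemoveFromRecycleBin -Force }

    # 5. The domain can only be removed when no user, group or application still references it.
    Remove-AzureADDomain -Name $onPremDomain
}
```

Run step 3 and review the list before step 4; any account in it that must survive (a shared mailbox, a service account) should have its UPN moved to a retained domain rather than be deleted.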

Change Login after AAD Connect Deployment


Hi,


Got a client who deployed AADC with PTA/SSSO using "emailAddress" as the Azure UPN. We want to change this to the best practice config of using the on-prem UPN. Was only able to find the article below in my search for ways to accomplish this post-AADC deployment. Anyone know of a better/simpler way or can at least validate this method is proper?


https://evotec.xyz/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azure/

If this is the proper method, can anyone advise on the impact of this change (worries me that it ends with running AADC Sync as "Initial")?

Encryption icon missing from OWA



I used the following powershell command but to no avail 

Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $True
