Different UPN suffix for a user other than federated domain and try to sync that user

Question

What will happen if you give different UPN suffix for a user other than federated domain and try to sync that user in Azure AD.

Answer 1

I would like to confirm that end user's sign-in experience might be different considering configuration you have for AD Connect.

Let's take following configuration as an example and share 2 possible scenarios with you:

You have 3 domains on local AD out of which 2 are verified on Azure AD.

1. domain.local - Non-Routable local domain.
2. abc.com Sync'd - Federated with AzureAD.
3. xyz.com Sync'd - Managed and verified on AzureAD.

Scenario 1: Optional Features like PHS is not Enabled.

• Lets say if you sync user1@xyz.com from on-prem to Azure AD. User would be created on Azure AD with UPN user1@xyz.com, however user would not be able to login to any Office Service or Azure AD Application with error Incorrect Username or Password.
• Lets say if you sync user3@domain.local from on-prem to Azure AD. User would be created on Azure AD UPN user2@.onmicrosoft.com, however user would not be able to login to any Office Service or Azure AD Application with error Incorrect Username or Password.

Scenario 2: Optional Features like PHS is not Enabled.

• Lets say if you sync user3@xyz.com from on-prem to Azure AD. User would be created on Azure AD with UPN user1@xyz.com, User would be able to login with on-prem username and password on any Office 365 service or Azure AD Application
• Lets say if you sync user3@domain.local from on-prem to Azure AD. User would be created on Azure AD UPN user2@.onmicrosoft.com, User would be able to login with on-prem username and password on any Office 365 service or Azure AD Application.

The only difference in scenario 1 and 2 is usage of Password Hash Sync feature. If password hash sync is enabled, On-Prem user's password hash is sync'd to Azure AD and hence user would be able to Sign-In to Office Service or any Azure AD Application.