In Azure AD, the UserPrincipalName (UPN) can be manually updated using Set-MsolUserPrincipalName Power Shell cmdlet. The details and syntax are explained here – https://msdn.microsoft.com/en-us/library/azure/dn194135.aspx
One of the common issues you experience during this process is the “Access Denied” error message.
Set-MsolUserPrincipalName : Access Denied. You do not have permissions to call this cmdlet
If you are using Global Administrator account, you should have permission to update user properties. This error message can be little misleading. Most of the time, you will see this error message because of an non-existent UPN name in the “-UserPrincipalName” parameter.
Here are some examples:
As you can see in the following screenshot, I am getting the Set-MsolUserPrincipalName : Access Denied. You do not have permissions to call this cmdlet message here.
I am using a Global Administrator account here. This is because of the non-existent UPN (current UPN of the user from Azure). If you run Get-MsolUser cmdlet, you will see the real error message 🙂 “Get-MsolUser : User Not Found. User: Client2User200@myinfralab.onmicrosoft.com” error message.
You need to verify current Azure UPN before you the Set-MsolUserPrincipalName or you can combine Get-MsolUser and Set-MsolUserPrincipalName cmdlets to include this validation check to get some more meaningful error message.
Get-MsolUser -UserPrincipalName CurrentUPNfromAzure@domain.onmicrosoft.com | Set-MsolUserPrincipalName -NewUserPrincipalName NewUPN@mydomain.com
Also, make sure to verify the Custom Domain in Azure if you are planning to use a custom domain name as UPN.