diff --git a/api-reference/beta/resources/user.md b/api-reference/beta/resources/user.md
index e99a9306404..3acebbeb05c 100644
--- a/api-reference/beta/resources/user.md
+++ b/api-reference/beta/resources/user.md
@@ -226,17 +226,17 @@ This resource supports:
| mobilePhone | String | The primary cellular telephone number for the user. Read-only for users synced from the on-premises directory.
Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values) and `$search`.|
| mySite | String | The URL for the user's site.
Returned only on `$select`. |
| officeLocation | String | The office location in the user's place of business. Maximum length is 128 characters.
Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values). |
-| onPremisesDistinguishedName | String | Contains the on-premises Active Directory `distinguished name` or `DN`. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Read-only. |
-| onPremisesDomainName | String | Contains the on-premises `domainFQDN`, also called dnsDomainName synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Read-only. |
+| onPremisesDistinguishedName | String | Contains the on-premises Active Directory `distinguished name` or `DN`. |
+| onPremisesDomainName | String | Contains the on-premises `domainFQDN`, also called dnsDomainName synchronized from the on-premises directory. |
|onPremisesExtensionAttributes|[onPremisesExtensionAttributes](onpremisesextensionattributes.md)|Contains extensionAttributes1-15 for the user. These extension attributes are also known as Exchange custom attributes 1-15.
For an **onPremisesSyncEnabled** user, the source of authority for this set of properties is the on-premises and is read-only. For a cloud-only user (where **onPremisesSyncEnabled** is `false`), these properties can be set during the creation or update of a user object. For a cloud-only user previously synced from on-premises Active Directory, these properties are read-only in Microsoft Graph but can be fully managed through the Exchange Admin Center or the Exchange Online V2 module in PowerShell.
Supports `$filter` (`eq`, `ne`, `not`, `in`). |
| onPremisesImmutableId | String | This property associates an on-premises Active Directory user account to their Microsoft Entra user object. This property must be specified when creating a new user account in the Graph if you're using a federated domain for the user's `userPrincipalName` (UPN) property. **Note:** The **$** and **\_** characters can't be used when specifying this property.
Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`). |
| onPremisesLastSyncDateTime | DateTimeOffset | Indicates the last time at which the object was synced with the on-premises directory; for example: "2013-02-16T03:04:54Z". The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.
Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`). |
| onPremisesProvisioningErrors | [onPremisesProvisioningError](onpremisesprovisioningerror.md) collection | Errors when using Microsoft synchronization product during provisioning.
Supports `$filter` (`eq`, `not`, `ge`, `le`).|
-| onPremisesSamAccountName | String | Contains the on-premises `sAMAccountName` synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Read-only.
Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`).|
-| onPremisesSecurityIdentifier | String | Contains the on-premises security identifier (SID) for the user synchronized from on-premises to the cloud. Read-only. Supports `$filter` (`eq` including on `null` values). |
+| onPremisesSamAccountName | String | Contains the on-premises `sAMAccountName` synchronized from the on-premises directory.
Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`).|
+| onPremisesSecurityIdentifier | String | Contains the on-premises security identifier (SID) for the user synchronized from on-premises to the cloud. Must be in the format of SID, such as "S-1-5-21-1180699209-877415012-3182824384-1006". Supports `$filter` (`eq` including on `null` values). |
|onPremisesSipInfo|[onPremisesSipInfo](../resources/onpremisessipinfo.md)|Contains all on-premises Session Initiation Protocol (SIP) information related to the user. Read-only.|
| onPremisesSyncEnabled | Boolean | `true` if this user object is currently being synced from an on-premises Active Directory (AD); otherwise, the user isn't being synced and can be managed in Microsoft Entra ID. Read-only.
Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values). |
-| onPremisesUserPrincipalName | String | Contains the on-premises `userPrincipalName` synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Read-only.
Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`). |
+| onPremisesUserPrincipalName | String | Contains the on-premises `userPrincipalName` synchronized from the on-premises directory.
Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`). |
| otherMails | String collection | A list of additional email addresses for the user; for example: `["bob@contoso.com", "Robert@fabrikam.com"]`.
NOTE: This property can't contain accent characters.
Supports `$filter` (`eq`, `not`, `ge`, `le`, `in`, `startsWith`, `endsWith`, `/$count eq 0`, `/$count ne 0`). |
| passwordPolicies | String | Specifies password policies for the user. This value is an enumeration with one possible value being `DisableStrongPassword`, which allows weaker passwords than the default policy to be specified. `DisablePasswordExpiration` can also be specified. The two may be specified together; for example: `DisablePasswordExpiration, DisableStrongPassword`. For more information on the default password policies, see [Microsoft Entra password policies](/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts).
Supports `$filter` (`ne`, `not`, and `eq` on `null` values).|
| passwordProfile | [passwordProfile](passwordprofile.md) | Specifies the password profile for the user. The profile contains the user's password. This property is required when a user is created. The password in the profile must satisfy minimum requirements as specified by the **passwordPolicies** property. By default, a strong password is required.
Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values).
To update this property:
In delegated access, the calling app must be assigned the *Directory.AccessAsUser.All* delegated permission on behalf of the signed-in user. In application-only access, the calling app must be assigned the *User.ReadWrite.All* (least privilege) or *Directory.ReadWrite.All* (higher privilege) application permission *and* at least the *User Administrator* [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json).|
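Review bot: The five `+` rows (onPremisesDistinguishedName, onPremisesDomainName, onPremisesSamAccountName, onPremisesSecurityIdentifier, onPremisesUserPrincipalName) drop "Read-only" but never say who can write these values or under what condition. The removed sentence about the property being populated only through Microsoft Entra Connect is also gone, so a reader can no longer tell where the value comes from. The onPremisesExtensionAttributes row in the same table spells out the source of authority for an **onPremisesSyncEnabled** user versus a cloud-only user, and the passwordProfile row lists the permissions and role needed to update it. Please add the equivalent statement to each of these rows, since a writable SID or UPN is an identity-relevant change that admins will want to scope. Separately, only the onPremisesSecurityIdentifier row gains a format constraint; "Must be in the format of SID, such as ..." would read better as "Must be a valid SID string, for example ...", and it is worth stating whether the other four properties are validated on write.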
diff --git a/changelog/Microsoft.DirectoryServices.json b/changelog/Microsoft.DirectoryServices.json
index bbb515d9947..43edc6d5ad9 100644
--- a/changelog/Microsoft.DirectoryServices.json
+++ b/changelog/Microsoft.DirectoryServices.json
@@ -1,5 +1,23 @@
{
"changelog": [
+ {
+ "ChangeList": [
+ {
+ "Id": "c6f4eb0f-746a-4a71-827e-da8585b89c64",
+ "ApiChange": "Resource",
+ "ChangedApiName": "user",
+ "ChangeType": "Change",
+ "Description": "Changed the following on-prem synced properties of the [user](https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-beta) resource type that were read-only in Microsoft Graph to be updatable via Microsoft Graph: **onPremisesDistinguishedName**, **onPremisesDomainName**, **onPremisesSamAccountName**, **onPremisesSecurityIdentifier**, **onPremisesUserPrincipalName**.",
+ "Target": "user"
+ }
+ ],
+ "Id": "c6f4eb0f-746a-4a71-827e-da8585b89c64",
+ "Cloud": "Prod",
+ "Version": "beta",
+ "CreatedDateTime": "2024-10-01T16:45:20.304139Z",
+ "WorkloadArea": "User",
+ "SubArea": ""
+ },
{
"ChangeList": [
{
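Review bot: The "Description" string says "on-prem synced properties", while the user.md rows it describes use "on-premises" throughout; please spell it out here for consistency. The description also omits the one new constraint this change introduces, the SID format requirement on **onPremisesSecurityIdentifier**, so a reader who only sees the changelog entry will not know that writes to that property are format-checked. Consider adding a short clause about it, plus a pointer to where the update conditions are documented once the user.md rows state them.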
diff --git a/concepts/whats-new-overview.md b/concepts/whats-new-overview.md
index 7ddfecb0a90..52c702a70c2 100644
--- a/concepts/whats-new-overview.md
+++ b/concepts/whats-new-overview.md
@@ -16,6 +16,17 @@ For details about previous updates to Microsoft Graph, see [Microsoft Graph what
> [!IMPORTANT]
> Features in _preview_ status are subject to change without notice, and might not be promoted to generally available (GA) status. Don't use preview features in production apps.
+## October 2024: New in preview only
+
+### Users
+
+Changed the following on-prem synced properties of the [user](/graph/api/resources/user?view=graph-rest-beta&preserve-view=true) resource type that were read-only in Microsoft Graph to be updatable via Microsoft Graph:
+- onPremisesDistinguishedName
+- onPremisesDomainName
+- onPremisesSamAccountName
+- onPremisesSecurityIdentifier
+- onPremisesUserPrincipalName
+
## September 2024: New and generally available
### Change notifications
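Review bot: In the new "### Users" entry the five property names are listed as plain text, whereas the changelog description for the same change bolds them (**onPremisesDistinguishedName** and so on); please use the same formatting in both places. The sentence also repeats "on-prem" where the reference page uses "on-premises", and it announces that the properties are "updatable via Microsoft Graph" without saying which permission or user state makes the update possible. A one-line pointer to that information would help readers judge the impact of the preview change.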