I got the script down to less than 100 lines. 3,000+ accounts have their UPNs verified and remediated so they'll be compliant with our SSO and bizarrely restricted selective group-sync. Tested against sandbox accounts and sandbox tennant to ensure transparency...

"Systems architect": "Not a lot of code there for 3 days work..."