Remove an unwanted ProxyAddress pattern from users via AADConnect


I had an interesting request from a customer the other day where they were synchronizing Active Directory into two disparate environments, Office 365 and another hosted Exchange environment. In their new Office 365 environment, they didn't want any proxy addresses matching a particular pattern to be part of a user's proxyAddresses array, but they also didn't want to remove them from their on-premises accounts, since their other hosting environment uses them as application routing addresses.

Fortunately, AADConnect can do this for you. There are two ways to do it (through the GUI or via PowerShell). I've provided a PowerShell script that you can run at the end, but we'll go through the Synchronization Rules Editor way first.

Synchronization Rules Editor

  1. Launch the Synchronization Rules Editor.
  2. Depending on your version of the GUI, the “Inbound” and “Outbound” buttons may have moved, but in the current version, click the “Direction” dropdown, select “Outbound”, and then click “Add new rule.”
  3. On the Description tab, enter a name, a description, and a precedence (number value; lower numbers are higher precedence).
  4. In the Connected System drop-down, select your AAD connector.
  5. In the Connected System Object Type drop-down, select user.
  6. In the Metaverse Object Type drop-down, select person.
  7. In the Link Type drop-down, select Join.
  8. Click Next.
  9. On the Scoping Filter tab, click Next.
  10. On the Join Rules tab, select sourceAnchor from both the Source Attribute and Target Attribute columns.
  11. Click Next.
  12. On the Transformations tab, select Expression under the Flow Type drop-down, select proxyAddresses under the Target Attribute drop-down, and select Update under the Merge Type drop-down.
  13. Copy/paste the following into the Source text area, replacing testpattern with the value you want to filter out (the vbTextCompare argument makes the match case-insensitive, and InStr matches the value anywhere in an address):
    IIF(InStr([proxyAddresses],"testpattern",1,vbTextCompare)=0,[proxyAddresses],NULL)
  14. Click Save.

PowerShell

Copy and paste the following into your favorite text editor (Notepad, Notepad++) or ISE (Windows PowerShell ISE, PowerGUI, etc.) and save it as a .ps1. Run it with the -Pattern parameter to specify the value that you want to filter out. Optionally, pass the -Precedence parameter (a default of 90 will be used), or use the -LowestPrecedence switch to take the value just below the lowest precedence currently in use.

<#
Create a new AADConnect outbound rule stripping out unwanted proxy addresses
before they flow to Azure AD. On-premises values are left untouched.
#>
param(
    # Substring to filter out of proxyAddresses (matched case-insensitively)
    [Parameter(Mandatory = $true)]
    [string]$Pattern,
    # Use the value just below the lowest precedence currently in use
    [switch]$LowestPrecedence,
    # Rule precedence; lower numbers are higher precedence
    [int]$Precedence = 90
    )
If ($LowestPrecedence)
    {
    [array]$AllRulesPrecedence = (Get-ADSyncRule).Precedence
    $Precedence = (($AllRulesPrecedence | Measure-Object -Minimum).Minimum) - 1
    }
# Wrap the pattern in literal double quotes so it lands in the expression as a string literal
$RemovePattern = "`"$Pattern`""
[string]$Identifier = [Guid]::NewGuid()
# Identifier of the Azure AD connector (its name ends in " - AAD")
[string]$Connector = (Get-ADSyncConnector | ? { $_.Name -like "* - AAD"}).Identifier.ToString()
# Create the outbound rule shell: person (metaverse) -> user (AAD), Join link type
New-ADSyncRule  `
-Name 'Out to AAD - User Strip Proxy' `
-Identifier $Identifier `
-Description 'Remove Proxy Addresses Pattern' `
-Direction 'Outbound' `
-Precedence $Precedence `
-PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
-PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
-SourceObjectType 'person' `
-TargetObjectType 'user' `
-Connector $Connector `
-LinkType 'Join' `
-SoftDeleteExpiryInterval 0 `
-ImmutableTag '' `
-OutVariable syncRule
# Attribute flow: keep each proxyAddresses value only when the pattern is not found in it
Add-ADSyncAttributeFlowMapping  `
-SynchronizationRule $syncRule[0] `
-Source @('proxyAddresses') `
-Destination 'proxyAddresses' `
-FlowType 'Expression' `
-ValueMergeType 'Update' `
-Expression "IIF(InStr([proxyAddresses],$RemovePattern,1,vbTextCompare)=0,[proxyAddresses],NULL)" `
-OutVariable syncRule
# Join on sourceAnchor (source and target), as in the GUI steps above
New-Object  `
-TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `
-ArgumentList 'sourceAnchor','sourceAnchor',$false `
-OutVariable condition0
Add-ADSyncJoinConditionGroup  `
-SynchronizationRule $syncRule[0] `
-JoinConditions @($condition0[0]) `
-OutVariable syncRule
# Commit the rule to the sync engine and show the result
Add-ADSyncRule  `
-SynchronizationRule $syncRule[0]
Write-Host "New AD Sync Rule Created:"
Get-ADSyncRule  `
-Identifier $Identifier

You can also download the script directly from the TechNet Gallery at https://gallery.technet.microsoft.com/AADConnect-Rule-to-Remove-a922e82a.
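Before the rule goes in, it is worth seeing what the expression would actually drop, because InStr matches the pattern anywhere in a value, including a user's primary SMTP: address. The pre-flight check below is an added example, not part of the original script: the Test-ProxyStripImpact function and the sample users are constructed here, and the sample stands in for what Get-ADUser -Properties proxyAddresses would return.

```powershell
# Added pre-flight check (not from the original post): applies the same
# case-insensitive "pattern anywhere in the value" test as
# IIF(InStr([proxyAddresses],"<pattern>",1,vbTextCompare)=0,...) and reports
# users who would lose their primary SMTP: address or every address.
function Test-ProxyStripImpact {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,
        # Objects with UserPrincipalName and ProxyAddresses, e.g. from
        # Get-ADUser -Filter * -Properties proxyAddresses
        [Parameter(Mandatory = $true)][object[]]$Users
    )
    foreach ($u in $Users) {
        $addresses = @($u.ProxyAddresses | Where-Object { $_ })
        # vbTextCompare is case-insensitive, so use OrdinalIgnoreCase rather than a -like wildcard
        $dropped = @($addresses | Where-Object { $_.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
        $kept    = @($addresses | Where-Object { $_.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -lt 0 })
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Dropped           = $dropped
            Kept              = $kept
            # Upper-case SMTP: marks the primary address, so compare case-sensitively
            PrimaryDropped    = [bool]($dropped | Where-Object { $_ -clike 'SMTP:*' })
            NothingLeft       = ($kept.Count -eq 0)
        }
    }
}

# Constructed sample standing in for real directory output
$sampleUsers = @(
    [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.example'
        ProxyAddresses    = @('SMTP:alice@contoso.example', 'smtp:alice@testpattern.example')
    },
    [pscustomobject]@{
        # Pattern also occurs in the primary address: the rule would strip it
        UserPrincipalName = 'bob@testpattern.example'
        ProxyAddresses    = @('SMTP:bob@testpattern.example', 'smtp:bob@contoso.example')
    },
    [pscustomobject]@{
        # Only address matches the pattern: nothing would flow to the cloud
        UserPrincipalName = 'svc-router@contoso.example'
        ProxyAddresses    = @('smtp:TESTPATTERN-router@contoso.example')
    }
)

$report = Test-ProxyStripImpact -Pattern 'testpattern' -Users $sampleUsers
$report | Format-Table UserPrincipalName, PrimaryDropped, NothingLeft, @{ n = 'Dropped'; e = { $_.Dropped -join ';' } }
# Anything flagged here needs a narrower pattern or an exception before the rule is saved
$report | Where-Object { $_.PrimaryDropped -or $_.NothingLeft }
```

Swap $sampleUsers for real directory output to run the same check against your own accounts.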
