Use AADConnect to add a Proxy Address


* UPDATE* After doing this originally, I decided to take a different route and write it back to the on-premises AD, so that way, the objects are synchronous.  This post now reflects the updated content.

A few weeks ago, I had an issue where I needed to remove a proxy address from the proxyAddresses array of a user being synchronized to Office 365.  This week, I have exactly the *opposite* requirement (for the same customer, no less)–add a proxy address for users that aren’t already stamped.

Fortunately, AADConnect can also do this for you.  As with most things these days, there are two ways to skin the cat (both through the GUI and via PowerShell).  I’ve provided a PowerShell script that you can run at the end, but we’ll go through the Synchronization Rules Editor way first.

Synchronization Rules Editor

  1. Launch the Synchronization Rules Editor.
  2. Depending on your version of the GUI, the “Inbound” and “Outbound” buttons may have moved, but find a place to select the “Direction” Outbound and click on it, and then click “Add new rule.”
  3. On the Description tab, enter a name, a description, and a precedence (number value; lower numbers are higher precedence).
  4. In the Connected System drop-down, select your AD connector.
  5. In the Connected System Object Type drop-down, select user.
  6. In the Metaverse Object Type drop-down, select person.
  7. In the Link Type drop-down, select Join.
  8. Click Next.
  9. On the Scoping Filter tab, Add Group, and then click Add Clause.
  10. Under Attribute, select mailNickname.
  11. Under Operator, select ISNOTNULL.
  12. Click Next.
  13. On the Transformations tab, select Expression under the Flow Type drop-down, select proxyAddresses under the Target Attribute drop-down, and select Merge under the Merge Type drop-down.
  14. Copy/paste the following into the Source text area, replacing newproxyaddressdomain.com with the value you want to add:
    IIF(InStr([proxyAddresses],"newproxyaddressdomain.com",1,vbTextCompare)=1,[proxyAddresses],"smtp:" & [mailNickname] & "@newproxyaddressdomain.com")
  15. Click Save.

PowerShell

Copy and paste the following into your favorite text editor (Notepad, Notepad++) or ISE (Windows PowerShell ISE, PowerGUI, etc.), save as a .ps1, and then run with the -NewProxyAddressDomain parameter to specify the value that you want to filter out and (optionally) the -Precedence parameter (or use the -LowestPrecedence parameter to automatically select the lowest available precedence).

<#
Create a new AADConnect rule to add a new proxy address.
#>
param(
    [switch]$LowestPrecedence,
    [string]$NewProxyAddressDomain,
    [string]$Precedence = "90"
    )
$NewProxy = [scriptblock]::Create("`"$NewProxyAddressDomain`"")
[string]$Identifier = [Guid]::NewGuid().ToString()
[string]$Connector = (Get-ADSyncConnector | ? { $_.ConnectorTypeName -eq "AD" }).Identifier.ToString()
If ($Lowest)
    {
    [array]$AllRulesPrecedence = (Get-ADSyncRule).Precedence
    $Precedence = (($AllRulesPrecedence | Measure-Object -Minimum).Minimum -1)
    }
New-ADSyncRule  `
-Name 'Out to AD - Add Proxy Address' `
-Identifier $Identifier `
-Description '' `
-Direction 'Outbound' `
-Precedence $Precedence `
-PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
-PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
-SourceObjectType 'person' `
-TargetObjectType 'user' `
-Connector $Connector `
-LinkType 'Join' `
-SoftDeleteExpiryInterval 0 `
-ImmutableTag '' `
-OutVariable syncRule


Add-ADSyncAttributeFlowMapping  `
-SynchronizationRule $syncRule[0] `
-Source @('proxyAddresses','mailNickname') `
-Destination 'proxyAddresses' `
-FlowType 'Expression' `
-ValueMergeType 'MergeCaseInsensitive' `
-Expression "IIF(InStr([proxyAddresses],$NewProxy,1,vbTextCompare)=1,[proxyAddresses],""smtp:"" & [mailNickname] & ""@"" & $NewProxy)" `
-OutVariable syncRule


New-Object  `
-TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
-ArgumentList 'mailNickname','','ISNOTNULL' `
-OutVariable condition0


Add-ADSyncScopeConditionGroup  `
-SynchronizationRule $syncRule[0] `
-ScopeConditions @($condition0[0]) `
-OutVariable syncRule


Add-ADSyncRule  `
-SynchronizationRule $syncRule[0]


Get-ADSyncRule  `
-Identifier $Identifier

If your users are already in connector space, you’ll need to tickle them (so they appear as “changed and will get picked up by the AD Delta Import run) or run a Full Synchronization to trigger the rule to run.

You can also pick this up at my TechNet Gallery page.

 

Comments (8)

  1. richard says:

    Hi Aaron – I’m trying to achieve something similar, I hope you can help 🙂

    We’re currently using an expression in the outbound rule for proxyaddresses of: “SMTP:” & [givenName] & “.” & [sn] & “@mydomain1.com” (mydomain1 doesn’t exist in the source AD, this is a new domain for 365)

    I need to add a second proxyaddress and I thought I’d be able to use: “SMTP:” & [givenName] & “.” & [sn] & “@mydomain1.com” & “;smtp:” & [givenName] & “.” & [sn] & “@mydomain2.com

    But this fails and switches the primary emails back to the onmicrosoft.com one. I’m guessing this is because 365 is expecting a multi-part string rather than a single one?

    So when I came across your article, you used merge, I thought great!… but if I try and use my original rule with a merge rule, I get a sync error with . “Cannot flow attribute when the mappings contain both Merge and Replace rules to the same attribute”

    Any idea how I can get that second proxy address in?

    So I set up a second rule to

    1. So, it sounds like you have two rules acting on the proxyAddress attribute. If you’re adding a proxyAddress in this situation, I’d suggest writing it as an outbound sync rule to Active Directory (as opposed to AAD). That way, AAD is synchronous with what’s in AD, and, in the event that you rebuild/lose AAD, the objects that you sync to Office 365 will have all of the addresses you’re looking for.

      If you search a connector space for an object and then Preview he object (and Preview Synchronization), you should be able to see which rules are acting against a given attribute.

      1. Hi Aaron, many thanks for the reply. I did (after a lot of coffee!) actually find an alternate solution using the split function which does it for us, but I’ll certainly take a look at your recommendations on Monday.

        Split (“SMTP:” & [givenName] & “.” & [sn] & “@domain1.com*” & “smtp:” & [givenName] & “.” & [sn] & “@domain2.co.uk”,”*”)

        This enabled me to format the string into a multi-string value.

        Cheers. r 🙂

        1. That’s a creative use of Split. 🙂

          1. Yes it seems to do the job though! 🙂

            On another note, short of pestering you on your blog 🙂 – how do we get hold of people at MS that actually know & support AD Azure connect? – I waited 5 days to hear back from ms ‘cloud signature support’ that ‘this isn’t supported’. Do we need some kind of enterprise agreement?

          2. Premier should support it Premier does not support modifying default rules. I’m not familiar with people in the Signature Cloud Support offering, but if you have a particular question, I’ll be happy to try to help out. My email is first . last @ microsoft.com.

          3. richard says:

            Awesome many thanks for your help. I’ll certainly pester you next time I get stuck 🙂

Skip to main content