Use AADConnect to add a Proxy Address

*UPDATE* After doing this originally, I decided to take a different route and write it back to the on-premises AD so that the objects are synchronous. This post now reflects the updated content.

A few weeks ago, I had an issue where I needed to remove a proxy address from the proxyAddresses array of a user being synchronized to Office 365.  This week, I have exactly the *opposite* requirement (for the same customer, no less)--add a proxy address for users that aren't already stamped.

Fortunately, AADConnect can also do this for you.  As with most things these days, there are two ways to skin the cat (both through the GUI and via PowerShell).  I've provided a PowerShell script that you can run at the end, but we'll go through the Synchronization Rules Editor way first.

Synchronization Rules Editor

  1. Launch the Synchronization Rules Editor.

  2. Depending on your version of the GUI, the "Inbound" and "Outbound" controls may have moved. Find the "Direction" selector, choose Outbound, and then click "Add new rule."

  3. On the Description tab, enter a name, a description, and a precedence (number value; lower numbers are higher precedence).

  4. In the Connected System drop-down, select your AD connector.

  5. In the Connected System Object Type drop-down, select user.

  6. In the Metaverse Object Type drop-down, select person.

  7. In the Link Type drop-down, select Join.

  8. Click Next.

  9. On the Scoping Filter tab, click Add Group, and then click Add Clause.

  10. Under Attribute, select mailNickname.

  11. Under Operator, select ISNOTNULL.

  12. Click Next.

  13. On the Transformations tab, select Expression under the Flow Type drop-down, select proxyAddresses under the Target Attribute drop-down, and select Merge under the Merge Type drop-down.

  14. Copy/paste the following into the Source text area, replacing newproxyaddressdomain.com with the value you want to add:

     IIF(InStr([proxyAddresses],"newproxyaddressdomain.com",1,vbTextCompare)=1,[proxyAddresses],"smtp:" & [mailNickname] & "@newproxyaddressdomain.com")
    
  15. Click Save.

PowerShell

Copy and paste the following into your favorite text editor (Notepad, Notepad++) or ISE (Windows PowerShell ISE, PowerGUI, etc.), save it as a .ps1 file, and then run it with the -NewProxyAddressDomain parameter to specify the domain that you want to add and (optionally) the -Precedence parameter (or use the -LowestPrecedence switch to automatically select the lowest available precedence).

<#
Create a new AADConnect rule to add a new proxy address.
#>
param(
    [switch]$LowestPrecedence,
    [string]$NewProxyAddressDomain,
    [string]$Precedence = "90"
    )
# Wrap the domain in double quotes so it becomes a string literal inside the rule expression
$NewProxy = [scriptblock]::Create("`"$NewProxyAddressDomain`"")
[string]$Identifier = [Guid]::NewGuid().ToString()
# Identifier of the on-premises AD connector the rule is attached to
[string]$Connector = (Get-ADSyncConnector | ? { $_.ConnectorTypeName -eq "AD" }).Identifier.ToString()
# -LowestPrecedence: use a value one below the lowest precedence currently in use
If ($LowestPrecedence)
    {
    [array]$AllRulesPrecedence = (Get-ADSyncRule).Precedence
    $Precedence = (($AllRulesPrecedence | Measure-Object -Minimum).Minimum -1)
    }
New-ADSyncRule  `
-Name 'Out to AD - Add Proxy Address' `
-Identifier $Identifier `
-Description '' `
-Direction 'Outbound' `
-Precedence $Precedence `
-PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
-PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
-SourceObjectType 'person' `
-TargetObjectType 'user' `
-Connector $Connector `
-LinkType 'Join' `
-SoftDeleteExpiryInterval 0 `
-ImmutableTag '' `
-OutVariable syncRule


Add-ADSyncAttributeFlowMapping  `
-SynchronizationRule $syncRule[0] `
-Source @('proxyAddresses','mailNickname') `
-Destination 'proxyAddresses' `
-FlowType 'Expression' `
-ValueMergeType 'MergeCaseInsensitive' `
-Expression "IIF(InStr([proxyAddresses],$NewProxy,1,vbTextCompare)=1,[proxyAddresses],""smtp:"" & [mailNickname] & ""@"" & $NewProxy)" `
-OutVariable syncRule


New-Object  `
-TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
-ArgumentList 'mailNickname','','ISNOTNULL' `
-OutVariable condition0


Add-ADSyncScopeConditionGroup  `
-SynchronizationRule $syncRule[0] `
-ScopeConditions @($condition0[0]) `
-OutVariable syncRule


Add-ADSyncRule  `
-SynchronizationRule $syncRule[0]


Get-ADSyncRule  `
-Identifier $Identifier

If your users are already in connector space, you'll need to tickle them (so they appear as "changed" and will get picked up by the AD Delta Import run) or run a Full Synchronization to trigger the rule to run.
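
Because the rule writes to on-premises AD, it is worth previewing what it would stamp before triggering that synchronization. The following is an added example, not part of the original script: `Test-ProxyDomain` and `Get-ProxyAddressPreview` are hypothetical helper names, the user records are constructed, and "already stamped" is approximated as "some existing address ends in @domain", which models the rule's intent rather than the sync engine's own evaluation.

```powershell
# Added example. All sample users below are constructed test data.
function Test-ProxyDomain {
    param([string]$Domain)
    # Plain DNS name only: no quotes, brackets or spaces that could change the
    # expression the rule script builds by string concatenation.
    return $Domain -match '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

function Get-ProxyAddressPreview {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][string]$NewProxyAddressDomain
    )
    if (-not (Test-ProxyDomain $NewProxyAddressDomain)) {
        throw "'$NewProxyAddressDomain' is not a plain DNS name; refusing to continue."
    }
    # Map every address already in use (lower-cased) to the account that holds it.
    $inUse = @{}
    foreach ($u in $Users) {
        foreach ($a in $u.proxyAddresses) { $inUse[$a.ToLowerInvariant()] = $u.sAMAccountName }
    }
    $proposed = @{}   # addresses this preview would hand out, keyed the same way
    foreach ($u in $Users) {
        # Same scope as the rule: mailNickname must be populated.
        if ([string]::IsNullOrEmpty($u.mailNickname)) { continue }
        $candidate = ('smtp:{0}@{1}' -f $u.mailNickname, $NewProxyAddressDomain).ToLowerInvariant()
        $stamped = @($u.proxyAddresses | Where-Object { $_ -like "*@$NewProxyAddressDomain" })
        $owner = if ($inUse.ContainsKey($candidate)) { $inUse[$candidate] } else { $proposed[$candidate] }
        if ($stamped.Count -gt 0) { $action = 'AlreadyStamped' }
        elseif ($owner -and $owner -ne $u.sAMAccountName) { $action = 'Conflict' }
        else { $action = 'Add'; $proposed[$candidate] = $u.sAMAccountName }
        [pscustomobject]@{
            User = $u.sAMAccountName; Action = $action; Address = $candidate
            ConflictsWith = if ($action -eq 'Conflict') { $owner } else { $null }
        }
    }
}

# Constructed sample: one clean user, one already stamped, one duplicate alias, one out of scope.
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'akim';  mailNickname = 'akim';  proxyAddresses = @('SMTP:akim@contoso.example') }
    [pscustomobject]@{ sAMAccountName = 'bross'; mailNickname = 'bross'; proxyAddresses = @('SMTP:bross@contoso.example', 'smtp:bross@newproxyaddressdomain.com') }
    [pscustomobject]@{ sAMAccountName = 'akim2'; mailNickname = 'akim';  proxyAddresses = @('SMTP:a.kim@contoso.example') }
    [pscustomobject]@{ sAMAccountName = 'svc01'; mailNickname = $null;   proxyAddresses = @() }
)
Get-ProxyAddressPreview -Users $sample -NewProxyAddressDomain 'newproxyaddressdomain.com' | Format-Table -AutoSize
```

To preview against real data, replace `$sample` with the output of `Get-ADUser -Filter * -Properties mailNickname,proxyAddresses` and resolve any `Conflict` rows before the rule runs.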

You can also pick this up at my TechNet Gallery page.