

Remove an unwanted ProxyAddress pattern from users via AADConnect

I had an interesting request from a customer the other day: they were synchronizing Active Directory into two disparate environments, Office 365 and another hosted Exchange environment.  In their new Office 365 environment, they didn't want any proxy addresses matching a particular pattern to be part of a user's proxyAddresses array, but they also didn't want to remove those addresses from their on-premises accounts, since the other hosting environment uses them as application routing addresses.

Fortunately, AADConnect can do this for you.  There are two ways to do it (both through the GUI and via PowerShell).  I've provided a PowerShell script that you can run at the end, but we'll go through the Synchronization Rules Editor way first.

Synchronization Rules Editor

  1. Launch the Synchronization Rules Editor.

  2. Depending on your version of the GUI, the "Inbound" and "Outbound" buttons may have moved, but in the current version, click the "Direction" dropdown, select "Outbound", and then click "Add new rule."

  3. On the Description tab, enter a name, a description, and a precedence (number value; lower numbers are higher precedence).

  4. In the Connected System drop-down, select your AAD connector.

  5. In the Connected System Object Type drop-down, select user.

  6. In the Metaverse Object Type drop-down, select person.

  7. In the Link Type drop-down, select Join.

  8. Click Next.

  9. On the Scoping Filter tab, click Next.

  10. On the Join Rules tab, select sourceAnchor from both the Source Attribute and Target Attribute columns.

  11. Click Next.

  12. On the Transformations tab, select Expression under the Flow Type drop-down, select proxyAddresses under the Target Attribute drop-down, and select Update under the Merge Type drop-down.

  13. Copy/paste the following into the Source text area, replacing testpattern with the value you want to replace:

     IIF(InStr([proxyAddresses],"testpattern",1,vbTextCompare)=0,[proxyAddresses],NULL)
    
  14. Click Save.

PowerShell

Copy and paste the following into your favorite text editor (Notepad, Notepad++) or ISE (Windows PowerShell ISE, PowerGUI, etc.), save it as a .ps1 file, and then run it with the -Pattern parameter to specify the value that you want to filter out.  Optionally, pass the -Precedence parameter (the default of 90 is used otherwise) or use the -LowestPrecedence switch to assign a precedence one below the lowest number currently in use, which makes it the highest-precedence rule.

<#
Create a new AADConnect outbound rule that strips proxy addresses matching -Pattern
from the user object flowed to Azure AD. The on-premises attribute is not modified.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Pattern,
    [switch]$LowestPrecedence,
    [int]$Precedence = 90
    )
If ($LowestPrecedence)
    {
    # Lower numbers win, so take one below the lowest precedence currently in use
    [array]$AllRulesPrecedence = (Get-ADSyncRule).Precedence
    $Precedence = ($AllRulesPrecedence | Measure-Object -Minimum).Minimum - 1
    }
# Wrap the pattern in double quotes so it becomes a string literal inside the rule expression
$RemovePattern = "`"$Pattern`""
[string]$Identifier = [Guid]::NewGuid()
# Locate the Azure AD connector; its name ends in " - AAD"
[string]$Connector = (Get-ADSyncConnector | Where-Object { $_.Name -like "* - AAD" }).Identifier.ToString()
# Outbound rule: metaverse person -> AAD user, joined on sourceAnchor (steps 3-7 in the GUI)
New-ADSyncRule  `
-Name 'Out to AAD - User Strip Proxy' `
-Identifier $Identifier `
-Description 'Remove Proxy Addresses Pattern' `
-Direction 'Outbound' `
-Precedence $Precedence `
-PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
-PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
-SourceObjectType 'person' `
-TargetObjectType 'user' `
-Connector $Connector `
-LinkType 'Join' `
-SoftDeleteExpiryInterval 0 `
-ImmutableTag '' `
-OutVariable syncRule
# Attribute flow (step 12/13): keep each proxyAddresses value only when the pattern is not found in it
Add-ADSyncAttributeFlowMapping  `
-SynchronizationRule $syncRule[0] `
-Source @('proxyAddresses') `
-Destination 'proxyAddresses' `
-FlowType 'Expression' `
-ValueMergeType 'Update' `
-Expression "IIF(InStr([proxyAddresses],$RemovePattern,1,vbTextCompare)=0,[proxyAddresses],NULL)" `
-OutVariable syncRule
# Join rule (step 10): sourceAnchor on both sides
New-Object  `
-TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `
-ArgumentList 'sourceAnchor','sourceAnchor',$false `
-OutVariable condition0
Add-ADSyncJoinConditionGroup  `
-SynchronizationRule $syncRule[0] `
-JoinConditions @($condition0[0]) `
-OutVariable syncRule
# Commit the assembled rule to the sync engine
Add-ADSyncRule  `
-SynchronizationRule $syncRule[0]
Write-Host "New AD Sync Rule Created:"
Get-ADSyncRule  `
-Identifier $Identifier

You can also download the script directly from the TechNet Gallery at https://gallery.technet.microsoft.com/AADConnect-Rule-to-Remove-a922e82a.

Comments

  • Anonymous
    June 21, 2016
    Great stuff. Thanks
  • Anonymous
    December 18, 2017
    Gr8 Stuff. Any idea how I could use this approach for removing unwanted proxyaddresses for Distribution groups and contact objects?
    • Anonymous
      January 02, 2018
      You'll need separate rules. Replace 'user' and 'person' with 'group' in the PowerShell or by selecting them in steps 5 and 6. Repeat for contact.
  • Anonymous
    January 16, 2018
    Hi Aaron. Excellent article. Are you able to share the syntax for removing more than one proxy address? In other words, instead of matching on just "testpattern", it would look for a match with "testpattern" or "testpattern2"? I can't seem to work this out.
    • Anonymous
      January 17, 2018
      Did you try changing the value in the Expression to something like this: IIF(InStr([proxyAddresses],"testpattern"||"testpattern2",1,vbTextCompare)=0,[proxyAddresses],NULL)
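The following is an added example, not code from the original article, the TechNet Gallery script, or AADConnect itself. It serves two spots on this page: the IIF/InStr expression from step 13, and the question in the comments about filtering more than one pattern. It builds the rule's Source expression for one or several patterns and emulates the expression locally against a constructed proxyAddresses array, so you can preview which values would be stripped before creating the rule. Assumptions: InStr with vbTextCompare is a case-insensitive substring test, AADConnect evaluates the expression once per value of the multi-valued attribute (which is what the article's rule relies on), the AADConnect expression language's logical && operator is used to combine several InStr tests, and the function names, sample addresses, and the pattern strings are all made up for the example.

```powershell
# Added example, not part of the original article or of AADConnect.
# Assumes: InStr(...,1,vbTextCompare) is a case-insensitive substring test, the sync
# engine evaluates the expression per value of proxyAddresses, and && is the
# expression language's logical AND. Sample addresses and patterns are constructed.

function New-StripProxyExpression {
    # Builds the Source expression for one or more patterns. A value is kept only when
    # every InStr test returns 0 (no match), so the tests are joined with &&.
    param([Parameter(Mandatory = $true)][string[]]$Pattern)
    $tests = foreach ($p in $Pattern) {
        # The pattern is embedded as a string literal; a double quote would break it
        if ($p -match '"') { throw "Pattern must not contain a double quote: $p" }
        "InStr([proxyAddresses],`"$p`",1,vbTextCompare)=0"
    }
    return "IIF($($tests -join ' && '),[proxyAddresses],NULL)"
}

function Test-ProxyAddressFilter {
    # Applies the same per-value substring test locally and reports what survives.
    param(
        [Parameter(Mandatory = $true)][string[]]$ProxyAddresses,
        [Parameter(Mandatory = $true)][string[]]$Pattern
    )
    $keep = [System.Collections.Generic.List[string]]::new()
    $drop = [System.Collections.Generic.List[string]]::new()
    foreach ($address in $ProxyAddresses) {
        $matched = $false
        foreach ($p in $Pattern) {
            # OrdinalIgnoreCase mirrors vbTextCompare: case-insensitive, anywhere in the value
            if ($address.IndexOf($p, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $matched = $true
                break
            }
        }
        if ($matched) { $drop.Add($address) } else { $keep.Add($address) }
    }
    return [pscustomobject]@{ Kept = $keep.ToArray(); Removed = $drop.ToArray() }
}

# Constructed sample: one on-premises user's proxyAddresses as the sync engine would read them
$sample = @(
    'SMTP:jane.doe@contoso.com',
    'smtp:jane.doe@contoso.onmicrosoft.com',
    'smtp:jdoe@hosted-exchange.example',      # routing address used by the other host
    'smtp:jdoe@legacy.example',               # a second address family to filter
    'X500:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=jdoe'
)

# Single pattern, as in step 13 of the article
$single = Test-ProxyAddressFilter -ProxyAddresses $sample -Pattern 'hosted-exchange.example'
"Expression: " + (New-StripProxyExpression -Pattern 'hosted-exchange.example')
"Kept:    $($single.Kept -join ', ')"
"Removed: $($single.Removed -join ', ')"     # only smtp:jdoe@hosted-exchange.example

# Two patterns, as asked in the comments: every InStr test must be 0 for a value to survive
$multi = Test-ProxyAddressFilter -ProxyAddresses $sample -Pattern 'hosted-exchange.example','legacy.example'
"Expression: " + (New-StripProxyExpression -Pattern 'hosted-exchange.example','legacy.example')
"Removed: $($multi.Removed -join ', ')"      # both the hosted-exchange and legacy addresses
```

Because InStr is a plain substring test over the whole value, a short pattern such as a bare company name would also match the SMTP primary address and the X500 legacy DN, and the Update merge type would then drop those from the Azure AD object as well. Running the emulation over a few real exported proxyAddresses arrays before saving the rule is a cheap way to confirm the pattern removes only the routing addresses you intend.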