Remove an unwanted ProxyAddress pattern from users via AADConnect


I had an interesting request from a customer the other day where they were synchronizing Active Directory into two disparate environments–Office 365 and another hosted Exchange environment. In their new Office 365 environment, they didn’t want any proxy addresses matching a particular pattern to be part of a user’s proxyAddresses array–BUT–they also didn’t want to remove them from their on-premises accounts, since the other hosting environment uses them as an application routing address.

Fortunately, AADConnect can do this for you. There are two ways to do it: through the Synchronization Rules Editor GUI, or via PowerShell. I’ve provided a PowerShell script that you can run at the end, but we’ll go through the Synchronization Rules Editor way first.

Synchronization Rules Editor

  1. Launch the Synchronization Rules Editor.
  2. Depending on your version of the GUI, the “Inbound” and “Outbound” buttons may have moved, but in the current version, click the “Direction” dropdown, select “Outbound”, and then click “Add new rule.”
  3. On the Description tab, enter a name, a description, and a precedence (number value; lower numbers are higher precedence).
  4. In the Connected System drop-down, select your AAD connector.
  5. In the Connected System Object Type drop-down, select user.
  6. In the Metaverse Object Type drop-down, select person.
  7. In the Link Type drop-down, select Join.
  8. Click Next.
  9. On the Scoping Filter tab, click Next.
  10. On the Join Rules tab, select sourceAnchor from both the Source Attribute and Target Attribute columns.
  11. Click Next.
  12. On the Transformations tab, select Expression under the Flow Type drop-down, select proxyAddresses under the Target Attribute drop-down, and select Update under the Merge Type drop-down.
  13. Copy/paste the following expression into the Source text area (it is the same IIF/InStr expression the PowerShell script below builds), replacing testpattern with the value you want to strip:
  14. Click Save.
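Before saving the rule, it is worth previewing what the expression will do to a real proxyAddresses array. The following is an added example (not code from the original post): it builds the same expression string the script below uses, so you can paste it into the Source box, and it mimics the expression locally against a constructed sample. It assumes that InStr with vbTextCompare is a case-insensitive substring search, and that the sync engine evaluates the expression once per value of the multi-valued attribute, returning NULL to drop a value (which is how the post's rule works). The function names and the sample addresses are my own.

```powershell
# Added example: preview the effect of
#   IIF(InStr([proxyAddresses],"<pattern>",1,vbTextCompare)=0,[proxyAddresses],NULL)
# before deploying the rule. Function names and sample data are constructed.

function New-StripProxyExpression {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Pattern)
    # Same expression the post's script builds; paste this into the rule's Source box.
    "IIF(InStr([proxyAddresses],`"$Pattern`",1,vbTextCompare)=0,[proxyAddresses],NULL)"
}

function Test-StripProxyRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ProxyAddresses,
        [Parameter(Mandatory)][string]$Pattern
    )
    # Assumption: the engine applies the expression to each value; NULL drops that value.
    # InStr(...,1,vbTextCompare) = 0 means "pattern not found", so the value is kept.
    foreach ($address in $ProxyAddresses) {
        $keep = $address.IndexOf($Pattern, [System.StringComparison]::OrdinalIgnoreCase) -lt 0
        [pscustomobject]@{
            Address = $address
            Result  = $(if ($keep) { 'kept (flows to AAD)' } else { 'stripped (NULL)' })
        }
    }
}

# Constructed sample proxyAddresses (not real accounts).
$sample = @(
    'SMTP:jane.doe@contoso.com',
    'smtp:jane.doe@contoso.onmicrosoft.com',
    'smtp:jane.doe@testpattern.hosted.example',
    'X500:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=jane'
)

New-StripProxyExpression -Pattern 'testpattern'
$result = Test-StripProxyRule -ProxyAddresses $sample -Pattern 'testpattern'
$result | Format-Table -AutoSize

# Check: the primary SMTP: address must survive. A pattern that matches it would
# leave the cloud object without a primary address, so narrow the pattern first.
if (-not ($result | Where-Object { $_.Address -clike 'SMTP:*' -and $_.Result -like 'kept*' })) {
    Write-Warning 'Pattern would strip the primary SMTP address; do not deploy this rule as-is.'
}
```

Run it on the AADConnect server or any workstation; it does not touch the sync engine. If the table shows an address being stripped that you expected to keep (or vice versa), adjust the pattern before creating the rule, because a misbehaving outbound rule is applied to every in-scope user on the next sync cycle.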


Copy and paste the following into your favorite text editor (Notepad, Notepad++) or ISE (Windows PowerShell ISE, PowerGUI, etc.), save it as a .ps1, and then run it with the -Pattern parameter to specify the value that you want to filter out. Optionally, pass -Precedence (the default of 90 is used otherwise), or use the -LowestPrecedence switch to take one less than the lowest precedence value currently in use (lower numbers are higher precedence).

<#
    Create a new AADConnect rule stripping out unwanted addresses.
    Usage: .\<script>.ps1 -Pattern testpattern [-Precedence 90 | -LowestPrecedence]
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory = $true)]
    [string]$Pattern,
    [string]$Precedence = "90",
    [Alias("Lowest")]
    [switch]$LowestPrecedence
)

Import-Module ADSync -ErrorAction Stop

# Lower precedence numbers win, so take one below the lowest rule currently defined.
If ($LowestPrecedence)
{
    [array]$AllRulesPrecedence = (Get-ADSyncRule).Precedence
    $Precedence = (($AllRulesPrecedence | Measure-Object -Minimum).Minimum - 1)
}

# Wrap the pattern in double quotes so it lands in the expression as a string literal.
$RemovePattern = "`"$Pattern`""
[string]$Identifier = [Guid]::NewGuid()
# The rule is bound to the AAD connector by its identifier; the connector name ends in " - AAD".
[string]$Connector = (Get-ADSyncConnector | Where-Object { $_.Name -like "* - AAD" }).Identifier.ToString()

# Outbound rule: metaverse person -> AAD user, joined on sourceAnchor.
New-ADSyncRule  `
-Name 'Out to AAD - User Strip Proxy' `
-Identifier $Identifier `
-Description 'Remove Proxy Addresses Pattern' `
-Direction 'Outbound' `
-Precedence $Precedence `
-PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
-PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
-SourceObjectType 'person' `
-TargetObjectType 'user' `
-Connector $Connector `
-LinkType 'Join' `
-SoftDeleteExpiryInterval 0 `
-ImmutableTag '' `
-OutVariable syncRule

# Expression flow: each proxyAddresses value that does not contain the pattern is kept,
# any value that does is replaced with NULL (dropped) on the way to AAD.
Add-ADSyncAttributeFlowMapping  `
-SynchronizationRule $syncRule[0] `
-Source @('proxyAddresses') `
-Destination 'proxyAddresses' `
-FlowType 'Expression' `
-ValueMergeType 'Update' `
-Expression "IIF(InStr([proxyAddresses],$RemovePattern,1,vbTextCompare)=0,[proxyAddresses],NULL)" `
-OutVariable syncRule

# Join condition: sourceAnchor on both sides (steps 10-11 in the GUI walkthrough).
New-Object  `
-TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `
-ArgumentList 'sourceAnchor','sourceAnchor',$false `
-OutVariable condition0
Add-ADSyncJoinConditionGroup  `
-SynchronizationRule $syncRule[0] `
-JoinConditions @($condition0[0]) `
-OutVariable syncRule

# Commit the rule to the sync engine and echo it back for verification.
Add-ADSyncRule  `
-SynchronizationRule $syncRule[0]
Write-Host "New AD Sync Rule Created:"
Get-ADSyncRule  `
-Identifier $Identifier

You can also download the script directly from the TechNet Gallery at

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

Reader Comments

  1. I came up with a workaround whereby I filtered one of the email domains from being synced in from AD to the metaverse and filtered the other one from being synced from the metaverse to Azure AD.

  2. Hi Aaron. Excellent article. Are you able to share the syntax for removing more than one proxy address? In other words, instead of matching on just “testpattern”, it would look for a match with “testpattern” or “testpattern2”? I can’t seem to work this out.

    1. Did you try changing the value in the Expression to something like this:


      1. Hi Aaron,

        Trying out this expression for 2 proxy addresses and getting an error in the evaluation of the expression

        “SyncRulesEnginenot availablenot available
        Error in evaluation of expression”

        From my research, I think the InStr only supports a single lookup?
        The number 1 in front of vbTextCompare tells it that it’s looking at Text rather than Binary?

        Have you got this to work?


    1. You’ll need separate rules. Replace ‘user’ and ‘person’ with ‘group’ in the PowerShell or by selecting them in steps 5 and 6. Repeat for contact.
