I had an interesting request from a customer the other day: they were synchronizing Active Directory into two disparate environments, Office 365 and another hosted Exchange environment. In their new Office 365 environment, they didn’t want any proxy addresses matching a particular pattern to be part of a user’s proxyAddresses array, but they also didn’t want to remove them from their on-premises accounts, since their other hosting environment uses them as application routing addresses.

Fortunately, AADConnect can do this for you. There are two ways to do it (through the GUI and via PowerShell). I’ve provided a PowerShell script that you can run at the end, but we’ll go through the Synchronization Rules Editor way first.

#### Synchronization Rules Editor

1. Launch the Synchronization Rules Editor.
2. Depending on your version of the GUI, the “Inbound” and “Outbound” buttons may have moved, but in the current version, click the “Direction” dropdown, select “Outbound”, and then click “Add new rule.”
3. On the Description tab, enter a name, a description, and a precedence (number value; lower numbers are higher precedence).
5. In the Connected System Object Type drop-down, select user.
6. In the Metaverse Object Type drop-down, select person.
7. In the Link Type drop-down, select Join.
8. Click Next.
9. On the Scoping Filter tab, click Next.
10. On the Join Rules tab, select sourceAnchor from both the Source Attribute and Target Attribute columns.
11. Click Next.
12. On the Transformations tab, select Expression under the Flow Type drop-down, select proxyAddresses under the Target Attribute drop-down, and select Update under the Merge Type drop-down.
13. Copy/paste the following into the Source text area, replacing testpattern with the value you want to filter out:

    ```
    IIF(InStr([proxyAddresses],"testpattern",1,vbTextCompare)=0,[proxyAddresses],NULL)
    ```
14. Click Save.

#### PowerShell

Copy and paste the following into your favorite text editor (Notepad, Notepad++) or ISE (Windows PowerShell ISE, PowerGUI, etc.), save it as a .ps1, and run it with the -Pattern parameter to specify the value you want to filter out. Optionally add the -Precedence parameter (90 is used by default) or the -LowestPrecedence switch to pick the next free value below the lowest existing rule precedence.

```powershell
<#
.SYNOPSIS
Creates an outbound AAD Connect rule that strips proxyAddresses values matching -Pattern
from the cloud copy of user objects, leaving the on-premises attribute untouched.
#>
param(
    [string]$Pattern,
    [switch]$LowestPrecedence,
    [int]$Precedence = 90
)

If ($LowestPrecedence)
{
    # Use the next free value below the lowest precedence of any existing rule
    [array]$AllRulesPrecedence = (Get-ADSyncRule).Precedence
    $Precedence = (($AllRulesPrecedence | Measure-Object -Minimum).Minimum - 1)
}

# The sync rule expression needs the pattern as a double-quoted string literal
$RemovePattern = "`"$Pattern`""
[string]$Identifier = [Guid]::NewGuid()
[string]$Connector = (Get-ADSyncConnector | ? {$_.Name -like "* - AAD"}).Identifier.ToString()

# Rule shell: outbound to the AAD connector, joined on sourceAnchor
New-ADSyncRule -Name 'Out to AAD - User Strip Proxy' -Identifier $Identifier `
    -Description 'Remove Proxy Addresses Pattern' -Direction 'Outbound' -Precedence $Precedence `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'person' -TargetObjectType 'user' -Connector $Connector -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 -ImmutableTag '' -OutVariable syncRule

# Attribute flow: keep each proxyAddresses value only if the pattern is not found in it
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] -Destination 'proxyAddresses' `
    -FlowType 'Expression' -ValueMergeType 'Update' `
    -Expression "IIF(InStr([proxyAddresses],$RemovePattern,1,vbTextCompare)=0,[proxyAddresses],NULL)" `
    -OutVariable syncRule

# Join condition: sourceAnchor to sourceAnchor (same as the GUI Join Rules tab)
New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `
    -ArgumentList 'sourceAnchor','sourceAnchor',$false -OutVariable condition0

Add-ADSyncJoinConditionGroup -SynchronizationRule $syncRule[0] -JoinConditions @($condition0[0]) `
    -OutVariable syncRule

Add-ADSyncRule -SynchronizationRule $syncRule[0]

Write-Host "New AD Sync Rule Created:"
Get-ADSyncRule -Identifier $Identifier
```
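Before a rule like this goes live, it is worth previewing which addresses the expression would actually drop. The script below is an added example and is not part of the original post or of the ADSync module: it reproduces the rule's InStr(...,1,vbTextCompare)=0 test locally as a case-insensitive substring match, generalizes it to several patterns at once, and flags any user whose primary (uppercase SMTP:) address would disappear from the cloud copy. The user objects are constructed sample data; the -Pattern parameter name follows the script above, and the Get-ADUser call mentioned in the comment is the assumed source in a real directory.

```powershell
# Added example (not from the original post): preview which proxyAddresses values an
# outbound rule built on InStr([proxyAddresses],"<pattern>",1,vbTextCompare)=0 would drop
# from the cloud copy, before the rule is created. vbTextCompare is case-insensitive, so
# the local check uses an OrdinalIgnoreCase substring test. Accepts several patterns.
param(
    [string[]]$Pattern = @('testpattern')
)

function Test-ProxyMatchesPattern {
    param([string]$Address, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        # InStr(...) = 0 in the rule means "not found"; IndexOf returns -1 for that case
        if ($Address.IndexOf($p, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

function Get-ProxyStripPreview {
    param([object[]]$Users, [string[]]$Patterns)
    foreach ($u in $Users) {
        $keep = @()
        $drop = @()
        foreach ($addr in @($u.proxyAddresses)) {
            if (Test-ProxyMatchesPattern -Address $addr -Patterns $Patterns) { $drop += $addr }
            else { $keep += $addr }
        }
        # An uppercase "SMTP:" prefix marks the primary address; losing it in the cloud
        # copy is usually unintended and worth catching before the rule is applied.
        $primaryStripped = [bool]($drop | Where-Object { $_ -cmatch '^SMTP:' })
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            OnPremAddresses   = ($u.proxyAddresses -join ';')
            CloudAddresses    = ($keep -join ';')
            StrippedAddresses = ($drop -join ';')
            PrimaryStripped   = $primaryStripped
        }
    }
}

# Constructed sample users; against a real directory, replace with
# Get-ADUser -Filter * -Properties SamAccountName,proxyAddresses
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'
        proxyAddresses = @('SMTP:jdoe@contoso.com', 'smtp:jdoe@testpattern.contoso.com') }
    [pscustomobject]@{ SamAccountName = 'asmith'
        proxyAddresses = @('SMTP:asmith@TestPattern.contoso.com', 'smtp:asmith@contoso.com') }
    [pscustomobject]@{ SamAccountName = 'bwong'
        proxyAddresses = @('SMTP:bwong@contoso.com', 'smtp:bwong@fabrikam.com') }
)

Get-ProxyStripPreview -Users $sampleUsers -Patterns $Pattern | Format-Table -AutoSize
```

Running it with the constructed data shows jdoe losing only the secondary address, asmith flagged with PrimaryStripped set to True because the pattern appears in the primary SMTP address (case-insensitively, as vbTextCompare would match it), and bwong untouched. The on-premises column never changes, which is the whole point of filtering in the outbound rule rather than editing the directory.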


1. Graham says:

I came up with a workaround whereby I filtered one of the email domains from being synced in from AD to the metaverse and filtered the other one from being synced from the metaverse to Azure AD.

2. Alexei Segundo says:

Hi Aaron. Excellent article. Are you able to share the syntax for removing more than one proxy address? In other words, instead of matching on just “testpattern”, it would look for a match with “testpattern” or “testpattern2”? I can’t seem to work this out.

1. Aaron Guilmette says:

Did you try changing the value in the Expression to something like this:

1. Graham says:

Hi Aaron,

Trying out this expression for 2 proxy addresses and getting an error in the evaluation of the expression

“SyncRulesEnginenot availablenot available
Error in evaluation of expression”

From my research, I think InStr only supports a single lookup?
The number 1 in front of vbTextCompare tells it that it’s looking at Text rather than Binary?

https://docs.microsoft.com/en-us/dotnet/api/microsoft.visualbasic.strings.instr?view=netframework-4.8#Microsoft_VisualBasic_Strings_InStr_System_String_System_String_Microsoft_VisualBasic_CompareMethod_

Have you got this to work?

Cheers,

3. Bose Jose says:

Gr8 Stuff.
Any idea how I could use this approach for removing unwanted proxyAddresses for distribution groups and contact objects?

1. Aaron Guilmette says:

You’ll need separate rules. Replace ‘user’ and ‘person’ with ‘group’ in the PowerShell or by selecting them in steps 5 and 6. Repeat for contact.
