Remove an unwanted ProxyAddress pattern from users via AADConnect


I had an interesting request from a customer the other day: they were synchronizing Active Directory into two disparate environments, Office 365 and another hosted Exchange environment. In their new Office 365 environment, they didn’t want any proxy addresses matching a particular pattern to be part of a user’s proxyAddresses array, but they also didn’t want to remove them from their on-premises accounts, since the other hosting environment uses them as an application routing address.

Fortunately, AADConnect can do this for you. There are two ways to do it: through the Synchronization Rules Editor GUI or via PowerShell. I’ve provided a PowerShell script at the end that you can run, but we’ll go through the Synchronization Rules Editor way first.

Synchronization Rules Editor

  1. Launch the Synchronization Rules Editor.
  2. Depending on your version of the GUI, the “Inbound” and “Outbound” buttons may have moved, but in the current version, click the “Direction” dropdown, select “Outbound”, and then click “Add new rule.”
  3. On the Description tab, enter a name, a description, and a precedence (number value; lower numbers are higher precedence).
  4. In the Connected System drop-down, select your AAD connector.
  5. In the Connected System Object Type drop-down, select user.
  6. In the Metaverse Object Type drop-down, select person.
  7. In the Link Type drop-down, select Join.
  8. Click Next.
  9. On the Scoping Filter tab, click Next.
  10. On the Join Rules tab, select sourceAnchor from both the Source Attribute and Target Attribute columns.
  11. Click Next.
  12. On the Transformations tab, select Expression under the Flow Type drop-down, select proxyAddresses under the Target Attribute drop-down, and select Update under the Merge Type drop-down.
  13. Copy/paste the following into the Source text area, replacing testpattern with the value you want to replace:
  14. Click Save.


Copy and paste the following into your favorite text editor (Notepad, Notepad++) or ISE (Windows PowerShell ISE, PowerGUI, etc.) and save it as a .ps1. Run it with the -Pattern parameter to specify the value that you want to filter out and, optionally, the -Precedence parameter (a default of 90 is used if you omit it), or use the -LowestPrecedence switch to choose the first available lowest value.

```powershell
<#
.SYNOPSIS
Create a new AADConnect rule stripping out unwanted addresses.
#>
param (
    # Value to filter out of proxyAddresses
    [Parameter(Mandatory = $true)]
    [string]$Pattern,
    # Rule precedence; lower numbers are higher precedence
    [string]$Precedence = "90",
    # Use a precedence one below the lowest value currently in use
    [switch]$LowestPrecedence
)

Import-Module ADSync

If ($LowestPrecedence)
{
    [array]$AllRulesPrecedence = (Get-ADSyncRule).Precedence
    $Precedence = (($AllRulesPrecedence | Measure-Object -Minimum).Minimum) - 1
}

# Wrap the pattern in double quotes so it lands in the expression as a string literal
$RemovePattern = [scriptblock]::Create("`"$Pattern`"")
[string]$Identifier = [Guid]::NewGuid()
# Locate the Azure AD connector by its default "<tenant> - AAD" name
[string]$Connector = (Get-ADSyncConnector | Where-Object { $_.Name -like "* - AAD" }).Identifier.ToString()

# Build the outbound rule (person in the metaverse -> user in AAD)
New-ADSyncRule `
    -Name 'Out to AAD - User Strip Proxy' `
    -Identifier $Identifier `
    -Description 'Remove Proxy Addresses Pattern' `
    -Direction 'Outbound' `
    -Precedence $Precedence `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'person' `
    -TargetObjectType 'user' `
    -Connector $Connector `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule

# Flow proxyAddresses through the filtering expression
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @('proxyAddresses') `
    -Destination 'proxyAddresses' `
    -FlowType 'Expression' `
    -ValueMergeType 'Update' `
    -Expression "IIF(InStr([proxyAddresses],$RemovePattern,1,vbTextCompare)=0,[proxyAddresses],NULL)" `
    -OutVariable syncRule

# Join on sourceAnchor, as in step 10 of the GUI procedure
New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `
    -ArgumentList 'sourceAnchor','sourceAnchor',$false `
    -OutVariable condition0

Add-ADSyncJoinConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -JoinConditions @($condition0[0]) `
    -OutVariable syncRule

# Commit the rule to the sync engine and show the result
Add-ADSyncRule `
    -SynchronizationRule $syncRule[0]

Write-Host "New AD Sync Rule Created:"
Get-ADSyncRule `
    -Identifier $Identifier
```
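Before enabling the rule, it helps to preview which addresses a given pattern would strip, because the rule's InStr test is a case-insensitive substring match and can also catch a user's primary SMTP: address. The following is an added example, not part of the original script; it assumes the rule drops each proxyAddresses value that contains the pattern, and the function name Get-ProxyStripPreview and the sample users are constructed for illustration.

```powershell
# Added example: preview which proxyAddresses values a pattern would strip.
# Get-ProxyStripPreview is a hypothetical helper; the sample users are constructed.
function Get-ProxyStripPreview
{
    param (
        [Parameter(Mandatory = $true)][object[]]$User,
        [Parameter(Mandatory = $true)][string]$Pattern
    )
    foreach ($u in $User)
    {
        foreach ($address in @($u.proxyAddresses))
        {
            # Approximates InStr(...,vbTextCompare): case-insensitive substring
            # anywhere in the value, including the address-type prefix.
            if ($address.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0)
            {
                [pscustomobject]@{
                    User      = $u.SamAccountName
                    Address   = $address
                    # Uppercase "SMTP:" marks the primary address in Exchange.
                    IsPrimary = $address.StartsWith('SMTP:', [StringComparison]::Ordinal)
                }
            }
        }
    }
}

# Constructed sample data (runs offline). Against a real directory, use instead:
#   $users = Get-ADUser -LDAPFilter '(proxyAddresses=*)' -Properties proxyAddresses
$users = @(
    [pscustomobject]@{ SamAccountName = 'alice'; proxyAddresses = @(
        'SMTP:alice@contoso.example', 'smtp:alice@testpattern.contoso.example') },
    [pscustomobject]@{ SamAccountName = 'bob'; proxyAddresses = @(
        'SMTP:bob@TestPattern.contoso.example', 'smtp:bob@contoso.example') },
    [pscustomobject]@{ SamAccountName = 'carol'; proxyAddresses = @(
        'SMTP:carol@contoso.example') }
)

$preview = Get-ProxyStripPreview -User $users -Pattern 'testpattern'
$preview | Format-Table -AutoSize

# A primary address in the preview means the pattern is too broad for that
# user: the rule would also drop the primary address from the outbound flow.
$preview | Where-Object IsPrimary |
    ForEach-Object { Write-Warning "$($_.User): primary address $($_.Address) matches" }
```

If the preview flags a primary address, narrow the pattern (for example, to the full routing domain) before creating the rule.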

You can also download the script directly from the TechNet Gallery at

Reader Comments

  1. Hi Aaron. Excellent article. Are you able to share the syntax for removing more than one proxy address? In other words, instead of matching on just “testpattern”, it would look for a match with “testpattern” or “testpattern2”? I can’t seem to work this out.

    1. Did you try changing the value in the Expression to something like this:


  2. Gr8 Stuff.
    Any idea how I could use this approach for removing unwanted proxyaddresses for Distribution groups and contact objects?

    1. You’ll need separate rules. Replace ‘user’ and ‘person’ with ‘group’ in the PowerShell or by selecting them in steps 5 and 6. Repeat for contact.
