Call4Cloud

Azure AD Connect: Escape to Proxy Addresses

This blog will be about some stuff you need to beware of when you are setting up Azure AD Connect. It’s a topic I haven’t written a lot about but after a discussion with a colleague, I decided I needed to write a blog about it. To give you a small hint: proxyAddresses

I will divide this blog into multiple parts.

  1. Introduction
  2. Preparation
  3. proxyAddresses
  4. Azure AD Connect and the Attributes
  5. PowerShell Scripts

1. Introduction

As always I need to explain the situation a little bit to get it all clear about what we were trying to accomplish.

Some time ago we were called in to do an assessment of a new customer. While doing this assessment we noticed that luckily this customer was already using Exchange Online.

In the past, their Data and Exchange environments were scattered around different locations with no connection between them. The company devices to migrate all of their exchange environments to Exchange Online first. After a while, they also moved their data and legacy apps to a centralized cloud environment.

The customer is also still bound to some legacy apps they still can’t get rid of. Migrating to a cloud-only solution with multiple legacy apps could cost you some more time. Of course, they have an option to go Hybrid but that’s not something I prefer. If anyone is interested, In the past I wrote a huge blog about how you could transform your organization to Full Cloud without the need for Hybrid and still could get SSO to your on-premises legacy apps

To get this SSO working you could use Azure AD Connect. There are numerous other solutions that you can use to achieve this, but roughly 98% of organizations synchronizing objects and their attributes from Active Directory to Azure AD use Azure AD Connect. I guess we can all guess what was missing: Azure AD Connect.

Our first advice was to install Azure AD Connect, to get rid of the evil password prompt issues with Teams. Of course, it’s also a good place to start when you want to migrate to AADJ in the near future!

2. Preparation

Before installing Azure AD Connect, we always need to do some preparation because you don’t want to end up with some weird issues. Luckily Microsoft has already written some nice documentation about the prerequisites and how to start the installation.

Azure AD Connect: Prerequisites and hardware | Microsoft Docs

I am afraid to say so but this blog isn’t going to show you a “Step By Step” guide on how to install Azure AD connect because a lot of other people have already explained this but still I want to point out some stuff and no, not the ImmutableID

Before I am going to show you the issue, I want to show you the IDFix tool.

This wonderful tool will help you to fix some possible attribute errors you could run into. As shown above, it could help you out fixing some duplicate mail attribute errors but what about the proxyAddresses?

When installing Azure AD Connect with an existing Exchange Online/ Azure AD environment you could end up with some challenges and one of them could be the proxyAddresses Attribute

3. proxyAddresses

Looking at the proxyAddresses attribute it’s best described as an attribute in the Active Directory. It could contain multiple values defining the primary SMTP address and possible additional SMTP addresses. Besides the SMTP address, this attribute could also contain X500 addresses, SIP addresses, etc.

Looking at the picture above, you will notice SMTP with capital and non-capital characters. Let me explain them first

SMTP:user@domain.com  –> Primary SMTP address

smtp:user@domain.com –> Additional/Secondary SMTP address

When comparing the proxyAddresses to the mail attribute, you will immediately spot the difference!

As shown above, the mail attribute can only contain one mail address and no additional mail addresses. So if you had a nice Exchange Environment, the proxyAddresses attribute will be filled with your additional email addresses.

4. Azure AD Connect and the Attributes

We made sure we followed all nice step-by-step guides to set up Azure AD Connect. Those step-by-step guides will tell you, you will need to check if the user’s UPN matches the Microsoft 365 username and will tell you to run the IDFix tool. After running the IDFix tool and fixing some other errors we still needed to make sure some other important attributes were configured correctly and you can guess which attribute.

Before we started we also made sure we created a full export of the Azure AD users and all of their attributes to manually compare them to the export we did from the Active Directory.

When opening both of the CSV exports we immediately noticed the fact that the proxyAddresses attribute on the Active Directory was missing for like 75% when comparing it with Azure AD.

I guess we have some work to do, because when using Azure AD Connect you need to make sure there aren’t any duplicate proxyAddresses attributes configured and you also need to make sure the proxyAddresses that are configured, will match the email addresses configured in Azure AD.

Because normally all attributes (so that means also the proxyAddresses attribute) in Azure AD will be overwritten with a value from the Active Directory when Azure AD Connect is configured. Of course, on every rule, there is an exception! When an Active Directory attribute is “Not Configured” or has a NULL value the attribute in Azure AD will NOT be overwritten!

Let me explain with a picture to get it a little more obvious clear.

*When we have an Active Directory user with a mail attribute: rudy@wvdcloud.nl and a not configured proxyAddresses attribute the additional email addresses in Azure AD will not be overwritten. When the Azure AD user has an additional email address: info@wvdcloud.nl, that email address will still be configured

*When a user has an Active Directory mail attribute rudy@wvdcloud.nl and only 1 proxyAddresses attribute: rudy@wvdcloud.nl the additional email address in Azure AD will be removed. So when the Azure AD user had an additional email address: info@wvdcloud.nl, that additional email address will be removed and the object will be marked as “On-premises managed”

So pretty please, before running Azure AD connect please make sure everything matches. You really don’t want to end up in a situation when 75% of the Azure AD users had their additional email addresses suddenly removed

5. The PowerShell Scripts

The First PowerShell script that I am going to show you, would be the one we used to make sure all of the proxyAddresses attributes would match the ones configured in Azure AD.

Connect-MsolService
$results = @()
$onlineusers = Get-MsolUser -All  | Select-Object UserprincipalName,ImmutableID,WhenCreated,LastDirSyncTime, proxyaddresses 
foreach($user in $onlineusers){

    foreach($proxyaddress in $user.proxyaddresses){

    			$properties = [ordered]@{
				Gebruikersnaam = $user.UserPrincipalName
				Proxyaddress = $proxyaddress
			}
						
			$results  += New-Object PSObject -Property $properties
                Set-ADUser $user.UserPrincipalName -add @{ProxyAddresses=$proxyaddress}
    } 
}

And the second Powershell Script will detect if there is any proxyAddresses attribute configured with the local domain (@domein.local) in it and if so it will remove them.

ForEach ($Object In $Objects){
    $proxyAddresses = $Object.proxyAddresses
    ForEach ($proxyAddress In $proxyAddresses){
        If ($proxyAddress -Like '*@domein.local'){
            Write-Host $Object.DistinguishedName `t $proxyAddress 
            Set-ADObject $Object -Remove @{ProxyAddresses = "$($proxyAddress)"}
        }
    }
}

Conclusion:

If all of your migrations are greenfield migrations you are good to go but if that’s not the case you need to beware of some rules. If the proxyAddresses attribute is NOT configured in the Active Directory, the additional email addresses are NOT removed in Azure AD when running Azure AD Connect!

Rules GIFs | Tenor

2 thoughts on “Azure AD Connect: Escape to Proxy Addresses

    1. Hi Nithyanandham

      I am trying to contact you regarding one of your Microsoft cases, sorry this is the only way I know how to get a hold of you. Can you please email me?

      chau.le@birdrockusa.com

Leave a Reply

Your email address will not be published. Required fields are marked *

5  +  5  =