Remove-AzureUserProxyAddresses function added to AZSBTools PowerShell module


Many organizations use ADConnect to replicate/synchronize some/all of their Active Directory users and/or computers to their Azure directory. A great deal of transformation occurs to objects as they get replicated from AD to Azure. The schemas of the two databases are quite different, although some object attributes carry the same names. For example, the ‘user’ object in AD has the ‘GivenName’, ‘SurName’, and ‘DisplayName’ attributes in common with the ‘person’ object in the Azure directory.

One of the user AD attributes is proxyaddresses. Proxyaddresses is a multivalued attribute that is used on users, groups and contacts in order to facilitate mail delivery. It is subject to the following guidelines:

  • The primary (sending) mail alias must be prefixed with upper case “SMTP:”.
  • Only one value/alias is allowed to have the upper case “SMTP:” prefix.
  • Secondary mail aliases must be prefixed with lower case “smtp:”.
  • No duplicate values (across all AD objects) are allowed.

In the Azure directory, the ‘person’ object also has a proxyaddresses property. However, the Azure person proxyaddresses property is a calculated property. Microsoft uses the complex logic described in this article to calculate the Azure person proxyaddresses.

In large organizations with frequent mergers and acquisitions, it’s not uncommon for the AD user proxyaddresses attribute to change over time, showing several additions and removals of ‘smtp:’ addresses. ADConnect and the logic Microsoft uses to calculate the Azure person proxyaddresses fail to remove ‘smtp:’ addresses that have been removed from the AD user proxyaddresses attribute. This can manifest as end user problems such as failure to log in to OneDrive for Business, SharePoint Online sites, and the like.
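The following is an added example, not code from the original post or from the AZSBTools module. It checks one object's proxyaddresses list against the per-object guidelines listed above and reports the ‘smtp:’ addresses that are still on the Azure object but no longer in the AD attribute. The function names, the sample addresses and the choice to skip *.onmicrosoft.com addresses are assumptions made for this example.

```powershell
# Added example; all addresses below are constructed sample data.
function Test-ProxyAddressList {
    # Check one object's list against the per-object guidelines
    # (the cross-object duplicate rule needs a directory-wide query and is not covered).
    param([string[]]$ProxyAddresses)
    $issues  = @()
    $smtp    = @($ProxyAddresses | Where-Object { $_ -like 'smtp:*' })   # -like ignores case
    $primary = @($smtp | Where-Object { $_ -clike 'SMTP:*' })            # -clike is case-sensitive
    if ($primary.Count -ne 1) {
        $issues += "Expected exactly one 'SMTP:' primary address, found $($primary.Count)"
    }
    foreach ($a in $smtp) {
        if ($a -cnotlike 'SMTP:*' -and $a -cnotlike 'smtp:*') {
            $issues += "Prefix is neither 'SMTP:' nor 'smtp:' in $a"
        }
    }
    foreach ($g in ($smtp | Group-Object { $_.Substring(5).ToLower() })) {
        if ($g.Count -gt 1) { $issues += "Duplicate address: $($g.Name)" }
    }
    $issues
}

function Get-StaleCloudProxyAddress {
    # List 'smtp:' values still on the Azure object that are no longer in the AD attribute.
    param([string[]]$AdProxyAddresses, [string[]]$CloudProxyAddresses)
    # Compare on the mail address only, so an alias promoted to primary in AD is not flagged.
    $inAd = @($AdProxyAddresses | ForEach-Object { $_.Substring($_.IndexOf(':') + 1).ToLower() })
    foreach ($address in $CloudProxyAddresses) {
        if ($address -cnotlike 'smtp:*') { continue }        # secondary aliases only
        $mail = $address.Substring(5).ToLower()
        # Assumption: tenant routing addresses are added in the cloud, not synced from AD.
        if ($mail -like '*.onmicrosoft.com') { continue }
        if ($inAd -notcontains $mail) { $address }
    }
}

# Constructed values standing in for the AD attribute and the Azure calculated property.
$adAddresses    = 'SMTP:jdoe@contoso.example', 'smtp:john.doe@contoso.example'
$cloudAddresses = 'SMTP:jdoe@contoso.example', 'smtp:john.doe@contoso.example',
                  'smtp:jdoe@fabrikam.example', 'smtp:jdoe@contoso.onmicrosoft.com'

Test-ProxyAddressList -ProxyAddresses $adAddresses
Get-StaleCloudProxyAddress -AdProxyAddresses $adAddresses -CloudProxyAddresses $cloudAddresses
```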

The process to remove unwanted ‘smtp:’ addresses from the Azure person proxyaddresses is as follows:

  • On the on-premises ADConnect server stop the ADSync Scheduler as in:
    Set-ADSyncScheduler -SyncCycleEnabled $false
  • Soft delete the Azure person object using the Remove-MsolUser PowerShell cmdlet.
  • Create a temporary Azure person object for each smtp: address you wish removed, using New-AzureADUser.
  • Populate the temporary Azure person object proxyaddresses property. One way to do that is to assign it an O365 license using Set-MsolUserLicense which requires setting the person’s ‘usagelocation’ property using Set-AzureADUser cmdlet.
  • Restore the deleted user with the cmdlet Restore-MsolUser and the -AutoReconcileProxyConflicts switch.
  • Remove the temporary Azure user(s) created during this process.
  • Finally, enable the ADSync Scheduler on the ADConnect server using:
    Set-ADSyncScheduler -SyncCycleEnabled $true

The new Remove-AzureUserProxyAddresses function of the AZSBTools PowerShell module automates this process. It takes one mandatory parameter: the samAccountName of the AD user. It does not reach out to the ADConnect server to disable/enable the ADSync Scheduler. You’ll need to do that separately.


To use/update the AZSBTools PowerShell module which is available in the PowerShell Gallery, you can use the following code:

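# Trust the PowerShell Gallery so Install-Module does not prompt
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
# PowerShellGallery dropped Ssl3 and Tls as of 1 April 2020, so use TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Unload any loaded copy of the module (-EA 0 suppresses the error if none is loaded)
Remove-Module AZSBTools -Force -EA 0
# -AllowClobber lets the module's commands override existing commands with the same names;
# -SkipPublisherCheck installs without validating the module's publisher
Install-Module AZSBTools -Force -AllowClobber -SkipPublisherCheck # -Scope CurrentUser
Import-Module AZSBTools -DisableNameChecking -Force
# List the functions the module exports
Get-Command -Module AZSBTools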

You need PowerShell 5. To view your PowerShell version, in an elevated PowerShell ISE window type

$PSVersionTable

To download and install the latest version of AZSBTools from the PowerShell Gallery and its dependencies, type

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

to trust the Microsoft PowerShell Gallery repository, then type

Install-Module AZSBTools,Az -Force -AllowClobber -Scope CurrentUser

AZSBTools contains functions that depend on the Az module, and they’re typically installed together.

To load the AZSBTools and Az modules, type:

Import-Module AZSBTools,Az -DisableNameChecking

To view a list of cmdlets/functions in AZSBTools, type

Get-Command -Module AZSBTools

To view the built-in help of one of the AZSBTools functions/cmdlets, type

help <function/cmdlet name> -show

such as

help Get-DayOfMonth -show