
trying to update proxy addresses in AADSync 365 domain via PS


  • #1

    and it's kicking my ass. I will preface this with: I am not a scripting master, but I know how to hack up stuff enough to make it work, but this one is driving me crazy...

    #Import Modules
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
    Import-Module ActiveDirectory
    #Set a password
    $securePassword = ConvertTo-SecureString "pass4FMH!" -AsPlainText -Force
    ## Prompt for CSV path
    $filepath = Read-Host -Prompt "Enter CSV path"
    #Import the file into variables...
    $users = Import-Csv $filepath
    #loop and gather data
    ForEach ($user in $users) {
        #Gather user info
        $fname = $user.'First Name'
        $lname = $user.'Last Name'
        $dname = $user.DisplayName
        $name = $user.Name
        $sam = $user.SAM
        $OU = $user.OU
        $email = $user.Email
        $logon = $user.SAM
        $description = $user.Description
        #create new AD user for each item in CSV
        New-ADUser -Name "$fname $lname" -GivenName $fname -Surname $lname -UserPrincipalName "$sam" -Path $OU -EmailAddress $email -Description $description -Enabled $true -AccountPassword $securePassword
        #echo output for each user
        echo "Account created for $fname $lname with $logon in $OU folder"
    }

    So I have this crazy tenant and there are about 50 domains parsed out... I have to specify the primary and secondary SMTP addresses for all this to work, so I am trying to add the field for "proxyAddresses" but I can't get it to do more than the primary email address. I would like the script to populate the field in ADUC advanced view, Attribute Editor: SMTP:[email protected], smtp:[email protected], smtp:[email protected], etc etc...

    So what do I have to do to get it to populate that field, and secondly, how do I format it to create new entries? I tried just separating with a comma by hacking things up, but I ended up with an email address like "[email protected],[email protected]", like one single address...

    This last place we acquired has been a hassle because I have a couple hundred addresses to update with the other domain... like we got a place that is actually 2 stores, so the users would like to have a secondary address for that location as well as their primary... which I don't normally do, and I thought it would be easier to fix with a script (so long as I can get it to work). I just don't get the separate entries in that field and/or how to pull this off in PS.

    Thanks in advance!

    its easier to beg forgiveness than ask permission.
    Give karma where karma is due...
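
    An added example (my code, not from the original post) of the piece the question is about: writing proxyAddresses as a multi-valued attribute so each address becomes its own entry, with exactly one upper-case "SMTP:" primary and lower-case "smtp:" secondaries. It assumes the same CSV columns as the script above (SAM, First Name, Last Name, OU, Email) plus an assumed Aliases column holding the secondary addresses separated by ";"; the helper name ConvertTo-ProxyAddresses is mine. New-ADUser's -OtherAttributes and Set-ADUser's -Add are the ActiveDirectory module's own parameters.

```powershell
# Added example, not from the original post. Assumed CSV columns:
#   SAM, First Name, Last Name, OU, Email (primary), Aliases (secondaries, ';'-separated)
Import-Module ActiveDirectory

# Build the proxyAddresses value list: one SMTP: primary, the rest smtp:.
# Rejects malformed addresses and drops duplicates so a bad CSV row fails loudly
# instead of writing a single comma-joined "address" into the attribute.
function ConvertTo-ProxyAddresses {
    param(
        [Parameter(Mandatory)][string]$Primary,
        [string[]]$Secondary = @()
    )
    $pattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    if ($Primary -notmatch $pattern) { throw "Primary address '$Primary' is not a valid SMTP address" }
    $list = New-Object System.Collections.Generic.List[string]
    $list.Add("SMTP:$Primary")
    foreach ($addr in $Secondary) {
        $a = $addr.Trim()
        if (-not $a) { continue }
        if ($a -notmatch $pattern) { throw "Secondary address '$a' is not a valid SMTP address" }
        if ($a -ieq $Primary) { continue }          # primary is never repeated as a secondary
        $entry = "smtp:$a"
        if ($list -notcontains $entry) { $list.Add($entry) }
    }
    return ,$list.ToArray()                          # one array object, each address its own element
}

$csvPath = Read-Host -Prompt "Enter CSV path"
$users   = Import-Csv $csvPath
# Prompt for the initial password rather than keeping it in the script file.
$securePassword = Read-Host -Prompt "Initial password" -AsSecureString

foreach ($user in $users) {
    $secondary = @()
    if ($user.Aliases) { $secondary = $user.Aliases -split ';' }
    $proxies = ConvertTo-ProxyAddresses -Primary $user.Email -Secondary $secondary

    $existing = Get-ADUser -Filter "SamAccountName -eq '$($user.SAM)'" -Properties proxyAddresses
    if ($null -eq $existing) {
        # New account: proxyAddresses is not a named New-ADUser parameter, so it goes in -OtherAttributes.
        New-ADUser -Name "$($user.'First Name') $($user.'Last Name')" `
            -GivenName $user.'First Name' -Surname $user.'Last Name' `
            -SamAccountName $user.SAM -UserPrincipalName $user.Email `
            -Path $user.OU -EmailAddress $user.Email `
            -OtherAttributes @{ proxyAddresses = $proxies } `
            -AccountPassword $securePassword -Enabled $true
        Write-Output "Created $($user.SAM) with $($proxies.Count) proxy address(es)"
    }
    else {
        # Existing account (the acquisition case): add only entries not already present,
        # and never add a second SMTP: primary if the account already has one.
        $hasPrimary = @($existing.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' }).Count -gt 0
        $toAdd = @($proxies | Where-Object { $existing.proxyAddresses -notcontains $_ })
        if ($hasPrimary) { $toAdd = @($toAdd | Where-Object { $_ -cnotmatch '^SMTP:' }) }
        if ($toAdd.Count -gt 0) {
            Set-ADUser -Identity $existing -Add @{ proxyAddresses = $toAdd }
        }
        Write-Output "Updated $($user.SAM): added $($toAdd.Count) proxy address(es)"
    }
}
```

    Passing the addresses as an array is what produces separate entries in Attribute Editor; a single string with commas is stored as one value. Both New-ADUser and Set-ADUser accept -WhatIf, which is worth a first pass over the CSV before writing anything. To change an existing primary, use Set-ADUser -Replace with the full list rather than -Add. As the replies below note, Exchange recipient policies and the directory sync can repopulate this attribute once mailbox attributes are set, so check the values after the first sync.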

  • #2
    You should probably be doing this in the Exchange Management Shell rather than Active Directory.

    New-AdUser won't give you the required fields you want to edit.

    Actually it would probably be better using the Exchange Online module rather than EMS.

    Maybe something like this to get you started??

    #New-ADUser -Name $Username `
    #-GivenName $FirstName `
    #-Surname $Lastname `
    #-Manager $Manager `
    #-Office $Office `
    #-Country $Country
    #New-RemoteMailbox -UserPrincipalName $EmailAddress `
    #-Alias "User1Test" `
    #-Name "User1 Test" `
    #-FirstName $FirstName `
    #-LastName $LastName `
    #-DisplayName $UserName `
    #-OnPremisesOrganizationalUnit "Office 365 Users" `
    #-Password (ConvertTo-SecureString "EnterPasswordHere" -AsPlainText -Force) `
    #-ResetPasswordOnNextLogon $true
    Obviously remove the # and fit to suit. I've taken this from a test script of mine.


    • #3
      Due to the inability of the users to be trusted with accounts, I don't have write-back on the 365 tenant... the passwords sync, but I must create all user accounts from the DC. I don't really manage the tenant through PS, just get stats and force-delete users...

      Hmmm. Will have to figure out something for the future. Thanks for the reply either way.


      • #4
        Had you considered making your script a 2-stage process? Seems to me I ended up running into the same type of problem, where you create the account, save that, and THEN set the password. In your case, you create the user account in 1 step, then go back and read all the attributes of the account for the rest, and set appropriate values. Might not work, but you never know. As wullieb1 said, this would be better handled through Exchange, though. I have no experience with 365, so take my suggestion with a grain of salt?
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **


        • #5
          Will they give you access to the EMS at all??

          Have you tried to log in to your tenant on the 365 side of things using PS?

          What you have to remember is that even though you can set the email ID in AD it will re-populate when you set the exchange email attributes.


          • #6
            I think you are correct, it seems like I have to do things in 2 stages... and creating the accounts is the first step, then I can probably get the attributes on the second pass. I think (and I'm just guessing at this) the attributes have different names on each side... like in AD it's proxyAddresses and in 365 it's an alias, idk... seems like I should just be able to do it all at once, but I have not had that luck as of yet.

            I have not had any luck creating the accounts on the 365 PowerShell side at all... only from AAD PowerShell on the local side. I'm just going to try to test with some CSVs and see if I can find some consistency to my failure.


            • #7
              IIRC the ProxyAddresses are set when the Exchange attributes are populated and the user gets assigned them, and it's an Exchange thing rather than an AD thing. These are populated when the Recipient Policies run. It's been a while since I've had to worry about Exchange things like this.



              On our side of the business we will typically generate a user account on-prem with the details required. We will then generate an on-prem mailbox, which will generate all the required ProxyAddresses and Exchange attributes. This is then synced to 365 and we will migrate the user there.

              This is what I use to generate a new user account on-prem:

              # -Office must be populated, as the Recipient Policies use it to generate the correct email addresses
              New-ADUser -Name $Username `
                  -GivenName $FirstName `
                  -Surname $Lastname `
                  -Manager $Manager `
                  -Office $Office `
                  -Country $Country
              I'll then use Enable-Mailbox to enable the mailbox for the existing user.


              I'll then do a migration, only once the user account has synced; in our case this can take 3 hours.

              New-MoveRequest -Identity $UserMig `
                  -Remote -RemoteHostName "<HYBRID-SERVER>" `
                  -TargetDeliveryDomain "<TENANT-DETAILS>" `
                  -RemoteCredential $ONPREMCREDS `
                  -BadItemLimit 9000


              • #8
                OK, so that being said, I should actually run the import to AD, then run a secondary script on the 365 PowerShell... that makes a lot of sense. It seems like the internal AD isn't getting some attributes that would normally get picked up in EMS. That makes this much easier... granted, still 2 runs instead of 1, but that may be why it was failing on the second runs internally.

                This is the biggest piece of the puzzle I think I was missing. I will give it a shot and see what happens.


                • #9
                  That's correct. Your AD account can be an AD account without having any Exchange attributes. Only when you decide to attach a mailbox will the account then get the correct attributes in AD.

                  As I said earlier, it's heaps easier if you have access to all the consoles, as you can just flow from one right into another in the same script.