Last active
September 7, 2018 15:54
-
-
Save jschlackman/bdcfda94c258d87326c71799e0ef4613 to your computer and use it in GitHub Desktop.
For organizations that use Azure AD Connect but have never had on-premises Exchange, check msDS-cloudExtensionAttribute1 attribute for the word "hidden" and use that to set msExchHideFromAddressLists in Azure, since the msExchHideFromAddressLists is not present in AD.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| New-ADSyncRule ` | |
| -Name 'In from AD - Use msDS-cloudExtensionAttribute1 instead of msExchHideFromAddressLists' ` | |
| -Identifier '57244c63-9b0d-45bc-a107-3a35b427037d' ` | |
| -Description 'Check msDS-cloudExtensionAttribute1 attribute for the word "hidden" and use that to set msExchHideFromAddressLists, since the msExchHideFromAddressLists is not present in AD' ` | |
| -Direction 'Inbound' ` | |
| -Precedence 50 ` | |
| -PrecedenceAfter '00000000-0000-0000-0000-000000000000' ` | |
| -PrecedenceBefore '00000000-0000-0000-0000-000000000000' ` | |
| -SourceObjectType 'user' ` | |
| -TargetObjectType 'person' ` | |
| -Connector '9eaf2836-92d8-41df-a724-52dcce95e50d' ` | |
| -LinkType 'Join' ` | |
| -SoftDeleteExpiryInterval 0 ` | |
| -ImmutableTag '' ` | |
| -OutVariable syncRule | |
| Add-ADSyncAttributeFlowMapping ` | |
| -SynchronizationRule $syncRule[0] ` | |
| -Source @('msDS-cloudExtensionAttribute1') ` | |
| -Destination 'msExchHideFromAddressLists' ` | |
| -FlowType 'Expression' ` | |
| -ValueMergeType 'Update' ` | |
| -Expression 'IIF(IsNullOrEmpty([msDS-cloudExtensionAttribute1]),False,IIF([msDS-cloudExtensionAttribute1]="hidden",True,False))' ` | |
| -OutVariable syncRule | |
| New-Object ` | |
| -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' ` | |
| -ArgumentList 'mail','','ISNOTNULL' ` | |
| -OutVariable condition0 | |
| Add-ADSyncScopeConditionGroup ` | |
| -SynchronizationRule $syncRule[0] ` | |
| -ScopeConditions @($condition0[0]) ` | |
| -OutVariable syncRule | |
| Add-ADSyncRule ` | |
| -SynchronizationRule $syncRule[0] | |
| Get-ADSyncRule ` | |
| -Identifier '57244c63-9b0d-45bc-a107-3a35b427037d' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is an alternative to the Microsoft-suggested solution of extending the AD schema using Exchange setup without actually installing Exchange, or the messy workaround of disabling sync for the individual account, changing the setting in Exchange Online, then re-enabling sync (this method involves some downtime for the user as it deletes the account in Azure, which has to be recovered from the Recycle Bin).
The msDS-cloudExtensionAttribute1 attribute is added to the on-premises AD schema by Azure AD Sync by default during setup, but is not used or synced to Azure by default. This method therefore only involves adding an Azure AD Connect sync rule, with no additional schema modification or workarounds required. The only downside is that it will need to be fully documented within the organization as it is using a non-standard attribute.