Looking for script module to keep UPN in sync with Email attribute

The domain name of our AD forest does not match the second half of our e-mail addresses - i.e. Domain FQDN = internal.company.us and SMTP Addresses are @company.com.

Now that we are looking to enable hybrid modern authentication with Microsoft 365, we want to make sure that users' UPNs always match the value of the Primary SMTP Address of the account (attribute Mail).

Our delegated administrators will be able to customize SMTP address, so I thought the cleanest way to do this would be:

1) run a script to change all UPNs to match Mail attribute

2) use a Policy Object to enforce a Script Policy to make the change on actions like onPostModify, onPostCreate, etc.

I figure it has to be an onPost-type script module because it will need to set the value before it can read it. (During testing I see that when ProxyAddresses is updated, ARS also updates the Mail attribute, so that's why I'm using that one.)

I've got the onPostCreate function partially working, but I'm trying to check whether the User object is a mailbox (by looking at the value of homeMDB) before continuing to run the script.

Wondering if folks have done this before.
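As an added illustration of the two-step approach described above (not code from the original post or from Active Roles), here is one way to write both pieces in PowerShell: a bulk pass with the ActiveDirectory module for step 1, and onPostCreate/onPostModify handlers shaped like an Active Roles policy script for step 2, both gated on homeMDB. The function names (Sync-UpnFromMail, Get-TargetUpn, Test-UpnSuffixRegistered, Update-UpnFromDirObj) are my own; the $Request/$DirObj variables and the IsAttributeModified, GetInfoEx, Get, Put and SetInfo members are assumed from the Active Roles scripting model and should be checked against your ARS version before use.

```powershell
# Added example, not from the original post or from Active Roles.
# Part 1: bulk pass (ActiveDirectory module). Part 2: ARS policy script handlers
# ($Request / $DirObj model assumed; verify against your ARS version).

function Test-UpnSuffixRegistered {
    # A UPN whose suffix is not a registered UPN suffix (or a forest domain) is
    # rejected by AD, and a suffix that is not a verified domain in the tenant
    # gets rewritten to tenant.onmicrosoft.com on sync. Check before writing.
    param([Parameter(Mandatory)][string]$Upn)
    $suffix = ($Upn -split '@', 2)[1]
    if (-not $suffix) { return $false }
    $forest  = Get-ADForest
    $allowed = @($forest.Domains) + @($forest.UPNSuffixes)
    return ($allowed -contains $suffix)
}

function Get-TargetUpn {
    # Returns the UPN a mailbox-enabled user should have, or $null when the object
    # should be skipped: no homeMDB (not a mailbox), no usable mail, or already in sync.
    param($Mail, $HomeMDB, $CurrentUpn)
    if ([string]::IsNullOrWhiteSpace($HomeMDB)) { return $null }
    if ([string]::IsNullOrWhiteSpace($Mail) -or $Mail -notmatch '^[^@\s]+@[^@\s]+$') { return $null }
    if ($Mail -ieq $CurrentUpn) { return $null }
    return $Mail
}

function Sync-UpnFromMail {
    # Step 1 of the post: one-off bulk pass. Run with -WhatIf first and review the output.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SearchBase)
    # 'homeMDB -like "*"' restricts the query to mailbox-enabled users server-side.
    $query = @{ Filter = 'homeMDB -like "*"'; Properties = 'mail', 'homeMDB', 'userPrincipalName' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    foreach ($u in Get-ADUser @query) {
        $target = Get-TargetUpn -Mail $u.mail -HomeMDB $u.homeMDB -CurrentUpn $u.UserPrincipalName
        if (-not $target) { continue }
        if (-not (Test-UpnSuffixRegistered $target)) {
            Write-Warning "$($u.SamAccountName): suffix of '$target' is not a registered UPN suffix; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set UPN '$($u.UserPrincipalName)' -> '$target'")) {
            Set-ADUser -Identity $u.DistinguishedName -UserPrincipalName $target
        }
        [pscustomobject]@{ User = $u.SamAccountName; OldUpn = $u.UserPrincipalName; NewUpn = $target }
    }
}

# Step 2 of the post: Active Roles policy script handlers (assumed scripting model).
function Get-DirAttr($Name) {
    # ADSI-style Get() throws when the attribute is absent; treat that as $null.
    try { return $DirObj.Get($Name) } catch { return $null }
}

function Update-UpnFromDirObj {
    # In a post-event handler the committed values can be read back from $DirObj.
    $DirObj.GetInfoEx(@('mail', 'homeMDB', 'userPrincipalName'), 0)
    $target = Get-TargetUpn -Mail (Get-DirAttr 'mail') -HomeMDB (Get-DirAttr 'homeMDB') `
                            -CurrentUpn (Get-DirAttr 'userPrincipalName')
    if (-not $target) { return }
    $DirObj.Put('userPrincipalName', $target)
    $DirObj.SetInfo()
}

function onPostCreate($Request) {
    if ($Request.Class -ne 'user') { return }
    Update-UpnFromDirObj
}

function onPostModify($Request) {
    if ($Request.Class -ne 'user') { return }
    # React only when mail or the mailbox itself changed; the UPN write this handler
    # performs modifies neither, so it does not re-trigger the handler.
    if (-not ($Request.IsAttributeModified('mail') -or $Request.IsAttributeModified('homeMDB'))) { return }
    Update-UpnFromDirObj
}
```

The suffix check runs only in the bulk pass, because the ActiveDirectory module is not necessarily available inside the ARS script host; in the handlers an unregistered suffix simply makes SetInfo fail, which the ARS policy log will show. Gating on IsAttributeModified matters for the same reason the reply below raises: a handler that fires on every modify and writes userPrincipalName would otherwise loop through its own post-modify event.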

  • The mail attribute only changes if the primary SMTP address is modified.  Changes to secondary proxies will not update it so your idea of watching for changes to 'mail' is sound.

    You really don't need a script - a Change Workflow that traps a change to mail and updates the UPN using a property setting activity will give you a codeless solution.

    Just curious - how are you handling the situation of user rename?  The UPN prefix could be affected by this as could their e-mail (IF you allow that to propagate, some orgs do not).  In that case, your tenant.onmicrosoft... addresses could need updating too.  Just putting that out there for your consideration.
