Looking for script module to keep UPN insync with Email attribute

The domain name of our AD forest does not match the second half of our e-mail addresses - i.e. Domain FQDN = internal.company.us and SMTP Addresses are @company.com.

Now that we are looking to enable hybrid modern authentication with Microsoft 365, we want to make sure that each user's UPN always matches the value of the Primary SMTP Address of the account (attribute Mail).

Our delegated administrators will be able to customize SMTP address, so I thought the cleanest way to do this would be:

1) run a script to change all UPNs to match Mail attribute

2) use a Policy Object to enforce a Script Policy to make the change on actions like onPostModify, onPostCreate, etc.

I figure it has to be an onPost-type script module because it will need to set the value before it can read it. (During testing, I see that when ProxyAddresses is updated, ARS also updates the Mail attribute, so that's why I'm using that one.)

I've got the onPostCreate function partially working, but I'm trying to check if the User object is a mailbox (by looking at the value of homeMDB) before continuing to run the script.

Wondering if folks have done this before.
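For step 1 (the one-time pass that aligns UPNs with the Mail attribute), here is an added example that is not the poster's code or an ARS script module; it uses the ActiveDirectory PowerShell module only. It assumes RSAT is installed, an account that may write userPrincipalName, and a placeholder search base. It skips accounts without homeMDB, and reports rather than changes a user whose mail suffix is not a registered UPN suffix of the forest, which matters when many SMTP domains are in use.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder search base: scope this to the OUs your delegated admins manage.
    [string]$SearchBase = 'OU=Users,DC=internal,DC=company,DC=us'
)

# Added example, not the poster's code. Requires the ActiveDirectory module
# (RSAT) and an account permitted to write userPrincipalName.
Import-Module ActiveDirectory

# A UPN whose suffix is not registered on the forest (and verified in the
# tenant) will not sign in as expected, so those users are reported, not changed.
$forest = Get-ADForest
$validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)

# Only users that actually carry a mail value are candidates.
$users = Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase `
    -Properties mail, homeMDB, userPrincipalName

$report = foreach ($u in $users) {
    $mail   = $u.mail.Trim()
    $suffix = ($mail -split '@')[-1]

    # Decide per user; -eq and -notcontains are case-insensitive in PowerShell.
    $status = if (-not $u.homeMDB) { 'SkippedNoMailbox' }
        elseif ($u.userPrincipalName -eq $mail) { 'AlreadyMatching' }
        elseif ($validSuffixes -notcontains $suffix) { 'SuffixNotRegistered' }
        elseif ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set UPN to $mail")) {
            # Honour -WhatIf / -Confirm; a duplicate UPN or missing rights
            # surfaces here as a failure for that one user.
            try   { Set-ADUser -Identity $u -UserPrincipalName $mail; 'Updated' }
            catch { "Failed: $($_.Exception.Message)" }
        }
        else { 'WhatIf' }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUPN         = $u.userPrincipalName
        Mail           = $mail
        Status         = $status
    }
}

# Summary by outcome, then the per-user detail for anything that changed or was held back.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Status -ne 'AlreadyMatching' | Format-Table -AutoSize
```

Run it first with `-WhatIf` to review the report, then without it to apply; because mailbox-less accounts are skipped, rerunning it later also covers users whose mailbox was created after the account.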

  • The mail attribute only changes if the primary SMTP address is modified.  Changes to secondary proxies will not update it so your idea of watching for changes to 'mail' is sound.

    You really don't need a script - a Change Workflow that traps a change to mail and updates the UPN using a property setting activity will give you a codeless solution.

    Just curious - how are you handling the situation of user rename?  The UPN prefix could be affected by this as could their e-mail (IF you allow that to propagate, some orgs do not).  In that case, your tenant.onmicrosoft... addresses could need updating too.  Just putting that out there for your consideration.

  • Thanks for weighing in JohnnyQuest. I'll look at the Change Workflow - I was thinking the OnPost was the easiest way. Yep, renaming accounts becomes trickier with the onmicrosoft.com address. I have all of those elements in our test plan and we're taking a look at the various ways an account will be updated and if there is something more that needs to be done.

  • The Change Workflow is functionally the same thing - you can have the workflow activities occur before and/or after a modification takes place.  I find that workflows are more "self documenting" than script policies and easier for customers to understand as they are very visual.  I only wish that for customers' sake, the built-in Activities were better documented.

  • I hear that on documentation. Looking at the workflow options initially, it looks like UPN has to be handled via UPNPrefix and UPNSuffix. I'm not worried about the complexity of coding the solution. The other challenge I didn't mention is that the SMTP address might end in @company1.com or @company2.com, etc., since we handle a lot of SMTP domains. Will play around with it and post my solution when I have one.

  • Thanks for the tip, so I've got the workflow figured out to make this happen - I set up two workflows - one for Create User operation and another for Modify User Properties. The only other use case I can imagine that I can't figure out is a user that is created without a mailbox initially - when you do Exchange Tasks > Create User Mailbox, it does not change the UPN. I would have expected that to trigger the Modify User Properties workflow. Not the end of the world, but looking to see if there is another way to trigger this - sometimes user accounts are created initially without mailboxes in our environment.
