It was recently discovered that when new user accounts are created in AD and then synchronized to Microsoft 365 with Azure AD Connect, the default email address is effectively 'guessed' if the proxyAddresses attribute has not been populated manually.  Essentially it appears that Microsoft 365 will set the user's UPN or sAMAccountName as the default/primary SMTP address.

That is usually fine, because it is typically the email address you would assign the user anyway.  The trouble starts once the account is updated with MFA registration information, at which point the default address automatically switches to the @tenant.onmicrosoft.com domain.  That is a big problem, because the onmicrosoft.com domain is not typically routable.

When we uncovered this undocumented feature we realized that we were going to have to update all AD accounts where the proxyAddresses attribute field was left blank.  Except, how to search for something that isn’t there on hundreds of accounts?

I discovered through a lot of trial and error that not all operators work with all cmdlets.  Get-ADUser, for example, can handle -filter options of -eq -like -match, but cannot handle -ceq -clike or -cmatch, and has no concept at all of -notlike or -notequal.  Suddenly the search became considerably more difficult.

I know there’s going to be a lot of PowerShell experts out there who’ll look at this and say “there’s a better way” but this was the best I could come up with:

get-aduser -filter 'enabled -eq $true' -Properties Name,DisplayName,SamAccountName,SurName,GivenName,UserPrincipalName,proxyaddresses | `
Select-Object Name, DisplayName, SamAccountName, Surname, GivenName, UserPrincipalName, `
@{n = "proxyAddress"; e = { $_.proxyAddresses | Where-object { $_ -clike "SMTP:*" } } }

I exported the results to a CSV file, then used Excel's Data -> Filter option to filter out all found SMTP entries, leaving only blanks, which gave me the list of accounts to fix.
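The same search, done entirely in PowerShell so the blank-filtering step does not need Excel, with a dry-run remediation that would set each affected user's UPN as the primary address. This is an added example and not the post's own code; it assumes the ActiveDirectory module is loaded and uses a placeholder CSV path.

```powershell
# Added example (not the post's own code): list enabled AD users with no
# primary SMTP proxy address, export them, and dry-run the fix.
# Assumes the ActiveDirectory module; the CSV path is a placeholder.
Import-Module ActiveDirectory

$csvPath = 'C:\Temp\MissingPrimarySmtp.csv'   # placeholder output path

# proxyAddresses entries are case-sensitive by convention: an uppercase
# "SMTP:" prefix marks the primary address, lowercase "smtp:" a secondary
# one. Get-ADUser -Filter cannot do this test, so it is done client-side
# in Where-Object, where -clike (case-sensitive) is available.
$missing = Get-ADUser -Filter 'enabled -eq $true' `
        -Properties SamAccountName, UserPrincipalName, proxyAddresses |
    Where-Object {
        -not ($_.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    } |
    Select-Object Name, SamAccountName, UserPrincipalName,
        @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join ';' } }

$missing | Export-Csv -Path $csvPath -NoTypeInformation
"{0} enabled account(s) have no primary SMTP address" -f @($missing).Count

# Remediation dry run: add "SMTP:<UPN>" as the primary address. Review the
# CSV and exclude service/system accounts before removing -WhatIf.
foreach ($user in $missing) {
    Set-ADUser -Identity $user.SamAccountName `
        -Add @{ proxyAddresses = "SMTP:$($user.UserPrincipalName)" } -WhatIf
}
```

Because the primary-address check runs client-side, the query still pulls every enabled user from AD; that is unavoidable given the -Filter limitations described above, but it is a one-time cost.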

I was actually hoping to also find a way to filter out all the system accounts, but was satisfied with the AD ‘enabled’ accounts.