This article describes how to remove the SMTP proxy address attribute for a user in Microsoft Entra ID (formerly Azure AD) and assign it to a different user.
Table of Contents
Introduction
The proxy Address attribute in Active Directory is a multi-value property that can contain various known address entries. For example, it can contain SMTP addresses, X500 addresses, SIP addresses, and so on.
When an object is synchronized to Azure AD, the values that are specified in the proxyAddresses attribute in Active Directory are compared with Azure AD rules, and then the proxyAddresses attribute is populated in Azure AD. Therefore, the values of the proxyAddresses attribute for the object in Active Directory may not be the same as the values of the proxyAddresses attribute in Azure AD.
As you probably know, in Exchange Online, we can configure more than one email address for the same mailbox. The additional addresses are called proxy addresses. A proxy address lets a user receive an email that’s sent to a different email address. Any email message sent to the user’s proxy address is delivered to their primary email address, which is also known as the primary SMTP address or the default reply address.
In this article, we will show you how to change the proxy address attribute for a user in Microsoft Entra ID (Azure AD) and use it for a different user.
The issue
We removed an Office 365 license for a user and moved it to another user, and then we added a new email address for the old user to the second user’s mailbox.
When we attempted to save the changes, Exchange Online threw the following error:
Error executing request. An Azure Active Directory call was made to keep the object in sync between Azure Active Directory and Exchange Online. However, it failed. Detailed error message: Another object with the same value for property proxyAddresses already exists. ConflictingObject: User_1c69c7bf-e4fe-4860-95f6-27f7d9c2151e DualWrite (Graph) RequestId: e67b290d-19bb-4458-9087-2d64467c4787 The issue may be transient and please retry a couple of minutes later. If the issue persists, please see exception members for more information.
Another warning message that we saw for the affected user is the following:
Exchange: The execution of cmdlet ‘Set-SyncMailbox‘ failed. Cloud property value in AAD is different from the value in EXO. Recipient: username, Cloud property name: CloudMSExchRecipientDisplayType, value in AAD: , value in EXO: ACLableMailboxUser. You can wait for Repair Engine to fix it if replaying divergence didn’t work.
Finding the cause
After several hours of waiting, as Microsoft noted (the issue may be transient), the error did not go away.
After a quick look in Azure Active Directory (Azure AD) for the primary user, we found out that the SMTP proxy address is still attached to this user where the O365 license was removed, hence, we cannot add it to the second user mailbox.
The cause of this issue is that the object (attribute) was not synced between Exchange Online and Azure AD. The object that has the same proxy address already exists in Exchange Online.
We tried to edit and remove the SMTP Proxy address in Azure AD, but this is not possible (not editable), as shown in the figure below.
What is the solution, then?
Remove The SMTP Proxy Address
To fix this issue, take the following steps:
First, we need to assign the license back to the primary user and wait until the built-in repair engine fixes it automatically.
Next, you need to add/update the proxy address that’s associated with the primary user (object) in the Exchange admin center under (manage email address types).
Next, we will remove the SMTP proxy address for the first user since we now have two proxy addresses for the primary user in Azure AD and Exchange Online.
Last, we must remove and delete the alias that we don’t want for the primary user and then add it to the second user.
This can be done using the Microsoft 365 admin center portal as follows:
Log into the M365 admin center with an admin account.
Find the primary user and click on it. After the user details open, click on Manage username and email, as shown in the figure below.
Next, you can click on “···” -> Delete alias to remove the SMTP proxy address, as shown in the figure below.
Another option is to use the Exchange Online PowerShell V2 module to remove the SMTP proxy address by taking the following steps:
The Exchange Online PowerShell V2 module (abbreviated as the EXO V2 module) uses modern authentication and works with multi-factor authentication (MFA) for connecting to all Exchange-related PowerShell environments in Microsoft 365.
The latest version of the EXO V2 module is officially supported on PowerShell 7 on Windows, Linux, or Apple macOS.
At the time of writing, we are using ExchangeOnlineManagement version 2.0.5 (GA).
As a side note, starting March 30, 2024, Microsoft will deprecate the Azure AD PowerShell module(s). After this date, the only support offered for these PowerShell modules will be support in migrating to Microsoft Graph PowerShell SDK. Only security fixes will be offered for these PowerShell modules after deprecation is announced. Once these modules are deprecated, they will continue to work for at least six (6) months before being retired.
Take now the following steps. First, install the PowerShell module by running the following command:
Install-Module -Name ExchangeOnlineManagementNext, import the module:
Import-Module ExchangeOnlineManagementNext, you need to connect to Exchange Online PowerShell using modern authentication with or without MFA. This example connects to Exchange Online PowerShell in a Microsoft 365 or Microsoft 365 GCC organization.
Please note that if you are using Office 365 in Germany, China, or US Gov High/DoD, then you need to set the appropriate “-ExchangeEnvironmentName” parameter to specify the Exchange Online environment as documented here.
Connect-ExchangeOnline -UserPrincipalName username@domain.comOnce connected, we need to remove the alias of the primary account by running the following command:
Set-Mailbox username@domain.com -Emailaddresses @{remove="smtpaddress@domain.com"} -ForceLast but not least, remove the license for the first user and then wait a bit before you assign it to the second user.
Next, wait until the warning message is gone for the second user; this will take around 5 minutes to sync. Exchange: The execution of cmdlet Set-SyncMailbox failed. Cloud property value in AAD is different from the value in EXO. You can verify that the sync is completed under the account name of the second user in the Microsoft 365 admin center.
Finally, you can now add the primary email address of the first user to the second user as an additional email address type in the Exchange admin center portal (Manage email address types), or you can use the following PowerShell command to add it:
Set-Mailbox username@domain.com -EmailAddresses @{add="smtpaddress@domain.com"}Hope this helps someone out there!
In Summary
In this quick guide, we showed how to remove the SMTP proxy address attribute for a user in Microsoft Entra ID (Azure AD) in the Microsoft 365 admin center and PowerShell and then resolved the sync issue between Exchange Online and Entra ID.
A primary email address in Microsoft 365 is usually the email address a user was assigned when their account was created. When the user sends an email to someone else, their primary email address typically appears in the From field in email apps. Users can also have more than one email address associated with their Microsoft 365 business account. These additional addresses are called aliases.
More details about the Exchange Online PowerShell V2 module on Microsoft documentation.
Add or remove email addresses for a mailbox in Exchange Online on Microsoft documentation.
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
Now tell us how to do it without re-licensing the user that is cloud only.
When you are removing the domain for a migration and you have say a hundred unlicensed users, and only ten licenses.
The IM address becomes corrupt and need to remove or change the sip proxy address.
Hello John, when you’re removing a domain for migration and have unlicensed users who are cloud-only, there are a few steps you can take to handle this situation without re-licensing those users:
1) Identify Cloud-Only Users: First, identify the users who are cloud-only and do not have any on-premises licenses assigned to them.
2) Adjust User Attributes: Since you’re removing the domain for migration, the IM address (SIP proxy address) may become corrupt for these users. To address this, you can adjust the user attributes directly in Microsoft Entra ID using PowerShell or the Azure portal / Microsoft Entra admin center Portal.
3) PowerShell: You can use the following PowerShell script to modify the SIP proxy addresses for these cloud-only users. Here’s a general outline of how you can approach this:
4) Microsoft Entra admin center Portal: Alternatively, you can manually update the SIP proxy address for each user in the portal. Navigate to the user’s profile, locate the proxy address attribute, and edit it accordingly.
5) Verify Changes: After making the necessary changes, verify that the SIP proxy addresses have been updated correctly for each user.
As a side note, starting March 30, 2024, Microsoft will deprecate the Azure AD PowerShell module(s). After this date, the only support offered for these PowerShell modules will be support in migrating to Microsoft Graph PowerShell SDK. Only security fixes will be offered for these PowerShell modules after deprecation is announced. Once these modules are deprecated, they will continue to work for a minimum of six (6) months before being retired.
Hope it helps!