Friday, August 19, 2011

Provisioning mailboxes to Exchange 2010 using FIM 2010 (and the proxyAddresses issue)


When you are using FIM (Forefront Identity Manager) to provision mailboxes to Exchange (in my case Exchange 2010) and would like FIM to generate the e-mail address and the additional proxyAddresses (aliases), you will run into an issue!

FIM 2010 is perfectly capable of generating unique e-mail addresses and filling the multi-valued attribute proxyAddresses with all additional aliases you might want. When you look at the contents of the attribute proxyAddresses in Active Directory you could see something like this (the values carry no space after the colon):

SMTP:firstname.lastname@domain.com
smtp:<first letter of firstname>.lastname@domain.com
smtp:lastname@domain.com

The fact that the first line has the SMTP prefix in capitals means that this is the primary SMTP address, i.e. the default reply address; the lower-case smtp: entries are secondary aliases. There must be exactly one upper-case SMTP: value per recipient.

As you might know, Exchange 2010 has a default e-mail address policy called "Default Policy". It contains a template like %m@domain.com (where %m is the Exchange alias). This policy cannot be removed or disabled.

Question: What happens when we provision a mailbox to Exchange 2010 using FIM 2010 and flow the attribute with the content provided earlier (the three smtp addresses)?

Answer: The mailbox will be created, however because the default e-mail address policy runs, the primary e-mail address (SMTP) will be reset to %m@domain.com! In addition, FIM will return an error stating "exported-change-not-reimported": on the next import the value FIM finds in AD no longer matches the value it exported, because Exchange rewrote it.

The obvious solution would be to disable the "Automatically update e-mail addresses based on e-mail address policy" option on the mailbox. You could of course do this with PowerShell (Set-Mailbox -EmailAddressPolicyEnabled $false). However, you can only do this after the mailbox is created. Within FIM, this would mean customization (a workflow or extension) to be able to set the option on the mailbox, and you would then have to perform the export again to set the correct proxyAddresses.
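The two-step fix from the Exchange Management Shell, written out as an added example (this is not code from the original post). It assumes the Exchange 2010 cmdlets and the ActiveDirectory module are loaded; the account name jdoe, the address list and the domain are hypothetical sample values. The uniqueness check before the write is the part a FIM rule usually has to provide itself: proxyAddresses must be unique forest-wide, and AD matches this attribute case-insensitively, so the filter also catches an existing SMTP:/smtp: variant of the same address.

```powershell
# Added example, not part of the original post. Assumes Exchange 2010 cmdlets
# and the ActiveDirectory module are loaded. $Identity and $Addresses are
# hypothetical sample values.
Import-Module ActiveDirectory

$Identity  = 'jdoe'                                   # hypothetical sAMAccountName
$Addresses = @(                                       # first entry becomes the primary
    'firstname.lastname@domain.com',
    'f.lastname@domain.com',
    'lastname@domain.com'
)

# Build the proxyAddresses values: exactly one upper-case SMTP: (primary reply
# address), every further address as a lower-case smtp: secondary alias.
$proxy = @("SMTP:$($Addresses[0])") +
         ($Addresses | Select-Object -Skip 1 | ForEach-Object { "smtp:$_" })

# Uniqueness check: refuse to write an address that any other object already
# carries. proxyAddresses is a Unicode string attribute, matched case-insensitively.
foreach ($addr in $Addresses) {
    $filter = "(&(proxyAddresses=smtp:$addr)(!(sAMAccountName=$Identity)))"
    $clash  = Get-ADObject -LDAPFilter $filter -Properties sAMAccountName
    if ($clash) {
        throw "Address $addr is already used by $($clash.DistinguishedName)"
    }
}

# Step 1: stop the default e-mail address policy from rewriting the addresses.
# This is what writes {26491cfc-9e50-4857-861b-0cb8df22b5d7} into msExchPoliciesExcluded.
Set-Mailbox -Identity $Identity -EmailAddressPolicyEnabled $false

# Step 2: only now do the addresses stick. Passing the full list replaces what the
# policy wrote at mailbox creation.
Set-Mailbox -Identity $Identity -EmailAddresses $proxy

# Show the result.
Get-Mailbox -Identity $Identity |
    Select-Object PrimarySmtpAddress, EmailAddressPolicyEnabled, EmailAddresses
```

Run it once per mailbox after the FIM export has created the object; step 2 fails if step 1 is skipped, because the policy re-applies and the primary reverts to the %m@domain.com form.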

There is a way to solve this within one single flow. The Active Directory attribute msExchPoliciesExcluded on the user object (a multi-valued string attribute) records whether or not the "Automatically update e-mail addresses based on e-mail address policy" option is selected on the mailbox. If the option is selected, this attribute is empty; when it is not selected, it contains the value {26491cfc-9e50-4857-861b-0cb8df22b5d7}, which Exchange treats as "excluded from all e-mail address policies".

You might have guessed the solution by now: I simply flow the string "{26491cfc-9e50-4857-861b-0cb8df22b5d7}" to the attribute msExchPoliciesExcluded during the creation of the mailbox. By doing so the option is not selected, the Exchange e-mail address policy is not executed for this user, and the proxyAddresses I configured (within the same flow) are set correctly, so the re-import matches and the "exported-change-not-reimported" error does not occur. This is done with code-less provisioning within the existing synchronization rule! See screenshot below.
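An audit script to confirm that the single-flow result actually landed in AD, as an added example that is not part of the original post or of any FIM rule. It assumes the ActiveDirectory module; the OU path and the primary-address convention (firstname.lastname@domain.com, as in the post) are hypothetical. It reads the raw attributes rather than the Exchange view, so it works without the Exchange cmdlets and reports every mailbox-enabled user whose policy override is missing, whose primary was rewritten, or whose mail attribute disagrees with the primary SMTP address.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module; $SearchBase and the expected-primary convention are hypothetical.
Import-Module ActiveDirectory

$PolicyExcludedGuid = '{26491cfc-9e50-4857-861b-0cb8df22b5d7}'   # "excluded from all e-mail address policies"
$SearchBase         = 'OU=Users,DC=domain,DC=com'                # hypothetical OU that FIM provisions into

# Convention used in the post: primary SMTP address = firstname.lastname@domain.com
function Get-ExpectedPrimary($user) {
    "$($user.GivenName).$($user.Surname)@domain.com".ToLower()
}

# Mailbox-enabled users are the ones carrying msExchMailboxGuid.
Get-ADUser -SearchBase $SearchBase -Filter 'msExchMailboxGuid -like "*"' `
           -Properties proxyAddresses, msExchPoliciesExcluded, mail, GivenName, Surname |
ForEach-Object {
    $u        = $_
    # Case-sensitive match: only the upper-case SMTP: entry is the primary.
    $primary  = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    $expected = Get-ExpectedPrimary $u
    $problems = @()

    if (@($u.msExchPoliciesExcluded) -notcontains $PolicyExcludedGuid) {
        $problems += 'policy override missing (msExchPoliciesExcluded lacks the exclusion GUID)'
    }
    if ($primary.Count -ne 1) {
        $problems += "expected exactly one SMTP: entry, found $($primary.Count)"
    }
    elseif ($primary[0].Substring(5) -ne $expected) {
        $problems += "primary is $($primary[0].Substring(5)), expected $expected (policy may have rewritten it)"
    }
    if ($primary.Count -eq 1 -and $u.mail -and $u.mail -ne $primary[0].Substring(5)) {
        $problems += "mail attribute ($($u.mail)) does not match the primary SMTP address"
    }

    [pscustomobject]@{
        User     = $u.SamAccountName
        Primary  = $(if ($primary.Count) { $primary[0].Substring(5) } else { $null })
        Problems = ($problems -join '; ')
    }
} | Where-Object { $_.Problems } | Format-Table -AutoSize
```

Run it after each FIM export run; an empty result means every mailbox in the OU has the exclusion GUID, exactly one primary, and the primary FIM generated. A hit on "policy may have rewritten it" for a user without the GUID is exactly the symptom described above.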

1 comment:

  1. Hi Freek,
    Can FIM generate\update the primary SMTP address and proxy addresses based on a connected data source?

    Is the above possible without classic sync rules?

    Thanks