Forum Discussion

JMSHW0420's avatar
JMSHW0420
Iron Contributor
Sep 17, 2025

How to update the proxyAddresses of a Cloud-only Entra ID user

I currently have a client with an Entra ID user (not migrated from on-premises) that is cloud-based, but has proxyAddresses values assigned.

Now, I want to update the proxyAddresses through the Graph Explorer and have used this link as a guide: https://learn.microsoft.com/en-us/answers/questions/2280046/entra-connect-sync-blocking-user-creation-due-to-h.

Now this guide is suggesting you can use the BETA model and this URL format...

  • https://graph.microsoft.com/beta/users/%USERGUID%

It states you can use that URL to do both 'GET' and 'PATCH' queries - the PATCH query being the one that will change the settings. You have to put forth a body for the proxyAddresses property in the PATCH query, which represents all of the addresses you want the user to utilise as proxy addresses.

Now the GET query works...

The PATCH query does not...

Screenshot provided:

Now, regarding the error message, I have applied ALL possible permissions in the 'Modify Permissions' tab. It is still erroring,

Now I cannot use Exchange Online PowerShell, as the user does not have a mailbox!

Aside from potentially using a license for Exchange Online or provisioning a mailbox for the user, and making the necessary changes, would the only other option be to delete/recreate the user?

1 Reply

  • Even though the Graph API allows you to read the proxyAddresses property via GET, modifying it with PATCH often fails for cloud-only users without Exchange Online. This is because:

    • The proxyAddresses attribute is tightly coupled with Exchange Online.
    • Without a mailbox, the backend doesn’t expose full write access to that attribute, even via Graph

     

    Option 1: Provision an Exchange Online License

    Assign the user an Exchange Online license, which will provision a mailbox. Once that's done, you'll be able to manage proxyAddresses using Exchange Online PowerShell or Graph API. This gives you full control over mail-related attributes, but it does come with licensing costs and setup time.

    Option 2: Recreate the User

    Delete and recreate the user with the correct proxyAddresses values from the start. This ensures a clean configuration, but it can be risky, you might lose group memberships, app assignments, and audit history unless you carefully reassign everything.

Resources