AD Connect attribute-based filter on proxyaddresses

I would like to create an attribute-based filter. The goal is to only synchronize users with a proxyaddresses ending with, and


However, after reviewing the documentation from the link below, I am left with more questions.


I was thinking about implementing a "positive filter"


The section for "positive filter" states that we must, "override the default filter in the out-of-box rule In from AD - User Join"


After examining the default rule "In from AD - User Join" that rule has a link type set to Provision.

However, the example states to set the link type to join. That default rule appears to filter out critical system objects and a few other accounts so I want to make sure I don't mess things up.


I'm not sure if I should just leave this rule in place and create rules with a lower precedence, duplicate, disable the original rule, follow the instructions and change the link type, or do something else completely.


Seems like it might be something fairly common to do, filter based on the proxyaddresses attribute, but I can't seem to find much on this topic.


Anyone have any ideas?


Hi @notmynamehere,


You should be able to add them in on user join rule.






You don't need to add the tenant suffix to the filter.


Hope this helps,




I tried this, however, it doesn't appear to filter correctly.


Doing this appears to remove all accounts.


Hi again @notmynamehere,


You have to create two SEPARATE rules for those two different suffixes. And you can add even more rules if needed.






My apologies if I didn't explain myself enough.


Hopefully this helps,