When a recipient is synchronized to Azure Active Directory the proxy addresses that are assigned to the recipient are determined by a process called ProxyCalc. The synchronization process stores the on-premises Active Directory values in shadow values within Azure Active Directory. The ProxyCalc process reads the shadow values and calculates the actual proxy address values visible in Azure Active Directory. At the conclusion of this calculation the values are synchronized into the recipient in Exchange Online. The rules for ProxyCalc may be found in the following article: How the proxyAddresses attribute is populated in Azure AD – Active Directory | Microsoft Learn.
I recently worked on an escalation with a customer that presented an interesting scenario involving ProxyCalc. All users who’s user principal name differed from their primary SMTP address also had a secondary SMTP address in Azure Active Directory of the user principal name. Unlike examples contained within the previously cited document the users were fully provisioned with mail, mailNickName, and proxyAddresses submitted through the synchronization process. In addition, the secondary address appeared regardless of the license status of the user. This seems inconsistent with the scenarios outlined in the cited documentation where adding the UPN as a secondary proxy address appears to occur during licensing scenarios.
The remote mailbox is provisioned in the on-premises Active Directory. The user principal name is different from the primary SMTP address and does not appear in the proxy addresses attribute of the recipient.
[PS] C:\>Get-RemoteMailbox UPNTest | fl userPrincipalName,primarySMTPAddress,emailAddresses
UserPrincipalName : UPNTest@domain.net
PrimarySmtpAddress : UPNTest@domain.com
EmailAddresses : {x500:/o=ExchangeLabs/ou=Exchange Administrative Group
(FYDIBOHF23SPDLT)/cn=Recipients/cn=a0b7e9472d3b4f678b47d62d2908575e-f80c3258-a7,
SMTP:UPNTest@domain.com}
When reviewing the properties of the user in Azure Active Directory the proxy addresses show that the user principal name was added as a secondary address.
PS C:\> Get-MsolUser -UserPrincipalName upntest@domain.net | fl userPrincipalName,ProxyAddresses
UserPrincipalName : UPNTest@domain.net
ProxyAddresses : {smtp:UPNTest@domain.net, smtp:UPNTest@domain.onmicrosoft.com, SMTP:UPNTest@domain.com}
This did confirm that the user principal name was added as a secondary proxy regardless of the licensed status of the user <or> the attributes submitted through the directory synchronization process.
This is by design. The user principal name will always appear as a proxy address on mail recipient. The user principal name cannot be removed from the recipient unless the user principal name is changed on-premises. This essentially reserves this from use on any other mail enabled object.