
Managing SharePoint 2013 with PowerShell: Working with Alternate Access Mappings

SharePoint gives you many options for presenting your SharePoint resources to your users. Whether connections come from the internal network or from across the Internet, you can fine-tune the way people connect to your SharePoint sites. The feature that lets people connect to your sites in multiple ways is Alternate Access Mappings (AAM). This article shows you how to manage Alternate Access Mappings in SharePoint 2013 using PowerShell.

(Editor’s note: Be sure to check out our previous articles, “Managing SharePoint 2013 with PowerShell: Creating a Search Application” and “Managing SharePoint 2013 with PowerShell: Working with Timer Jobs.”)

Alternate Access Mappings (AAM): Introduction

Each web application in SharePoint can be presented with up to five public URLs. For instance, you might have allowed both “intranet.local” and “” to make connections to your SharePoint 2013 portal. The public URLs are the URLs that SharePoint displays in links. Each public URL must be assigned to one of the five available zones. You must have a public URL assigned to the zone titled “Default,” but the other zones are just friendly labels that you can use in whatever fashion makes sense to you and your organization. The other zones are “Internet,” “Intranet,” “Extranet,” and “Custom.” Tip: You can remember public URLs as the addresses that SharePoint displays to users.

Each public URL has at least one internal URL that corresponds to it. The internal URLs are the addresses that SharePoint 2013 accepts and that are bound to the SharePoint web application in IIS. Note that only the default zone URL that you supply when you create the web application is added to the IIS bindings for the site. For any other alternate access mapping you create, you have to add the binding to the site's bindings list in IIS.


By default, when you create a public URL it also creates an internal URL in the same zone. This is great because it bridges the connection that you assume will be there. With both an internal and public URL for “hr.intranet.local” in the same zone, a user can type in hr.intranet.local to get to their SharePoint 2013 site, and SharePoint will recognize it as an internal URL. Then, since it’s recognized as an internal URL, SharePoint displays the public URL registered to the same zone back to the user in the address bar and in the links displayed on the SharePoint sites.

And since you can have multiple internal URLs pointed to the same public URL, you can work some magic with changing the results that people type in. This can be very helpful for teaching your users that they don’t have to type in the FQDN for the SharePoint site or for enforcing HTTPS on a SharePoint web application.

Managing Alternate Access Mappings in SharePoint 2013 with PowerShell

You can use PowerShell to manage all aspects of your Alternate Access Mappings in SharePoint 2013. You can use the following cmdlets to control your internal and public URLs: Get-SPAlternateURL, New-SPAlternateURL, Set-SPAlternateURL, and Remove-SPAlternateURL.

List Alternate Access Mappings with PowerShell

Using the Get-SPAlternateURL cmdlet, you can find the existing AAM settings for a web application.


You can also limit the results by zone, web application, or a mapped external resource through the use of the zone, webapplication, and resource parameters. The zone parameter can be used by itself or with either the webapplication or resource parameter, but the webapplication and resource parameters cannot be used together.

Get-SPAlternateURL -WebApplication "http://portal.intranet.local" -Zone "Default"


Creating a New Alternate Access Mapping with PowerShell

Alternate Access Mappings can be created with the New-SPAlternateURL cmdlet.

As with Get-SPAlternateURL, you can use this command on either web applications or external resources, but not both at the same time. Whether you’re creating your new alternate access mapping for a web application or for an external resource, you have to supply the value for the mandatory URL parameter.

You can also specify the zone for the new AAM with the Zone parameter.

New-SPAlternateURL -WebApplication "http://portal.intranet.local" -URL "https://portal.domain" -Zone "Internet"

If you want to create an internal URL, then you can specify that with the “Internal” switch parameter. If this switch isn’t used, a public URL is created.

New-SPAlternateURL -WebApplication "http://portal.intranet.local" -URL "http://portal.domain" -Zone Internet -Internal
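Once a zone has both an HTTPS public URL and an HTTP internal URL, as in the two commands above, it helps to see which scheme each incoming address is answered with. The following is an added example, not code from the original article: `Test-AamScheme` is a hypothetical helper name, the sample rows are constructed from the URLs used on this page, and the `IncomingUrl` and `PublicUrl` property names are assumed to match what Get-SPAlternateURL emits.

```powershell
# Added example: classify each mapping by the scheme change it causes.
# Test-AamScheme is a hypothetical helper; input objects need IncomingUrl
# and PublicUrl properties (assumed to match Get-SPAlternateURL output).
function Test-AamScheme {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Mapping
    )
    process {
        $in  = [uri]$Mapping.IncomingUrl   # address SharePoint accepts
        $pub = [uri]$Mapping.PublicUrl     # address SharePoint displays in links
        $finding = if ($pub.Scheme -eq 'http' -and $in.Scheme -eq 'https') {
            'Downgrade: HTTPS request is answered with HTTP links'
        } elseif ($pub.Scheme -eq 'http') {
            'Cleartext: public URL is HTTP'
        } elseif ($in.Scheme -eq 'http') {
            'Translated: HTTP request is answered with HTTPS links'
        } else {
            'OK: HTTPS in, HTTPS out'
        }
        [pscustomobject]@{
            IncomingUrl = $Mapping.IncomingUrl
            PublicUrl   = $Mapping.PublicUrl
            Finding     = $finding
        }
    }
}

# Constructed sample rows so the example runs without a farm.
# On a SharePoint server, pipe Get-SPAlternateURL into Test-AamScheme instead.
$sample = @(
    [pscustomobject]@{ IncomingUrl = 'http://portal.intranet.local'; PublicUrl = 'http://portal.intranet.local' }
    [pscustomobject]@{ IncomingUrl = 'https://portal.domain';        PublicUrl = 'https://portal.domain' }
    [pscustomobject]@{ IncomingUrl = 'http://portal.domain';         PublicUrl = 'https://portal.domain' }
    [pscustomobject]@{ IncomingUrl = 'https://hr.intranet.local';    PublicUrl = 'http://hr.intranet.local' }
)
$sample | Test-AamScheme | Format-Table -AutoSize
```

Rows reported as "Translated" are the HTTPS-enforcing pattern described earlier; "Cleartext" and "Downgrade" rows are the ones to review.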

Change an Alternate Access Mapping with PowerShell

One of the main things you might want to change on an AAM is which zone it’s registered in. You can only change the zone of an internal URL. If you want to change a public zone URL, you would just change the URL or remove the mapping.

Changing the zone of an internal URL makes sense because the internal URLs are the mappings that translate between what a user types into their browser and what the URL looks like when it resolves. Changing only the zone of a public URL doesn’t really change anything for us, since the zones are only labels and don’t have any real impact (you can have Internet traffic coming into the Intranet zone and vice-versa).

Change the Zone of an Internal URL

Get-SPAlternateURL "http://staff" | Set-SPAlternateURL -Zone "Custom"

Change the URL of a Public URL

Get-SPAlternateURL "http://mysite.local" | Set-SPAlternateURL -Url "https://mysite.local"

Remove an Alternate Access Mapping with PowerShell

If you realize that you’ve made a mistake with one of your alternate access mapping entries, you can remove it from SharePoint. You can remove the entries with Remove-SPAlternateURL.

Get-SPWebApplication "http://intranet.local" | Get-SPAlternateURL -Zone "Internet" | Remove-SPAlternateURL

If you’re scripting this, it can be helpful to use the -Confirm parameter to prompt before deletion so that you’re aware of what you’re doing. Likewise, if you’re testing your code and want to make sure your script works without actually removing the AAM, you can use the -WhatIf parameter to run through the process without deleting the AAM entry.

Wrapping-Up AAM

Administering SharePoint 2013 means, more and more, learning and embracing PowerShell. Even when working with something like Alternate Access Mappings, which can be managed from Central Administration, you can often get more done more quickly by bypassing Central Administration and performing command-line administration through PowerShell.

If this helped you, let us know in the comments below, or start a conversation with me on Twitter or Facebook.


2 responses to “Managing SharePoint 2013 with PowerShell: Working with Alternate Access Mappings”

  1. Hi

    A good article. I notice you have used HTTP for the internal and external access. I have recommended to my client we use HTTPS throughout. My client has ‘hinted’ they would prefer HTTP for internal (shortened URL) and HTTPS for external (FQDN) access. If I have to go down this path, would this be something I could do using your AAM approach?

  2. Hi Daniel,
    Glad you liked the article.
    Yes, you can use both the shortened URL for internal and the FQDN for external connections.
    In AAM, you’ll want to have two public URLs – Internal(Shortened URL) and FQDN. Which zones you apply them to doesn’t matter from a technical perspective as the zone names are just labels.
    In these examples I’ve shown here, I use Internal URLs to match up with the zones so that whether or not they type in http://shorturl or https://shorturl the results would be the same – SharePoint would move the links presented and the URLs displayed as the HTTPS.
    Thanks for reading and for the great question!
    – Flash
