How to hide users from GAL if they are AD Connect synchronized

How to hide and un-hide users from Global Address List (GAL) in Exchange Online if they are AD Connect synchronized

Hiding User from GAL isn't possible if those are synchronized form On-Premises Active Directory. The local AD is the leading system for all important attributes, like SMTP, UPN and hiding from GAL.

Especially during a cross-tenant migration, you do not want to see not migrated user in the GAL. Those User aren't actively working until their cut-over day.

Since the Exchange Online attribute msExchHideFromAddressLists is an AD on-premises parameter, we have two possible ways hiding user in BME from GAL. 

  • Modify the AD Connect for your teant with a custom rule, by using a extensionAttribute to set the HidefromGAL. In this rule, for users which have an entry in the extensionAttribute, hiding / un-hiding will be controlled by AD Connect
    This is the best option for Cross-Tenant Migration, if you run 2 or more AD Connect system
  • We direct modify the AD hide attribute in AD 
    This option isn't the best for cross-tenant migrations

I would recommend the first option. 

Modifying the AD Connect Role:

Open Synchronization Rules Editor:

Create a new Rule (INBOUND)

Enter the following for the description:

Name: Hide user from GAL
If msDS-CloudExtensionAttribute1 attribute is set to HideFromGAL, hide from Exchange Online GAL
Connected System: 
Your Active Directory Domain Name
Connected System Object Type: 
Metaverse Object Type: 
Link Type: 
50 (this can be any number less than 100.  Just make sure you don't duplicate numbers if you have other custom rules or you'll receive a dead-lock error from SQL Server)

Click Next > on Scoping filter and Join rules, those can remain blank

Enter the following Transformation page, click the Add transformation button, fill out the form with the values below, and then click Add
Target Attribute: 


Now perform an initial sync

Start-ADSyncSyncCycle -PolicyType Initial

Hide the user from AD by setting the attribute

Select the Attributes Editor tab, find msDS-cloudExtensionAttribute1, and enter the value HideFromGAL 
(Note: The valude must be exactly the same as defined in the AD Connect Rule, case sensitive), click OK and OK to close out of the editor. 

Continue with a AD Connect DELTA Sync:

Start-ADSyncSycnCycle -PolicyType Delta

Continue with the Export from and verify the Update. There must be a count of min. 1, the user where the Attribute was changed

Select the user account that is listed and click Properties.  On the Connector Space Object Properties, you should see Azure AD Connect triggered an add to Azure AD to set msExchHideFromAddressLists set to true


Un-Hide the User from GAL via Script:

Un-hiding users is the reverse process, by removing (clear) the extAttrib msDS-cloudExtensionAttribute1.
This can be achieved by removing it for individual user or via a simple script in bulk.

### Script (TP) Hide/ Un-Hide User from GAL ###
###  Version 1.0 - Set FILTER in AD Connect  ###

### Update the msDS-cloudExtensionAttribute - HIDE FROM GAL###
### Set-ADUser -Identity "Maria.Clara" -Replace @{'msDS-cloudExtensionAttribute1'="HideFromGAL"}

### Clear the msDS-cloudExtensionAttribute - Unhide from GAL ###
### Set-ADUser -Identity "Maria.Clara" -Clear "msDS-cloudExtensionAttribute1"

### read user list as SAM / Identity ###
### first line in csv: Identity
### followed by SAM Account Name (CR)
$csv = Import-CSV C:\Temp\aduser.csv

$csv | % {

     Set-ADUser -Identity $_.Identity -Clear "msDS-cloudExtensionAttribute1"


Popular posts from this blog

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

MFA with Guest Access and different tenants settings