How to hide users from GAL if they are AD Connect synchronized

How to hide and un-hide users from Global Address List (GAL) in Exchange Online if they are AD Connect synchronized

Hiding a user from the GAL directly in Exchange Online is not possible if the user is synchronized from on-premises Active Directory. The local AD is the authoritative system for all important attributes, such as SMTP addresses, UPN and the hide-from-GAL flag.

Especially during a cross-tenant migration, you do not want not-yet-migrated users to appear in the GAL. Those users are not actively working in the target tenant until their cut-over day.

Since the Exchange Online attribute msExchHideFromAddressLists is sourced from the on-premises AD, we have two possible ways of hiding users in BME from the GAL:

  • Modify the AD Connect for your tenant with a custom rule that uses an extensionAttribute to set the hide-from-GAL flag. With this rule, hiding / un-hiding is controlled by AD Connect for every user that has a value in the extensionAttribute.
    This is the best option for a cross-tenant migration, especially if you run 2 or more AD Connect systems.
  • Modify the hide attribute directly in AD.
    This option is not the best for cross-tenant migrations.

I would recommend the first option. 


Modifying the AD Connect Rule:

Open the Synchronization Rules Editor.

Create a new Rule (INBOUND).
Enter the following for the description:

Name: Hide user from GAL
Description: If msDS-CloudExtensionAttribute1 attribute is set to HideFromGAL, hide from Exchange Online GAL
Connected System: Your Active Directory Domain Name
Connected System Object Type: user
Metaverse Object Type: person
Link Type: Join
Precedence: 50 (this can be any number less than 100. Just make sure you don't duplicate numbers if you have other custom rules or you'll receive a dead-lock error from SQL Server)


Click Next > on the Scoping filter and Join rules pages; those can remain blank.

On the Transformation page, click the Add transformation button, fill out the form with the values below, and then click Add:

FlowType: Expression
Target Attribute: msExchHideFromAddressLists
Source:

IIF(IsPresent([msDS-cloudExtensionAttribute1]),IIF([msDS-cloudExtensionAttribute1]="HideFromGAL",True,False),NULL)

With this expression a user whose attribute holds exactly HideFromGAL gets msExchHideFromAddressLists = True, a user with any other value gets False, and a user without the attribute is left untouched (NULL), so the rule does not override anything for users you never tagged.


Now perform an initial sync

Start-ADSyncSyncCycle -PolicyType Initial


Hide the user from the GAL by setting the attribute in AD:

Open the user in Active Directory Users and Computers, select the Attribute Editor tab, find msDS-cloudExtensionAttribute1, and enter the value HideFromGAL
(Note: the value must be exactly the same as defined in the AD Connect rule; it is case sensitive), then click OK and OK to close the editor.


Continue with an AD Connect DELTA sync:

Start-ADSyncSyncCycle -PolicyType Delta


Continue with the Export from CUSTOMEDOMAIN.onmicrosoft.com and verify the update. There must be a count of at least 1: the user whose attribute was changed.


Select the user account that is listed and click Properties. On the Connector Space Object Properties, you should see that Azure AD Connect triggered an add to Azure AD setting msExchHideFromAddressLists to true.


Un-Hide the User from GAL via Script:

Un-hiding users is the reverse process: remove (clear) the extension attribute msDS-cloudExtensionAttribute1.
This can be done for an individual user or in bulk via a simple script.

### Script (TP) Hide/ Un-Hide User from GAL ###
###  Version 1.0 - Set FILTER in AD Connect  ###

### Update the msDS-cloudExtensionAttribute - HIDE FROM GAL ###
### Set-ADUser -Identity "Maria.Clara" -Replace @{'msDS-cloudExtensionAttribute1'="HideFromGAL"}

### Clear the msDS-cloudExtensionAttribute - Unhide from GAL ###
### Set-ADUser -Identity "Maria.Clara" -Clear "msDS-cloudExtensionAttribute1"

### Read user list as SAM / Identity ###
### First line in the CSV: Identity
### followed by one sAMAccountName per line
$csv = Import-Csv C:\Temp\aduser.csv

### Clear the attribute for every listed user (un-hide) ###
$csv | ForEach-Object {
    Set-ADUser -Identity $_.Identity -Clear "msDS-cloudExtensionAttribute1"
}
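As an added example (not part of the original post), the following script drives both hiding and un-hiding from one CSV, warns when the attribute value does not exactly match the case-sensitive HideFromGAL used in the sync rule, and compares the AD state against the mailbox's HiddenFromAddressListsEnabled in Exchange Online so you can see which users are still waiting for the delta sync. It assumes the ActiveDirectory and ExchangeOnlineManagement modules are loaded, Connect-ExchangeOnline has already run, and the CSV path and column names shown are your own choice.

```powershell
# Added example, not from the original post. Sample CSV (constructed):
#   Identity,Action
#   maria.clara,Hide
#   john.doe,Unhide
param(
    [string]$CsvPath = 'C:\Temp\aduser.csv',   # assumed path
    [switch]$VerifyOnly                        # only compare, change nothing
)

$HideValue = 'HideFromGAL'                  # must match the sync rule exactly (case sensitive)
$Attr      = 'msDS-cloudExtensionAttribute1'

foreach ($row in (Import-Csv -Path $CsvPath)) {
    if ($row.Action -notin @('Hide', 'Unhide')) {
        Write-Warning "$($row.Identity): unknown action '$($row.Action)', skipped"
        continue
    }
    if (-not $VerifyOnly) {
        switch ($row.Action) {
            'Hide'   { Set-ADUser -Identity $row.Identity -Replace @{ $Attr = $HideValue } }
            'Unhide' { Set-ADUser -Identity $row.Identity -Clear $Attr }
        }
    }
    # Re-read the user so the report shows the value AD Connect will actually pick up.
    $user = Get-ADUser -Identity $row.Identity -Properties $Attr, UserPrincipalName

    # The rule hides only on an exact match; 'hidefromgal' or a typo flows False.
    $expectedHidden = ($user.$Attr -ceq $HideValue)
    if ($null -ne $user.$Attr -and -not $expectedHidden) {
        Write-Warning "$($row.Identity): $Attr is '$($user.$Attr)', not '$HideValue' (case sensitive); user will NOT be hidden"
    }

    $mbx = Get-Mailbox -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue
    if ($null -eq $mbx) {
        Write-Warning "$($row.Identity): no Exchange Online mailbox found for $($user.UserPrincipalName)"
        continue
    }
    # InSync = $false means the delta sync / export has not reached EXO yet (or the value is wrong).
    [pscustomobject]@{
        Identity       = $row.Identity
        ADValue        = $user.$Attr
        ExpectedHidden = $expectedHidden
        EXOHidden      = $mbx.HiddenFromAddressListsEnabled
        InSync         = ($expectedHidden -eq $mbx.HiddenFromAddressListsEnabled)
    }
}
```

Run it once with -VerifyOnly after Start-ADSyncSyncCycle -PolicyType Delta has finished and the export is done; any row with InSync = False still needs attention.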
