It’s easy to hide a user from the Global Address List(GAL) when your Office 365 tenant is not being synced to your on-premise Active Directory, but if you are syncing to Office 365 which with any of the following tools:
- Windows Azure Active Directory Sync (DirSync)
- Azure AD Sync (AADSync)
- Azure Active Directory Connect
Then you will be unable to hide a user from using the Office 365 Web Interface or PowerShell. From both interfaces you will get the following error:
The operation on mailbox “Paulie” failed because it’s out of the current user’s write scope. The action
‘Set-Mailbox’, ‘HiddenFromAddressListsEnabled’, can’t be performed on the object ‘Paulie’ because the object
is being synchronized from your on-premises organization. This action should be performed on the object in your
on-premises organization.
From the web interface it will look like this:
How to hide a user from the Global Address List
So, now that we know that is has to be done on-premise, what needs to be changed and what is the quickest and easiest way to change it?
The active directory property “msExchHideFromAddressLists” property needs to be set to “true” and here are two ways of changing it.
Using ADSI Edit to hide a user from the Global Address List
You can use ADSI Edit and navigate to your user and modify the property “msExchHideFromAddressLists” and simply change it to true. It is quite easy to do, but long winded and awkward.
Using PowerShell to hide a user from the Global Address List
The same operation as above can be achieved in a single line of Powershell using the Set-User cmdlet. This is a much faster and less error prone method of doing the same operation.
Here is an example:
Set-ADUser paulie -Replace @{msExchHideFromAddressLists=$true}
and to un-hide the user:
Set-ADUser paulie -Replace @{msExchHideFromAddressLists=$false}
It’s really much easier to do in Powershell than ADSI Edit, but either way will work and the next time your AD synchronises with Office 365, the user should be hidden.
msExchHideFromAddressLists property missing from Active Directory?
If you discover that the msExchHideFromAddressLists property does not exist in your local active directory if you have never had a Microsoft Exchange Installed locally:
It is possible to extend the active directory schema to contain the required Exchange attributes without purchasing or installing Microsoft Exchange server. The easiest way to achieve this is to download the evaluation of Exchange Server 2013 and then:
- Extract the contents of the download to a folder of your choice.
- Run “setup.exe /prepareschema /iacceptexchangeserverlicenseterms” as per this screenshot:
- You should now have the msExchHideFromAddressLists active directory property available:
To list all users that are hidden from the GAL
Bonus bit of PowerShell – if you want to list all users that are hidden from the GAL, try this:
Get-ADUser -Filter {msExchHideFromAddressLists -eq "TRUE"} |Select-Object UserPrincipalName
For me the issue was msExchHideFromAddressLists attribute was not syncing to Azure AD.
Followed the below to add the rule.
https://social.msdn.microsoft.com/Forums/azure/en-US/8ef659e8-da58-4c5e-acad-2799f4b864c2/msexchhidefromaddresslists-attribute-isnt-syncing-across-to-azure?forum=WindowsAzureAD
I can’t hide an O365 user from address list one by one. How to hide them by one time?
Maybe this will help you out:
https://social.technet.microsoft.com/Forums/WINDOWS/en-US/89b424a2-85fa-4b6b-b3b2-71eae2455556/msexchhidefromaddresslists-azure-ad-synchronisation?forum=onlineservicesexchange&prof=required
I ran the setup /prepareschema /iacceptexchangeserverlicenseterms, however I do not see the attributes in attribute editor.
Yes, I have filtering turned off for only showing attributes with values.
I can go into the Schema container of ADSIEdit and see the attribute of CN=ms-Exch-Hide-From-Address-lists so I know I successfully extended the schema. What do I need to do to be able to see these attributes in the users Attribute editor?
Yes, all of this was done on the domain controller that is the schema master. Yes I did all this on an account with schema admin, enterprise admin and domain admin rights.
Nathan,
My wild guess is that maybe the Filter ‘button’ in the Attribute Editor tab of ADUC is set to “Show only attributes that have values”?
Especially if you never had an on premise Exchange; as you’d not see *any* of ‘ms-exch’ values for a given user.