Tachytelic.net

Office 365: Hide a user from the GAL when using Azure AD Connect

November 15, 2017 by Paulie 14 Comments

Hiding a user from the Global Address List (GAL) is easy when your Office 365 tenant is not being synced to your on-premises Active Directory, but if you are syncing to Office 365 with any of the following tools:

  • Windows Azure Active Directory Sync (DirSync)
  • Azure AD Sync (AADSync)
  • Azure Active Directory Connect

then you will be unable to hide a user using either the Office 365 web interface or PowerShell. From both interfaces you will get the following error:

The operation on mailbox “Paulie” failed because it’s out of the current user’s write scope. The action
‘Set-Mailbox’, ‘HiddenFromAddressListsEnabled’, can’t be performed on the object ‘Paulie’ because the object
is being synchronized from your on-premises organization. This action should be performed on the object in your
on-premises organization.

From the web interface it will look like this:

Unable to hide mailbox from Office 365 when synced to on-premise active directory

How to hide a user from the Global Address List

The Active Directory attribute “msExchHideFromAddressLists” must be set to “true”. Here are two ways of changing it:

Using ADSI Edit to hide a user from the Global Address List

You can use ADSI Edit, navigate to your user, and modify the property “msExchHideFromAddressLists”, changing it to true. It is quite easy to do, but long-winded and awkward.

Using adsiedit to set MsExchHideFromAddressLists to true to hide a user from the Office 365 GAL

Using PowerShell to hide a user from the Global Address List

You can achieve the same result in a single line of PowerShell using the Set-ADUser cmdlet. This is a much faster and less error-prone method of doing the same operation.

Here is an example:

Set-ADUser paulie -Replace @{msExchHideFromAddressLists=$true}

and to un-hide the user:

Set-ADUser paulie -Replace @{msExchHideFromAddressLists=$false}

It’s much easier to do in PowerShell than ADSI Edit, but either way will work, and the next time your AD synchronises with Office 365 the user should be hidden.
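The single-line commands above do the job, but in practice you want to confirm the schema actually has the attribute before writing to it, read the value back so you know what Azure AD Connect will pick up, and be able to apply the change to a whole OU rather than one user at a time. The following function is an added example (it is not code from the original post): it wraps the same Set-ADUser -Replace call, accepts users from the pipeline, and goes beyond the post's single-user case by working on any set of Get-ADUser results. It assumes the ActiveDirectory RSAT module; the account names, the OU path and the optional Start-ADSyncSyncCycle step (only available on the Azure AD Connect server with the ADSync module) are assumptions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT module.
# Hides or unhides AD users from the GAL, checking the schema first and reading the
# value back afterwards so the result can be verified before the next AAD Connect sync.
#Requires -Modules ActiveDirectory

function Set-GalVisibility {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # sAMAccountName, UPN or DN; also binds from piped Get-ADUser objects.
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('SamAccountName')]
        [string]$Identity,
        [switch]$Hidden,       # present = hide, absent = unhide
        [switch]$TriggerSync   # run a delta sync once at the end (ADSync module, assumption)
    )

    begin {
        # The attribute only exists if Exchange was installed or the schema was
        # extended with "setup.exe /prepareschema"; fail early and clearly otherwise.
        $schemaNC = (Get-ADRootDSE).schemaNamingContext
        $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msExchHideFromAddressLists)'
        if (-not $attr) {
            throw 'msExchHideFromAddressLists is not in the AD schema; extend the schema first (setup.exe /prepareschema).'
        }
    }

    process {
        $user   = Get-ADUser -Identity $Identity -Properties msExchHideFromAddressLists
        $before = $user.msExchHideFromAddressLists

        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "msExchHideFromAddressLists = $($Hidden.IsPresent)")) {
            # Same write as the post's one-liners. Writing $false and clearing the attribute
            # (-Clear msExchHideFromAddressLists) both make the user visible again.
            Set-ADUser -Identity $user -Replace @{ msExchHideFromAddressLists = $Hidden.IsPresent }
        }

        # Read back so the caller sees exactly what will be synchronised.
        $after = (Get-ADUser -Identity $user -Properties msExchHideFromAddressLists).msExchHideFromAddressLists

        [pscustomobject]@{
            User   = $user.SamAccountName
            Before = $before
            After  = $after
        }
    }

    end {
        if ($TriggerSync -and (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue)) {
            Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        }
    }
}

# Usage (account and OU names are placeholders):
Set-GalVisibility -Identity 'paulie' -Hidden -WhatIf      # preview only, no write
Set-GalVisibility -Identity 'paulie' -Hidden              # hide one user
Set-GalVisibility -Identity 'paulie'                      # unhide again

# Whole OU in one go (quote the DN; spaces in the OU name are fine inside the string):
Get-ADUser -Filter * -SearchBase 'OU=To be deleted,DC=example,DC=com' |
    Set-GalVisibility -Hidden | Format-Table -AutoSize
```

Run it with -WhatIf first when targeting an OU; the Before/After columns make it obvious if a user was already hidden or if the write did not take. If After shows True but the mailbox is still visible in the tenant after a sync, the attribute itself may not be included in your Azure AD Connect sync rules, which is a separate problem from the on-premises value.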

msExchHideFromAddressLists property missing from Active Directory?

You may discover that the msExchHideFromAddressLists property does not exist in your local Active Directory if you have never had Microsoft Exchange installed locally:

Image of ADSI Edit showing that the msExchHideFromAddressLists Active Directory property is missing

It is possible to extend the Active Directory schema to contain the required Exchange attributes without purchasing or installing Microsoft Exchange Server. The easiest way to achieve this is to download the evaluation of Exchange Server 2013 and then:

  • Extract the contents of the download to a folder of your choice.
  • Run “setup.exe /prepareschema /iacceptexchangeserverlicenseterms” as per this screenshot:
    Screenshot of Extending the AD Schema to include Exchange Attributes
  • You should now have the msExchHideFromAddressLists Active Directory property available:
    msExchHideFromAddressLists property added to active directory by extending schema using Exchange 2013 evaluation

List all users hidden from the GAL

To list all users hidden from the GAL, use this:

Get-ADUser -Filter {msExchHideFromAddressLists -eq "TRUE"} | Select-Object UserPrincipalName
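The one-liner above tells you who is hidden but not since when or from where, which is what you want when auditing a directory where several admins can write this attribute. The function below is an added example (not code from the original post): it runs the same Get-ADUser filter, optionally scoped to an OU, and joins each result with the attribute's replication metadata, which records the originating change time and domain controller for that one attribute (whenChanged is bumped by any attribute and is too coarse). It assumes the ActiveDirectory RSAT module; the OU path and CSV file name are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT module.
# Lists users hidden from the GAL together with when, and on which DC, the
# msExchHideFromAddressLists attribute was last changed.
#Requires -Modules ActiveDirectory

function Get-GalHiddenUser {
    param(
        # OU DN to scope the search to; default is the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # DC whose replication metadata is queried; default is the one this session uses.
        [string]$Server = (Get-ADDomainController).HostName
    )

    # Same filter as the post's one-liner: the boolean is stored as the string TRUE in LDAP.
    $hidden = Get-ADUser -SearchBase $SearchBase -Filter { msExchHideFromAddressLists -eq "TRUE" } `
                         -Properties msExchHideFromAddressLists, mail, whenChanged

    foreach ($u in $hidden) {
        # Per-attribute replication metadata: originating change time and originating DC.
        $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName -Server $Server `
                                                   -Properties msExchHideFromAddressLists

        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Mail              = $u.mail
            Enabled           = $u.Enabled
            OU                = ($u.DistinguishedName -split ',', 2)[1]
            HiddenSince       = $meta.LastOriginatingChangeTime
            ChangedOnDC       = $meta.LastOriginatingChangeDirectoryServerIdentity
            AttributeVersion  = $meta.Version   # how many times the value has been written
        }
    }
}

# Whole domain, on screen:
Get-GalHiddenUser | Sort-Object HiddenSince -Descending | Format-Table -AutoSize

# One OU, exported for the change record (paths are placeholders):
Get-GalHiddenUser -SearchBase 'OU=To be deleted,DC=example,DC=com' |
    Export-Csv .\gal-hidden-users.csv -NoTypeInformation
```

A recent HiddenSince on an enabled account with a live mailbox is worth a second look: hiding a mailbox does not stop it receiving mail, so the audit is also a cheap way to spot users who were hidden by mistake rather than as part of an offboarding.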

Questions? please ask in the comments section. If you found this post helpful, I’d really appreciate it if you would rate it for me 😀

Filed Under: How To, Office 365 Tagged With: Exchange, Office 365, Powershell


Comments

  1. BladeRunner says

    January 18, 2018 at 11:54 pm

    For me the issue was msExchHideFromAddressLists attribute was not syncing to Azure AD.
    Followed the below to add the rule.

    https://social.msdn.microsoft.com/Forums/azure/en-US/8ef659e8-da58-4c5e-acad-2799f4b864c2/msexchhidefromaddresslists-attribute-isnt-syncing-across-to-azure?forum=WindowsAzureAD

  2. Ray says

    June 5, 2018 at 4:09 am

    I can’t hide O365 users from the address list one by one. How to hide them all at one time?

  3. achaddad says

    August 3, 2018 at 8:00 pm

    Maybe this will help you out:

    https://social.technet.microsoft.com/Forums/WINDOWS/en-US/89b424a2-85fa-4b6b-b3b2-71eae2455556/msexchhidefromaddresslists-azure-ad-synchronisation?forum=onlineservicesexchange&prof=required

  4. Nathan says

    August 6, 2018 at 9:47 pm

    I ran the setup /prepareschema /iacceptexchangeserverlicenseterms, however I do not see the attributes in attribute editor.

    Yes, I have filtering turned off for only showing attributes with values.

    I can go into the Schema container of ADSIEdit and see the attribute of CN=ms-Exch-Hide-From-Address-lists so I know I successfully extended the schema. What do I need to do to be able to see these attributes in the users Attribute editor?

    Yes, all of this was done on the domain controller that is the schema master. Yes I did all this on an account with schema admin, enterprise admin and domain admin rights.

  5. Greg says

    August 8, 2018 at 11:05 pm

    Nathan,

    My wild guess is that maybe the Filter ‘button’ in the Attribute Editor tab of ADUC is set to “Show only attributes that have values”?

    Especially if you never had an on premise Exchange; as you’d not see *any* of ‘ms-exch’ values for a given user.

  6. Habibur Rahaman says

    July 4, 2019 at 7:34 pm

    This is very informative. Thanks for sharing this. I have two questions here:

    1. What is the equivalent attribute for this attribute msExchHideFromAddressLists in Azure AD? The purpose of this if we want to verify this attribute in Azure AD after sync

  7. Dhanaswer says

    August 4, 2019 at 4:30 pm

    We’ve Windows 2008 AD on-prem, and are trying to sync with the help of AAD; however the attribute is not showing in AAD. Could you please advise how we can proceed further?

  8. Paulie says

    August 4, 2019 at 11:14 pm

    Did you ever have Exchange on-premise? As discussed in the post you need to extend your AD schema to enable the correct attributes.

  9. Richard says

    January 8, 2020 at 12:37 am

    Very helpful, thanks.

    I’ve tried doing this at the OU level, but am getting stuck. Any help with what command would achieve that for an OU directly under the root, called “To be deleted”? Is the problem caused by having spaces in the OU’s name?

    Thanks, R.

  10. Sowmya says

    June 20, 2020 at 3:04 am

    How to unhide email address from GAL? Currently the msexchangaddress field is set to TRUE. Do I need to make it as ‘FALSE’ or ‘Not Set’

  11. Shabby says

    July 1, 2020 at 10:18 am

    Thank you so much!!

Trackbacks

  1. Office 365: How to change primary email address when using Dirsync,AADSync or Azure Active Directory Connect | gioshio says:
    November 20, 2018 at 10:02 am

    […] have never had Exchange installed locally, as the users will not have these attributes. You can follow the instructions on this page in order to get the attributes enabled for your […]

  2. Office 365:Change Primary Email address of Active Directory User says:
    December 17, 2018 at 11:14 am

    […] you have never had Exchange installed locally, as the users will not have these attributes. You can follow the instructions on this page in order to get the attributes enabled for your […]

  3. Hide users from the global address list – ScribbleGhost says:
    March 11, 2019 at 7:32 pm

    […] https://tachytelic.net/2017/11/office-365-hide-a-user-from-gal-ad-sync/ […]
