To hide a user from the Global Address List(GAL) is easy when your Office 365 tenant is not being synced to your on-premise Active Directory, but if you are syncing to Office 365 with any of the following tools:
- Windows Azure Active Directory Sync (DirSync)
- Azure AD Sync (AADSync)
- Azure Active Directory Connect
Then you will be unable to hide a user from using the Office 365 Web Interface or PowerShell. From both interfaces you will get the following error:
The operation on mailbox “Paulie” failed because it’s out of the current user’s write scope. The action
‘Set-Mailbox’, ‘HiddenFromAddressListsEnabled’, can’t be performed on the object ‘Paulie’ because the object
is being synchronized from your on-premises organization. This action should be performed on the object in your
on-premises organization.
From the web interface it will look like this:
How to hide a user from the Global Address List
The active directory property “msExchHideFromAddressLists” property must be set to “true”, here are two ways of changing it:
Using ADSI Edit to hide a user from the Global Address List
You can use ADSI Edit and navigate to your user and modify the property “msExchHideFromAddressLists” and simply change it to true. It is quite easy to do, but long winded and awkward.
Using PowerShell to hide a user from the Global Address List
You can achieve the same result in a single line of PowerShell using the Set-User cmdlet. This is a much faster and less error prone method of doing the same operation.
Here is an example:
Set-ADUser paulie -Replace @{msExchHideFromAddressLists=$true}
and to un-hide the user:
Set-ADUser paulie -Replace @{msExchHideFromAddressLists=$false}
It’s much easier to do in Powershell than ADSI Edit, but either way will work and the next time your AD synchronises with Office 365, the user should be hidden.
msExchHideFromAddressLists property missing from Active Directory?
If you discover that the msExchHideFromAddressLists property does not exist in your local active directory if you have never had a Microsoft Exchange Installed locally:
It is possible to extend the active directory schema to contain the required Exchange attributes without purchasing or installing Microsoft Exchange server. The easiest way to achieve this is to download the evaluation of Exchange Server 2013 and then:
- Extract the contents of the download to a folder of your choice.
- Run “setup.exe /prepareschema /iacceptexchangeserverlicenseterms” as per this screenshot:
- You should now have the msExchHideFromAddressLists active directory property available:
List all users hidden from the GAL
To list all users hidden from the GAL, use this:
Get-ADUser -Filter {msExchHideFromAddressLists -eq "TRUE"} |Select-Object UserPrincipalName
Questions? please ask in the comments section. If you found this post helpful, I’d really appreciate it if you would rate it for me 😀
BladeRunner says
January 18, 2018 at 11:54 pmFor me the issue was msExchHideFromAddressLists attribute was not syncing to Azure AD.
Followed the below to add the rule.
https://social.msdn.microsoft.com/Forums/azure/en-US/8ef659e8-da58-4c5e-acad-2799f4b864c2/msexchhidefromaddresslists-attribute-isnt-syncing-across-to-azure?forum=WindowsAzureAD
Ray says
June 5, 2018 at 4:09 amI can’t hide an O365 user from address list one by one. How to hide them by one time?
achaddad says
August 3, 2018 at 8:00 pmMaybe this will help you out:
https://social.technet.microsoft.com/Forums/WINDOWS/en-US/89b424a2-85fa-4b6b-b3b2-71eae2455556/msexchhidefromaddresslists-azure-ad-synchronisation?forum=onlineservicesexchange&prof=required
Nathan says
August 6, 2018 at 9:47 pmI ran the setup /prepareschema /iacceptexchangeserverlicenseterms, however I do not see the attributes in attribute editor.
Yes, I have filtering turned off for only showing attributes with values.
I can go into the Schema container of ADSIEdit and see the attribute of CN=ms-Exch-Hide-From-Address-lists so I know I successfully extended the schema. What do I need to do to be able to see these attributes in the users Attribute editor?
Yes, all of this was done on the domain controller that is the schema master. Yes I did all this on an account with schema admin, enterprise admin and domain admin rights.
Greg says
August 8, 2018 at 11:05 pmNathan,
My wild guess is that maybe the Filter ‘button’ in the Attribute Editor tab of ADUC is set to “Show only attributes that have values”?
Especially if you never had an on premise Exchange; as you’d not see *any* of ‘ms-exch’ values for a given user.