Hide Azure AD synced users from Global Address Book (GAL) in Office 365

When you use Azure AD Connect to sync users to Azure Active Directory / Office 365, the user accounts are managed from the on-premises Active Directory. Therefore, if you log on to Exchange Online, double-click the mailbox, check the “Hide from address lists” checkbox and click Save, you will get the error message below:

The operation on mailbox “<username>” failed because it’s out of the current user’s write scope. The action ‘Set-Mailbox’, ‘HiddenFromAddressListsEnabled’, can’t be performed on the object ‘<username>’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.


As the error suggests, this action has to be performed in the on-premises Active Directory, so that is where we hide the user from the GAL. To hide a user from the Address Book / GAL, we set the user attribute msExchHideFromAddressLists to True; Azure AD Connect then syncs that value to Azure AD and Exchange Online.

Steps to Hide a user from Global Address Book in Office 365

There are different ways to set the msExchHideFromAddressLists attribute on a user. You can set it through the GUI, or you can use a PowerShell command. Both methods are shown below:

Using GUI Interface to set msExchHideFromAddressLists

  1. Log on to an on-premises Domain Controller -> Open Active Directory Users and Computers.
  2. Click View -> Advanced Features (the Attribute Editor tab is only shown when this is enabled).
  3. Search for the user you want to hide from the GAL / Address Book -> Right-click the user -> Properties -> Attribute Editor -> find the msExchHideFromAddressLists attribute -> set it to True and click OK twice to save the value.
  4. Open a PowerShell console on the Azure AD Connect server and run Start-ADSyncSyncCycle -PolicyType Delta to start a delta sync to Azure AD.

Using PowerShell to set msExchHideFromAddressLists

Set-ADUser -identity <user> -Replace @{msExchHideFromAddressLists=$true}

-Identity parameter: you can identify a user by its distinguished name, GUID, security identifier (SID), or Security Account Manager (SAM) account name.

Using PowerShell to set msExchHideFromAddressLists for all users in an OU

In my case I had all the shared mailboxes moved to one particular OU in Active Directory. Therefore, the requirement was to hide all the shared mailboxes from the GAL. You can use the PowerShell command below, which sets the msExchHideFromAddressLists attribute to True for every user in one particular OU.

Get-ADUser -SearchBase "<OU Distinguished Name>" -Filter * | Set-ADUser -Replace @{msExchHideFromAddressLists=$true}

OU Distinguished Name: you can get the distinguished name of any OU by right-clicking the OU -> Properties -> Attribute Editor -> find the distinguishedName attribute, copy its value and use that value in the PowerShell command. Note that -Replace is used rather than -Add: msExchHideFromAddressLists is single-valued, and -Add fails on a user where the attribute already holds a value, whereas -Replace works whether the attribute is unset or already populated.
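The OU-wide procedure above, written out as an added script that is not from the original post: it skips users that are already hidden, reads the attribute back after writing instead of trusting the write, and then triggers the delta sync. It assumes the ActiveDirectory and ADSync modules are installed on the machine it runs on; the OU distinguished name is a placeholder to replace.

```powershell
# Added example, not the original post's code. Hides every user in one OU from
# the GAL and pushes the change to Azure AD with a delta sync.
Import-Module ActiveDirectory

$OU = 'OU=Shared Mailboxes,DC=example,DC=com'   # placeholder: replace with your OU DN

# Fetch the attribute along with the user so we only touch users that are not already hidden
$users = Get-ADUser -SearchBase $OU -SearchScope Subtree -Filter * `
    -Properties msExchHideFromAddressLists

$changed = @()
foreach ($u in $users) {
    if ($u.msExchHideFromAddressLists -eq $true) {
        Write-Verbose "$($u.SamAccountName) is already hidden, skipping"
        continue
    }
    # -Replace works whether the attribute is unset or already populated;
    # -Add errors on a single-valued attribute that already has a value.
    Set-ADUser -Identity $u.DistinguishedName -Replace @{ msExchHideFromAddressLists = $true }
    $changed += $u.SamAccountName
}

# Verify by reading the attribute back rather than assuming the write succeeded
$stillVisible = Get-ADUser -SearchBase $OU -SearchScope Subtree -Filter * `
    -Properties msExchHideFromAddressLists |
    Where-Object { $_.msExchHideFromAddressLists -ne $true }
if ($stillVisible) {
    Write-Warning ("Still visible in the GAL: " + ($stillVisible.SamAccountName -join ', '))
}
Write-Host "Hidden $($changed.Count) user(s): $($changed -join ', ')"

# Delta sync so the change reaches Azure AD / Exchange Online. This must run on the
# Azure AD Connect server; otherwise the change only syncs on the next scheduled
# cycle (every 30 minutes by default).
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Run it with -Verbose to see which users were skipped because they were already hidden.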

Conclusion

When we use Azure AD Connect to sync users from on-premises Active Directory to Azure Active Directory, the users are managed by the on-premises Active Directory, and all user attributes are controlled from there.

Therefore, to hide a user from the GAL, we need to update the attribute there. If you want to manage users from Azure Active Directory instead, you will need to convert them from AD-synced users to cloud-only users. Once you convert a user, or all users, to cloud-only, you can change user attributes from Azure Active Directory.