Microsoft 365: Hide users from GAL when using Entra Connect

When you use Entra Connect to sync AD users with Entra ID/M365, user account management is primarily handled through on-premises Active Directory. If you log in to Exchange Online and attempt to hide a user from address lists by checking the Hide from address lists option and then clicking Save, you’ll get the error message below:

The operation on mailbox “<username>” failed because it’s out of the current user’s write scope. The action ‘Set-Mailbox’, ‘HiddenFromAddressListsEnabled’, can’t be performed on the object ‘<username>’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.


Since the error suggests performing this action in on-premises Active Directory, we’ll need to use it to hide the user from the Global Address List (GAL). To do this, we will update the msExchHideFromAddressLists attribute on the user object and set its value to True. You can use either ADSIEdit or PowerShell to set this value.

1. Update msExchHideFromAddressLists using ADSIEdit

You can hide a user from the GAL by setting the msExchHideFromAddressLists attribute on the user account with ADSIEdit or, as in the steps below, with the Attribute Editor tab in Active Directory Users and Computers (both expose the same attribute).

  1. Open Active Directory Users and Computers on a domain controller.
  2. Click View > Enable Advanced Features.
  3. Search for the user you want to hide from the GAL > Right-click the user > Select Properties > Attribute Editor > Search for the msExchHideFromAddressLists attribute > Change it to True and click OK twice to save the value.
  4. Open a PowerShell console on the Entra Connect server and run the command below to initiate a delta sync with Entra ID.
Start-ADSyncSyncCycle -PolicyType Delta

2. Update msExchHideFromAddressLists using PowerShell

You can hide a user from the GAL by setting the msExchHideFromAddressLists attribute on the user account with PowerShell. Let’s check the steps:

2.1 For One user account

To set the msExchHideFromAddressLists user attribute to True for one user account, use the command below:

Set-ADUser -identity <user> -Replace @{msExchHideFromAddressLists=$true}

-Identity parameter: You can identify a user by its distinguished name, GUID, security identifier (SID), or Security Account Manager (SAM) account name.

2.2 For All User Accounts in a Particular OU

To set the msExchHideFromAddressLists user attribute to True for all user accounts in a particular OU, use the command below. -Replace is used instead of -Add because -Add fails on a single-valued attribute that already holds a value (for example, a user who was previously hidden and then unhidden):

Get-ADUser -SearchBase "<OU Distinguished Name>" -Filter * | Set-ADUser -Replace @{msExchHideFromAddressLists=$true}

OU Distinguished Name: You can get the OU distinguished name for any OU by right-clicking the OU > Properties > Attribute Editor > Search for distinguishedName Attribute and copy that value. This is the OU distinguished name.
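The following script ties sections 2.1 and 2.2 together with the checks a practitioner would want before and after the change. It is an added example, not code from the original post: it confirms that the Exchange attribute exists in the AD schema (it is absent in a forest that never had on-premises Exchange), sets msExchHideFromAddressLists for one user or for every user in an OU with -Replace, reads the attribute back, and then triggers the delta sync. The function names (Test-ExchangeSchemaAttribute, Set-GalHidden, Get-GalHiddenState), the user 'jdoe' and the OU 'OU=Contractors,DC=example,DC=com' are placeholders; the ActiveDirectory and ADSync modules are assumed to be installed where the script runs.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is available, and that the final step runs on the Entra Connect server where
# the ADSync module is installed.
Import-Module ActiveDirectory

# The attribute only exists after the AD schema has been extended for Exchange.
# Check for it first so the script fails with a clear message instead of a
# cryptic Set-ADUser error.
function Test-ExchangeSchemaAttribute {
    param([string]$AttributeName = 'msExchHideFromAddressLists')
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))"
    return [bool]$attr
}

# Set msExchHideFromAddressLists on each user received from the pipeline.
# -Replace (not -Add) so it also works when the attribute already has a value.
# SupportsShouldProcess gives us -WhatIf for a dry run over a whole OU.
function Set-GalHidden {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADUser]$User,
        [bool]$Hidden = $true
    )
    process {
        if ($PSCmdlet.ShouldProcess($User.DistinguishedName, "Set msExchHideFromAddressLists=$Hidden")) {
            Set-ADUser -Identity $User -Replace @{ msExchHideFromAddressLists = $Hidden }
        }
    }
}

# Read the attribute back so the on-prem value can be checked before syncing.
function Get-GalHiddenState {
    param([Parameter(Mandatory, ValueFromPipeline)]$Identity)
    process {
        Get-ADUser -Identity $Identity -Properties msExchHideFromAddressLists |
            Select-Object SamAccountName,
                @{ n = 'HiddenFromGAL'; e = { [bool]$_.msExchHideFromAddressLists } }
    }
}

if (-not (Test-ExchangeSchemaAttribute)) {
    throw 'msExchHideFromAddressLists is not in the AD schema; extend the schema for Exchange first.'
}

# --- Section 2.1: one user (placeholder SAM account name) ---
Get-ADUser -Identity 'jdoe' | Set-GalHidden
Get-GalHiddenState -Identity 'jdoe'

# --- Section 2.2: every user in one OU (placeholder distinguished name) ---
$ou = 'OU=Contractors,DC=example,DC=com'
Get-ADUser -SearchBase $ou -Filter * | Set-GalHidden -WhatIf   # preview what would change
Get-ADUser -SearchBase $ou -Filter * | Set-GalHidden
Get-ADUser -SearchBase $ou -Filter * | Get-GalHiddenState

# Push the change to Entra ID / Exchange Online with a delta sync
# (run this part on the Entra Connect server).
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Once the sync cycle has completed, the cloud side can be verified from an Exchange Online session with Get-Mailbox, checking the HiddenFromAddressListsEnabled property the error message in the post refers to; if it still reads False, the attribute is either not flowing (schema or sync rule) or the sync has not finished yet.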

2 thoughts on “Microsoft 365: Hide users from GAL when using Entra Connect”

  1. I was reading one of your other comments and noticed this write-up as another to read. I always look at these as they are typically missing/assume a fundamental requirement for this to work.

    Your AD Schema has to be extended to include MS Exchange Attributes. If you have never had an on-premises MS Exchange server in your Domain, your AD Schema will be missing this and several other attributes that might be needed.

    Here is a good and helpful SpiceWorks thread (not my favorite, but this one covers it well) from a while back. Nothing has changed and the command and work is the same.
