Microsoft 365: Hide users from GAL when using Entra Connect

When you use Entra Connect to sync users with Entra ID or M365, user account management is primarily handled through On-Premise Active Directory. If you log in to Exchange Online and attempt to hide a user from address lists by checking the ‘Hide from address lists‘ option and then click ‘Save‘ you’ll encounter the error message below:

The operation on mailbox “<username>” failed because it’s out of the current user’s write scope. The action ‘Set-Mailbox’, ‘HiddenFromAddressListsEnabled’, can’t be performed on the object ‘<username>’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.


Since the error suggests performing this action in On-Premise Active Directory, we’ll need to use the On-Premise Active Directory to hide the user from the Global Address List (GAL). To do this, we will update a user attribute, ‘msExchHideFromAddressLists,’ and set its value to ‘True‘. Let’s check the options.

Option 1 – Using ADSIEdit

Let’s check how to hide a user from GAL by configuring a user account property msExchHideFromAddressLists in ADSIEdit.

  1. Logon to On Premise Domain Controller > Open Active Directory Users and Computers.
  2. Click on View > Enable Advanced Features.
  3. Search for the user which you want to hide it from the GAL / Address Book -> Right-click the user -> Select Properties -> Attribute Editor -> Search for msExchHideFromAddressLists attribute -> Change it to True and Click OK twice to Save the Value.
  4. Open powershell console and run Start-ADSyncSyncCycle -PolicyType Delta to Initiate Delta Sync to Entra ID.

Option 2 – Using Powershell

2.1 For One user account

To set msExchHideFromAddressLists user attribute to True for One user account, use below command:

Set-ADUser -identity <user> -Replace @{msExchHideFromAddressLists=$true}

-identity Parameter: You can identify a user by its distinguished name, GUID, security identifier (SID), or Security Account Manager (SAM) account name.

2.2 For All User Accounts in a Particular OU

To set msExchHideFromAddressLists user attribute to True for All user accounts which are in a particular OU, Use below command:

get-aduser -searchbase "<OU Distinguished Name>" -filter *|  Set-ADUser -Add @{msExchHideFromAddressLists="TRUE"}

OU Distinguished Name: You can get the OU distinguished name for any OU by right-clicking the OU -> Properties -> Attribute Editor -> Search for distinguishedName Attribute and Copy that value and use the value in the powershell command.


When using Entra Connect to synchronize users from On-Prem Active Directory to Entra ID, it’s important to note that user management and attribute control are primarily handled by On-Prem Active Directory. To hide a user from the Global Address List (GAL), you’ll need to update their attributes there.

If you wish to manage users attributes from Entra ID, you can convert users from Entra Synced users to Cloud only users.

2 thoughts on “Microsoft 365: Hide users from GAL when using Entra Connect”

  1. I was reading one of your other comments and noticed this write-up as another to read. I always look at these as they are typically missing/assume a fundamental requirement for this to work.

    Your AD Schema has to be extended to include MS Exchange Attributes. If you have never had an on premise MS Exchange server in your Domain, your AD Schema will be missing this and several other attributes that might be needed.

    Here is a good and helpful SpiceWorks thread (not my favorite, but this one covers it well) from a while back. Nothing has changed and the command and work is the same.


Leave a Comment

Discover more from TechPress

Subscribe now to keep reading and get access to the full archive.

Continue reading