How to hide users from GAL if they are AD Connect synchronized

Since the Exchange Online attribute msExchHideFromAddressLists is an on-premises AD attribute for synchronized users, we have two possible ways of hiding a user in BME from the GAL.

  • Modify AD Connect for your tenant with a custom rule that uses an extensionAttribute to set HideFromGAL. With this rule, hiding / un-hiding is controlled by AD Connect for every user that has an entry in the extensionAttribute.
    This is the best option for a cross-tenant migration if you run 2 or more AD Connect systems.
  • Modify the hide attribute directly in AD.
    This option isn't the best for cross-tenant migrations.

I would recommend the first option.

Modifying the AD Connect rule:

Open the Synchronization Rules Editor:

Create a new rule (INBOUND).

Enter the following for the description:

Name: Hide user from GAL
Description: If the msDS-cloudExtensionAttribute1 attribute is set to HideFromGAL, hide from the Exchange Online GAL
Connected System: Your Active Directory Domain Name
Connected System Object Type: user
Metaverse Object Type: person
Link Type: Join
Precedence: 50 (this can be any number less than 100. Just make sure you don't duplicate numbers if you have other custom rules, or you'll receive a dead-lock error from SQL Server)

Click Next > on the Scoping filter and Join rules pages; those can remain blank.

On the Transformation page, click the Add transformation button, fill out the form with the values below, and then click Add:
FlowType: Expression
Target Attribute: msExchHideFromAddressLists
Source:

IIF(IsPresent([msDS-cloudExtensionAttribute1]),IIF([msDS-cloudExtensionAttribute1]="HideFromGAL",True,False),NULL)

Now perform an initial sync:

Start-ADSyncSyncCycle -PolicyType Initial

Hide the user from the GAL by setting the attribute in AD

Select the Attribute Editor tab, find msDS-cloudExtensionAttribute1, and enter the value HideFromGAL.
(Note: the value must be exactly the same as defined in the AD Connect rule; it is case sensitive.) Click OK twice to close the editor.

Continue with an AD Connect delta sync:

Start-ADSyncSyncCycle -PolicyType Delta

Continue with the Export from CUSTOMEDOMAIN.onmicrosoft.com and verify the Update. There must be a count of at least 1: the user whose attribute was changed.

Select the user account that is listed and click Properties. On the Connector Space Object Properties, you should see that Azure AD Connect triggered an add to Azure AD setting msExchHideFromAddressLists to true.
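The per-user steps above (set the attribute, delta sync, verify) scripted in PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory and ADSync modules are available on the AD Connect server and that an Exchange Online session (Connect-ExchangeOnline) already exists for the final check; the user names and the Get-GalHideMismatch / Set-GalHidden function names are constructed for this example.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and
# ADSync modules (run on the AD Connect server) and an existing
# Exchange Online session for the last verification step.
Import-Module ActiveDirectory
Import-Module ADSync

$Attr  = 'msDS-cloudExtensionAttribute1'
$Value = 'HideFromGAL'   # must match the sync rule exactly; the rule is case-sensitive

function Set-GalHidden {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Unhide
    )
    if ($Unhide) {
        # Clearing the attribute makes the rule flow NULL, so the user is shown again
        Set-ADUser -Identity $SamAccountName -Clear $Attr
    } else {
        Set-ADUser -Identity $SamAccountName -Replace @{ $Attr = $Value }
    }
}

function Get-GalHideMismatch {
    # Users where the attribute is set but differs from the rule value
    # (e.g. 'hidefromgal'): the rule flows False for them, so they stay visible.
    Get-ADUser -LDAPFilter "($($Attr)=*)" -Properties $Attr |
        Where-Object { $_.$Attr -cne $Value } |
        Select-Object SamAccountName, @{ n = $Attr; e = { $_.$Attr } }
}

# Constructed example users: hide one, un-hide another
Set-GalHidden -SamAccountName 'jdoe'
Set-GalHidden -SamAccountName 'asmith' -Unhide

# Report any values that would silently fail the case-sensitive comparison
Get-GalHideMismatch | Format-Table -AutoSize

# Push the change with a delta sync, then confirm the result in Exchange Online
Start-ADSyncSyncCycle -PolicyType Delta
Get-Mailbox -Identity 'jdoe' | Select-Object DisplayName, HiddenFromAddressListsEnabled
```

Allow a few minutes after the delta sync before HiddenFromAddressListsEnabled reflects the change in Exchange Online.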
