Hiding contact from GAL in Sync Environment

How to hide a contact from the GAL in a hybrid or synchronized Office 365 environment.

When you have a hybrid or synchronized environment where Azure AD Connect syncs all your users and their attributes from on-premises to Office 365, how can you hide a contact from the GAL (Global Address List)?

It's a real challenge because the msExchHideFromAddressLists attribute is, by default, not synchronized to Office 365 by the Azure AD Connect rules.

Without touching the Azure AD Connect rules, this can be achieved in a very simple way as described below, but you have to repeat these steps for each user every time you want to hide one:

Per User Solution:

1. Open Active Directory Users & Computers.
2. Enable Advanced Features by clicking View > Advanced Features.
3. Find and open the properties for the user you want to hide. Click the Attribute Editor tab.
4. Find and double-click the msExchHideFromAddressLists attribute to change its value.
5. Set the value to True and save your changes.

You can do the same via PowerShell as well. Run the following on a machine with the ActiveDirectory module (Set-ADUser does not take a UPN as -Identity, so the user is resolved with a filter first, and -Replace is used because the attribute is single-valued):
Get-ADUser -Filter 'UserPrincipalName -eq "user@domain.com"' | Set-ADUser -Replace @{msExchHideFromAddressLists=$true}

6. Now you need to set the mailNickname field. It should be set to the first part of the primary email address. For example, my email is user.affected@domain.com, so the mailNickname should be set to user.affected.

The change will be visible in the Office 365 portal after the next Azure AD Connect sync cycle runs.

Or you can run a delta sync on the Azure AD Connect server:

Start-ADSyncSyncCycle -PolicyType Delta

Outlook downloads the Offline Address Book once every 24 hours, so the user will still be visible in the Outlook address book for up to a day. You can wait, or you can delete the Offline Address Book and download a fresh copy of the GAL in Outlook.

Permanent resolution:

Step 1: Scope in the msDS-cloudExtensionAttribute for Azure AD Connect

Open the Azure AD Connect Synchronization Service (you can also search for MIIS.exe in Windows search).

Go to the Connectors tab, select the Windows Active Directory connector and click Properties.

On the top right, click Show All, then scroll down and find msDS-cloudExtensionAttribute1 (you can use any of the numbers 1-20; just make sure to check the box for the one you are using), and select OK.

Step 2: Create a custom sync rule

Open the Azure AD Connect Synchronization Rules Editor

Click the Add new rule button (make sure the Direction in the top left shows Inbound).

Enter the following on the Description page:

Name: Hide user from GAL
Description: If msDS-CloudExtensionAttribute1 attribute is set to HideFromGAL, hide from Exchange Online GAL
Connected System: Active Directory Domain Name
Connected System Object Type: user
Metaverse Object Type: person
Link Type: Join
Precedence: 50 (this can be any number less than 100; just make sure you don't duplicate numbers if you have other custom rules)

Click Next on the Scoping filter and Join rules pages; those can remain blank.

On the Transformations page, click the Add transformation button, fill out the form with the values below, and then click Add:
Flow Type: Expression
Target Attribute: msExchHideFromAddressLists
Source:

IIF(IsPresent([msDS-cloudExtensionAttribute1]),IIF([msDS-cloudExtensionAttribute1]="HideFromGAL",True,False),NULL)

Step 3: Perform an initial sync

Open Windows PowerShell on the Azure AD Connect server as an administrator.

Execute the following command: Start-ADSyncSyncCycle -PolicyType Initial

Step 4: Hide a user from Active Directory

Open Active Directory Users and Computers, find the user you want to hide from the GAL, right-click and select Properties.

Select the Attribute Editor tab, find msDS-cloudExtensionAttribute1, enter the value HideFromGAL (note: this is case sensitive), then click OK and OK again to close the editor.

Note: if you don't see the Attribute Editor tab in the previous step, click View in the top menu of Active Directory Users and Computers and select Advanced Features.
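The same Step 4 change scripted for bulk use, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module and the custom rule above reading msDS-cloudExtensionAttribute1; the function name and parameters are my own.

```powershell
# Added example (not from the original post): set or clear the HideFromGAL
# marker by UPN so the custom inbound rule flows msExchHideFromAddressLists.
# Assumes the ActiveDirectory RSAT module; function name/parameters are my own.
Import-Module ActiveDirectory

function Set-GalHidden {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$UserPrincipalName,
        [switch]$Unhide
    )
    process {
        foreach ($upn in $UserPrincipalName) {
            # Set-ADUser -Identity does not accept a UPN, so resolve it first.
            # The single-quoted filter lets the AD module substitute $upn itself,
            # so an odd character in the UPN cannot break the filter syntax.
            $user = Get-ADUser -Filter 'UserPrincipalName -eq $upn' -Properties mailNickname
            if (-not $user) { Write-Warning "No user with UPN '$upn'"; continue }

            # Exchange Online needs mailNickname; default it to the local part
            # of the UPN when empty, as the per-user steps describe.
            if (-not $user.mailNickname) {
                Set-ADUser -Identity $user -Replace @{ mailNickname = $upn.Split('@')[0] }
            }

            if ($Unhide) {
                # Attribute absent -> IsPresent() is false -> the rule contributes NULL.
                Set-ADUser -Identity $user -Clear 'msDS-cloudExtensionAttribute1'
            } else {
                # The IIF compares case-sensitively: the value must be exactly HideFromGAL.
                Set-ADUser -Identity $user -Replace @{ 'msDS-cloudExtensionAttribute1' = 'HideFromGAL' }
            }

            # Re-read so the result can be verified before the next delta sync
            # (Start-ADSyncSyncCycle -PolicyType Delta on the Azure AD Connect server).
            Get-ADUser -Identity $user -Properties mailNickname, 'msDS-cloudExtensionAttribute1' |
                Select-Object UserPrincipalName, mailNickname, 'msDS-cloudExtensionAttribute1'
        }
    }
}

# Usage with a constructed UPN: hide one user and show what was written.
Set-GalHidden -UserPrincipalName 'user.affected@domain.com'
# To make the user visible again later: Set-GalHidden 'user.affected@domain.com' -Unhide
```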

Step 5: Validation

Open the Azure AD Connect Synchronization Service

On the Operations tab, if you haven't seen a Delta Synchronization yet, manually trigger a delta sync to pick up the change you made in Active Directory.

Select the Export for the domain.onmicrosoft.com connector; you should see 1 under Updates.

Select the user account that is listed and click Properties. On the Connector Space Object Properties, you should see that Azure AD Connect triggered an add to Azure AD setting msExchHideFromAddressLists to true.

This is a permanent resolution to hide users from the GAL with minimal risk. Custom sync rules persist across regular Azure AD Connect upgrades.
