How to hide users from the Office 365 GAL when the user is synced from on-prem AD

If you need to hide a user from the GAL (Global Address List) in Office 365, the method depends on how the account is managed. Cloud-only users are easy to configure. Things become more complex when the account is synced from on-premises Active Directory. This guide walks through both scenarios step by step.

Hide User from GAL for Cloud-Only Users

First of all, if the user exists only in Office 365 (cloud-only), the process is straightforward. You can either use the Exchange Admin Center or PowerShell.

Simply go to the Exchange Admin Center, select the user, and then enable or disable the option to hide the user from the GAL.

Alternatively, you can run the following PowerShell command:

Set-Mailbox -Identity user@domain.com -HiddenFromAddressListsEnabled $true

Hide User from GAL for Hybrid (Synced) Users

However, things change when the user is synced from on-premises Active Directory. In this case, the option is greyed out in Office 365 because the attribute is controlled on-prem.

Normally, the attribute used is:

msExchHideFromAddressLists

Unfortunately, if you do not have an on-prem Exchange server, this attribute will not be available. Therefore, you need an alternative approach.

Alternative Method to Hide User from GAL

Instead of using Exchange attributes, you can use an unused AD attribute and map it to the cloud attribute HiddenFromAddressListsEnabled. This method works reliably in hybrid environments.

For example, we will use msDS-cloudExtensionAttribute1.

Step 1: Enable Attribute in Azure AD Connect

First, open Azure AD Connect Synchronization Service Manager and navigate to the Connectors tab.

Next, select your domain and click Properties, then choose Select Attributes.

Then click Show All and enable msDS-cloudExtensionAttribute1.

Step 2: Create a Synchronization Rule

Now open the Synchronization Rule Editor as Administrator and click Add New Rule.

After that, skip unnecessary steps and go to Transformations.

Use the following expression:

IIF(IsPresent([msDS-cloudExtensionAttribute1]),IIF([msDS-cloudExtensionAttribute1]="HideFromGAL",True,False),NULL)

Then run a full sync:

Start-ADSyncSyncCycle -PolicyType initial

Step 3: Hide the User from GAL

Now, go to Active Directory Users and Computers. Open the user’s Attribute Editor and locate:

msDS-cloudExtensionAttribute1

Set the value to:

HideFromGAL

Finally, run a delta sync:

Start-ADSyncSyncCycle -PolicyType delta

After synchronization, the change will reflect in Office 365.
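
To check the result across many accounts rather than one at a time, the following added example (not part of the original guide) compares the AD marker attribute with each mailbox's HiddenFromAddressListsEnabled value and flags mistyped values and changes that have not reached the cloud. The function names, status labels and sample accounts are hypothetical, and the comparison runs on constructed data so it works offline.

```powershell
# Added example, not part of the original guide. Sample data is constructed.
$MarkerAttr  = 'msDS-cloudExtensionAttribute1'
$MarkerValue = 'HideFromGAL'

# Mirrors the sync rule expression: attribute absent -> $null (nothing flows),
# exact marker -> $true, anything else -> $false. Exact-case matching (-ceq)
# is an assumption of this sketch, so near misses are reported for review.
function Get-ExpectedHidden {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $null }
    return ($Value -ceq $MarkerValue)
}

function Compare-GalHiddenState {
    param([object[]]$AdUsers, [object[]]$Mailboxes)
    $byUpn = @{}
    foreach ($m in $Mailboxes) { $byUpn[$m.UserPrincipalName] = $m }
    foreach ($u in $AdUsers) {
        if (-not $u.UserPrincipalName) { continue }   # cannot be matched to a mailbox
        $raw   = $u.$MarkerAttr
        $cloud = $byUpn[$u.UserPrincipalName]
        if     (-not $cloud)            { $status = 'NoMailbox' }
        elseif (-not $raw)              { $status = 'NotManaged' }   # rule flows nothing
        elseif ($raw -cne $MarkerValue) { $status = 'ReviewValue' }  # typo, casing, whitespace
        elseif (-not $cloud.HiddenFromAddressListsEnabled) { $status = 'Drift' }  # sync pending or rule not applied
        else                            { $status = 'InSync' }
        [pscustomobject]@{
            User     = $u.UserPrincipalName
            AdValue  = $raw
            Expected = Get-ExpectedHidden $raw
            Cloud    = $cloud.HiddenFromAddressListsEnabled
            Status   = $status
        }
    }
}

# Constructed sample input. For live data (assumes the ActiveDirectory and
# ExchangeOnlineManagement modules with an active session) use instead:
#   $ad  = Get-ADUser -Filter * -Properties $MarkerAttr
#   $exo = Get-EXOMailbox -ResultSize Unlimited -Properties HiddenFromAddressListsEnabled
$ad = @(
    [pscustomobject]@{ UserPrincipalName = 'svc-scan@example.com'; 'msDS-cloudExtensionAttribute1' = 'HideFromGAL' }
    [pscustomobject]@{ UserPrincipalName = 'leaver@example.com';   'msDS-cloudExtensionAttribute1' = 'HideFromGAL' }
    [pscustomobject]@{ UserPrincipalName = 'shared@example.com';   'msDS-cloudExtensionAttribute1' = 'hidefromgal ' }
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com' }
)
$exo = 'svc-scan', 'leaver', 'shared', 'alice' | ForEach-Object {
    [pscustomobject]@{ UserPrincipalName = "$($_)@example.com"; HiddenFromAddressListsEnabled = ($_ -eq 'svc-scan') } }
Compare-GalHiddenState -AdUsers $ad -Mailboxes $exo | Format-Table -AutoSize
```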

Conclusion

In summary, hiding a user from the GAL is simple for cloud-only users. However, for hybrid environments, you must use Azure AD Connect and attribute mapping. Fortunately, once configured, the process becomes easy and repeatable.
