Hiding Users from Exchange Online Address Book

This is assuming DirSync is syncing users from on-premises AD to 365/Azure AD.

First thing to try for all users:

Set-ADUser <Active Directory username> -Add @{msExchHideFromAddressLists="TRUE"}

There are a variety of issues that might prevent this from working. You’ll have to customize these steps to suit your environment.

Stage 1 is to try to set the “hide from address book” flag in Exchange, if these are old users who weren’t DirSync’ed.

First, I get a list of all users in a specific OU (where all disabled users are placed) and filter on UserPrincipalName – for me, all actual user UPNs (as opposed to service/temporary accounts) end with the company’s email domain, not <the AD domain.local>, so I filter out the .local users.

$DisabledUsers = Get-ADUser -Filter * -SearchBase "OU=Archived,OU=Users,OU=Company,DC=Company,DC=local" |
    Select-Object Name, SamAccountName, UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*local" }

Now, I get the mailboxes for those users, but select only those that don’t have the “hide from address book” flag set in 365.

$nothidden = foreach ($i in $DisabledUsers.Name) {
    Get-Mailbox -Identity $i -ErrorAction Ignore |
        Select-Object Name, PrimarySmtpAddress, HiddenFromAddressListsEnabled |
        Where-Object { -not $_.HiddenFromAddressListsEnabled }
}

Then, set the flag. In my case, this worked for some users (who weren’t dirsync’ed), and for the others, I couldn’t set this flag here.

foreach ($i in $nothidden.Name) {
    Set-Mailbox -Identity $i -HiddenFromAddressListsEnabled $true -Confirm
}

For some users, the AD “msExchHideFromAddressLists” attribute was set, but it didn’t sync to 365. 365 ECP wouldn’t allow me to check the box.
This is because the disabled users are moved into a separate OU which DirSync ignored, so the attribute was never synced and the user was stuck in a limbo state.
I had to put those users back into the normal OU so DirSync would push the changes.

Move the users:
foreach ($i in $nothidden.Name) {
    Get-ADUser -Filter "(Name -eq '$i')" |
        Move-ADObject -TargetPath 'OU=Users,OU=MyCompany,DC=Company,DC=local' -Verbose
}

# List the properties
foreach ($i in $nothidden.Name) {
    Get-ADUser -Filter "(Name -eq '$i')" -Properties msExchHideFromAddressLists |
        Select-Object Name, msExchHideFromAddressLists
}

# Enable the flag:
foreach ($i in $nothidden.Name) {
    Get-ADUser -Filter "(Name -eq '$i')" |
        Set-ADObject -Replace @{msExchHideFromAddressLists=$true}
}

### Stage 2: After all of this, some users STILL aren’t syncing properly. This is because of issues with litigation hold being enabled and mismatched archive GUIDs.
https://blogs.technet.microsoft.com/exovoice/2016/11/07/how-to-fix-office365-user-provisioning-issues-that-are-generated-by-faulty-exchange-attributes/

# Get the users that still have the flag NOT set to true.
# Re-query Exchange Online here: the $nothidden list was captured before Set-Mailbox ran, so filtering it again would return everyone.
$stillnothidden = foreach ($i in $nothidden.Name) {
    Get-Mailbox -Identity $i -ErrorAction Ignore |
        Select-Object Name, PrimarySmtpAddress, HiddenFromAddressListsEnabled |
        Where-Object { -not $_.HiddenFromAddressListsEnabled }
}
$usererrors = foreach ($i in $stillnothidden.PrimarySmtpAddress) {
    (Get-MsolUser -UserPrincipalName $i).Errors.ErrorDetail.ObjectErrors.ErrorRecord
}
$usererrors | Format-List

# Get the archive GUIDs from Exchange Online
$archiveguids = foreach ($i in $stillnothidden.PrimarySmtpAddress) {
    Get-Mailbox -Identity $i | Select-Object Name, PrimarySmtpAddress, ArchiveGuid
}

# Get the current on-premises archive GUIDs before changing anything:
foreach ($i in $archiveguids.Name) {
    Get-ADUser -Filter "(Name -eq '$i')" -Properties msExchArchiveGuid |
        Select-Object Name, msExchArchiveGuid
}

Find the user on the Office 365 admin portal. You will get an error like this (I’m sure this can be done from PowerShell as well). P.S. Make sure the user principal name is set properly! P.P.S. make sure the MailNickName is also set!

###### I’m not 100% sure what’s below this line works. If not, skip down to the bottom section.

Get the CloudArchiveGuid and create a new PowerShell variable using that as the value.

[System.Guid]$guid = '8ca06e84-b159-42a7-a380-acb5fcfe676e'

Then, set the archive attribute in the user’s AD account.

Set-ADUser <username> -Replace @{msExchArchiveGuid=$guid.ToByteArray()}

###### (End of section I’m not sure about)

I couldn’t figure out how to set this with PowerShell, but to get the value to enter manually, type these commands into PowerShell:

[System.Guid]$guid = 'bb7518b8-537e-4321-b658-8728059894f9'

($Guid.ToByteArray() | foreach { $_.ToString('x2') }) -Join ' '

Open Active Directory Users and Computers, open the user’s properties, then go to the Attribute Editor. (Go to View > Advanced Features if you don’t see the editor)

Find the msExchArchiveGUID, double click it, and copy/paste the output from PowerShell into that attribute. Value format should be Hexadecimal.
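To see at a glance which stuck users have a cloud/on-prem archive GUID mismatch, and what each side's hide flag currently says, here is an added example script of my own (not from the original post). It assumes the ActiveDirectory module and an Exchange Online session (Get-Mailbox) are loaded, that each user's UPN equals their primary SMTP address as in the environment described above, and that the `$stillnothidden` list from Stage 2 is populated; `Get-GuidHexString` and `Compare-ArchiveGuid` are names I chose.

```powershell
# Added example, not part of the original post. Read-only: it reports, it does not change AD.
function Get-GuidHexString {
    # Render a GUID in the byte order AD stores msExchArchiveGuid in, as
    # space-separated hex pairs ready to paste into the Attribute Editor.
    param([Parameter(Mandatory)][guid]$Guid)
    ($Guid.ToByteArray() | ForEach-Object { $_.ToString('x2') }) -join ' '
}

function Compare-ArchiveGuid {
    # For each mailbox, read the cloud ArchiveGuid and the on-prem
    # msExchArchiveGuid (raw bytes in AD) and report whether they agree,
    # alongside the hide flag as seen on each side.
    param([Parameter(Mandatory)][string[]]$PrimarySmtpAddress)
    foreach ($addr in $PrimarySmtpAddress) {
        $mbx = Get-Mailbox -Identity $addr -ErrorAction SilentlyContinue
        if (-not $mbx) { Write-Warning "No mailbox found for $addr"; continue }
        # Assumption: UPN matches the primary SMTP address (as in the post's environment)
        $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$addr'" `
            -Properties msExchArchiveGuid, msExchHideFromAddressLists
        $onPrem = $null
        if ($adUser -and $adUser.msExchArchiveGuid) {
            # AD hands the octet string back as byte[]; rebuild a [guid] from it
            $onPrem = [guid]::new([byte[]]$adUser.msExchArchiveGuid)
        }
        [pscustomobject]@{
            User              = $addr
            CloudArchiveGuid  = $mbx.ArchiveGuid
            OnPremArchiveGuid = $onPrem
            GuidsMatch        = ($onPrem -eq $mbx.ArchiveGuid)
            HiddenInEXO       = $mbx.HiddenFromAddressListsEnabled
            HiddenInAD        = $adUser.msExchHideFromAddressLists
            # Hex string to paste into msExchArchiveGUID when GuidsMatch is False
            HexToPaste        = Get-GuidHexString -Guid $mbx.ArchiveGuid
        }
    }
}

# Usage:
Compare-ArchiveGuid -PrimarySmtpAddress $stillnothidden.PrimarySmtpAddress | Format-List
```

Rows with GuidsMatch False are the ones to fix with the Attribute Editor step above (or the Set-ADUser -Replace form from the section I'm unsure about); a user whose OnPremArchiveGuid is blank simply has no archive GUID stamped in AD yet.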
