How to hide users from the GAL in Office 365 synchronized from on-premises

Hiding users from the Global Address List (GAL) is a fairly straight forward when the user is a cloud account. Simply “Hide from address list” from the Exchange Online console or run some quick powershell:

$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session 
Set-Mailbox -Identity [email protected] -HiddenFromAddressListsEnabled $true

Hiding users from the GAL is fairly straight forward when the user is synchronized from on-premises as well.  Simply edit the attribute of the user object, set msExchHideFromAddressLists  to True, and do a sync.  The problem though is what happens if you don’t have the msExchHideFromAddressLists attribute in Active Directory?

Well, you can either extend your Active Directory Schema for Exchange, which is not something that you can easily roll back if something goes wrong and arguably adds a ton of attributes that likely will be never used.  Or, you can simply create a custom sync rule within Azure AD Connect that flows the value from a different attribute.

This article will go over how to sync a custom attribute from on-premises to Azure AD to hide a user from the GAL, without the need of extending your Active Directory schema.  In this case, we are going to use an attribute called msDS-cloudExtensionAttributeX (where X is the number of the attribute that is free/not being used within your directory).  The msDS-cloudExtensionAttribute(s) were introduced in Windows Server 2012 and has 20 different numbers to allow flexibility for these types of scenarios.  Now some customers may gravitate towards using a different attribute like showInAddressBook.  The problem with the showInAddressBook is this attribute is referenced by very old versions of Exchange (which I’m sure people would never be running 😉 ) and is looking for the format of the common name of an object (not what we want).  In this case, easiest way to move forward is to simply use the msDS-cloudExtensionAttributes.

Step 1: Scope in the msDS-cloudExtensionAttribute for Azure AD Connect

Open the Azure AD Connect Synchronization Service

Navigate to the Connectors tab, select your Active Directory (not the entry), and select Properties

In the top right, click on Show All, scroll down and find msDS-CloudExtensionAttribute1 (you can use any of the numbers 1-20, just make sure to check the box you are using), and select OK

Step 2: Create a custom sync rule

Open up the Azure AD Connect Synchronization Rules Editor

Click on the Add new rule button (make sure direction in the top left shows Inbound)

Enter the following for the description:

Name: Hide user from GAL
Description: If msDS-CloudExtensionAttribute1 attribute is set to HideFromGAL, hide from Exchange Online GAL
Connected System: Your Active Directory Domain Name
Connected System Object Type: user
Metaverse Object Type: person
Link Type: Join
Precedence: 50 (this can be any number less than 100.  Just make sure you don’t duplicate numbers if you have other custom rules or you’ll receive a dead-lock error from SQL Server)

Click Next > on Scoping filter and Join rules, those can remain blank

Enter the following Transformation page, click the Add transformation button, fill out the form with the values below, and then click Add
FlowType: Expression
Target Attribute: msExchHideFromAddressLists



Step 3: Perform an initial sync

Open up Windows PowerShell on the Azure AD Connect Server

Execute the following command: Start-ADSyncSyncCycle -PolicyType Initial

Step 4: Hide a user from Active Directory

Open Active Directory Users and Computers, find the user you want to hide from the GAL, right click select Properties

Select the Attributes Editor tab, find msDS-cloudExtensionAttribute1, and enter the value HideFromGAL (note, this is case sensitive), click OK and OK to close out of the editor. 

Note: if you don’t see the Attribute Editor tab in the previous step, within Active Directory Users and Computers, click on View in the top menu and select Advanced Features

Step 5: Validation

Open the Azure AD Connect Synchronization Service

On the Operations tab, if you haven’t seen a Delta Synchronization, manually trigger the Delta sync to pick up the change you made in Active Directory


Select the Export for the connecter and you should see 1 Updates

Select the user account that is listed and click Properties.  On the Connector Space Object Properties, you should see Azure AD Connect triggered an add to Azure AD to set msExchHideFromAddressLists set to true

There ya have it!  An easy way to hide users from the GAL with minimal risk to ongoing operations.  Due to the way Azure AD Connect upgrades, our sync rule will persist fine during regular updates/patches released.

19 thoughts on “How to hide users from the GAL in Office 365 synchronized from on-premises

  1. gdogg121


    I tried this. I also ran a manual Address List update using PowerShell by giving myself the Address List Manager role.

    Still, I see the people I’ve hidden on the GAL.

    I tried asking for a new Offline Address Book on the Outlook side. Nothing seems to happen the people are not hidden.

    Your steps have helped me create a transform rule so I am seeing that the attribute in question is being applied but they don’t actually disappear.

    Is there anything I am doing wrong? Also, I don’t know if this matters but we are using AAD Sync in Staging Mode.

    1. Jack Post author

      Stage mode will only prep the changes, it won’t commit them to azure. You’d need to disable staging mode if you want the changes to take affect in the cloud.

      1. gdogg121

        Hello Jack,

        Thanks for the response. Interestingly, this change only worked with one user of ours.

        I think the initial sync command needs to be re-run after I did all these users because we are stuck in staging mode.

        My order of operations was exactly as yours. The test user worked but all other users failed.

        Let me run the initial sync and demo this to my manager and we can move the server off staging mode.

          1. gdogg121

            I have run the two sync commands. Yet nothing propogated to the EOP. I still see the check box to hide from address lists as unmarked. Yet my one lone user from yesterday is still good. I guess I’ll just wait it out and see if it goes through.

            Interesting that one person works in staging even and all else not updated yet. I’ll wait and see or ask to move off staging.

            Thank you

  2. gdogg121

    Hey Jack,

    Sorry to spam your post! Thanks for your help with this.

    I just found out: If the user doesn’t have E3 or E1 assigned Exchange Online Portal wont’t touch that attribute. If I give them E3 or E1 then they are good and the change goes through.

    Do you think this might be a staging issue? Have you seen this weird limitation?

  3. Jeff West

    Great post and looks like it will solve my issue. But I am getting an error when I try to make the rule. Here is the error:
    Invalid character ” encountered in expression ‘IIF(IsPresent([msDS-cloudExtensionAttribute1]),IIF([msDS-cloudExtensionAttribute1]=”HideFromGAL”,True,False),NULL)’

    Any idea what is causing this?


    1. Jack Post author

      This is caused from copying/pasting from the website. The “s and ‘s turn into extended ASCII characters, which Azure AD Connect cannot process. Copying and pasting this into notepad and retyping those characters will fix this. In addition, I’ve updated the website to try and not present those characters so it’s easier to copy/paste moving forward.

      Thanks for the feedback!

  4. Khurram Irshad


    I have a problem that the version that is installed on my environment of azure connect does not have connectors tab from which i select msDS-CloudExtensionAttribute1, please guide me that which version i can install so that the option of connectors is available.


    1. Jack Post author

      Try logging out of Windows and logging back in if you don’t see any rules within the Rules Editor. A fresh installation of Azure AD Connect doesn’t have a chance to etch the security groups added by the program to your Kerberos token, so logging out and back into Windows will give you the right access to open the tool.

  5. Ralf Scholl

    Hi Jack,
    even if you have the msExchHideFromAddressLists attribute in Active Directory and you set the value to true, it won’t be synced.
    You have to add a new rule for OUTBOUND!
    Most of the Steps a equal to yours – here are only the changes
    Azure AD Connect Synchronization Rules Editor
    Select Direction: Outbound
    Add new rule
    Connected System: – AAD
    FlowType: Direct
    Target Attribute: msExchHideFromAddressLists
    Source: msExchHideFromAddressLists

    1. Jack Post author

      Good call out–for whatever reason this was removed in after a few versions once Azure AD Connect was rebranded from Azure AD Sync. Good piece of documentation for those that do have the schema extended and can use the attribute.

      For clarification for others, please note this step is not required per the article. If your environment had the msExchHideFromAddressLists (you had extended your schema) then you can disregard the above article and simply add this rule.

  6. Peter

    You’re the real deal, I just wanted to thank you (Muchas Gracias). I followed all steps and everything works as expected.

    Important: Do not choose : – AAD only your local AD.

  7. Taavi

    Thank you so much, very very helpful step by step guide.
    Shame that Microsoft doesn’t provide any easier solutions and i am not gonna install Exchange onprem for that..

  8. Charles

    This is fantastic, I’ve been looking for a way to do this for weeks, though I mostly need to hide an on prem mail-enabled security group that doesn’t have the msDS-CloudExtensionAttribute1 fields, can I grab another attribute we aren’t using and do a similar link using that or will it only work with the CloudExtensionAttributes? Thank you!

    1. Jack Post author

      Haven’t tested mail-enabled security groups, but in theory, yes you could take the same approach to flow the attribute.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.