Hide groups synced by Azure AD Connect (O365)

When you sync on-premises Active Directory groups to Microsoft Office 365 with Azure AD Connect, you can hide a group from Outlook's Global Address List (GAL) by ticking "Hide group from Exchange address lists" on the group. This is the same as setting the attribute msExchHideFromAddressLists to True.

This method works, but it requires the Exchange schema extensions to be present in your Active Directory. Without the Exchange schema, the msExchHideFromAddressLists attribute does not exist on the group object.

If you have migrated all your mail servers to O365, you probably prefer an Active Directory without the Exchange schema. In that situation you are stuck: you either install the Exchange schema, or accept that synced groups can't be hidden from the GAL.
I recently came across this situation at a customer, but was able to solve this with some “Azure AD Connect trickery”:

  • This customer named its groups according to best practices, which allowed me to filter visibility based on the group name. The client wanted its Global Groups (GG_*) to be synced to O365, but they should not be visible in address lists.
  • The solution was to add an additional transformation expression to the inbound synchronization rule in Azure AD Connect. This expression sets the msExchHideFromAddressLists attribute if the name of the group starts with "GG_".

Expression: CBool(Left([cn],3)="GG_")

You can use other expressions as well and be as creative as you like. An extensive description of the available functions can be found in Microsoft's Azure AD Connect sync functions reference.
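The same attribute flow can be set up from PowerShell on the Azure AD Connect server instead of the Synchronization Rules Editor. The script below is an added example, not from the original post: rather than editing the built-in inbound rule, it creates a separate custom inbound rule carrying the post's expression, scoped so that only GG_ groups are touched. The connector name 'contoso.local' and the precedence value 50 are placeholders.

```powershell
# Added example: custom inbound rule that hides GG_* groups from Exchange Online
# address lists. Assumes the ADSync module on the Azure AD Connect server, an AD
# connector named 'contoso.local' (placeholder) and a free precedence number 50
# (custom rules need a lower number than the built-in rules, which start at 100).
Import-Module ADSync

$connector = Get-ADSyncConnector -Name 'contoso.local'   # placeholder connector name

# New rule objects are returned by the cmdlets; keep reassigning $rule so the
# flow and scope added below end up in the object that is finally committed.
$rule = New-ADSyncRule `
    -Name 'In from AD - Group Hide GG_ from GAL' `
    -Identifier ([guid]::NewGuid()) `
    -Description 'Hide GG_* groups from Exchange Online address lists' `
    -Direction 'Inbound' `
    -Precedence 50 `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'group' `
    -TargetObjectType 'group' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag ''

# Scope filter: only groups whose cn starts with "GG_" are evaluated by this rule,
# so other groups are not forced to False by the expression below.
$scope = New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'cn', 'GG_', 'STARTSWITH'
$rule = Add-ADSyncScopeConditionGroup -SynchronizationRule $rule -ScopeConditions @($scope)

# The expression from the post. Note the straight double quotes around GG_;
# typographic quotes pasted from a web page make the expression fail to parse.
$rule = Add-ADSyncAttributeFlowMapping -SynchronizationRule $rule `
    -Destination 'msExchHideFromAddressLists' `
    -FlowType 'Expression' `
    -ValueMergeType 'Update' `
    -Expression 'CBool(Left([cn],3)="GG_")'

Add-ADSyncRule -SynchronizationRule $rule

# Existing groups are only re-evaluated against the new rule by a full sync cycle.
Start-ADSyncSyncCycle -PolicyType Initial
```

Before committing, `Get-ADSyncRule -Name 'In from AD - Group Hide GG_ from GAL'` lets you confirm the flow and scope landed on the rule; the Synchronization Service Manager's Preview on one GG_ group shows the resulting metaverse value without waiting for the cycle.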