Hiding Mailboxes from Global Address List Using Entra ID Connect

This guide explains how to configure Entra ID Connect to automatically hide mailboxes from the Global Address List (GAL) in Exchange Online based on an on-premises Active Directory attribute.

Alternative: Cloud-Managed Attribute

If you don't need to manage GAL visibility from on-premises AD, you can use Exchange Online's native feature:

Set-Mailbox -Identity user@domain.com -HiddenFromAddressListsEnabled $true -IsExchangeCloudManaged $true
This changes the source of authority to Exchange Online, avoiding sync conflicts. Use the method below if you need centralized management from on-premises AD.

Prerequisites

  • Entra ID Connect is installed and configured
  • Administrative access to the Entra ID Connect server
  • Administrative access to on-premises Active Directory
  • Administrative access to Exchange Online PowerShell

Configuration Steps

Step 1: Open Synchronization Rules Editor

  1. Log into your Entra ID Connect server
  2. Launch Synchronization Rules Editor
  3. Click Add new rule to create a custom sync rule

Step 2: Configure Rule Description

Set the following properties:

  • Name: HideFromGAL Mapping
  • Description: Map msDS-cloudExtensionAttribute1 to msExchHideFromAddressLists
  • Connected System: select your on-premises Active Directory connector
  • Connected System Object Type: user
  • Metaverse Object Type: person
  • Link Type: Join
  • Precedence: 100 (must be lower than default Exchange rules)

Precedence Value

Set precedence to a value lower than default Exchange sync rules (typically below 100). Lower numbers = higher priority.

Leave unchecked:
  • Enable Password Sync
  • Disabled

Step 3: Configure Scoping Filter

  1. Click Add Group
  2. Click Add Clause
  3. Configure the clause:
     • Attribute: msDS-cloudExtensionAttribute1
     • Operator: ISNOTNULL

Step 4: Configure Transformations

  1. Click Add transformation
  2. Configure the transformation:
     • Flow Type: Expression
     • Target Attribute: msExchHideFromAddressLists
     • Source: IIF([msDS-cloudExtensionAttribute1] = "HideFromGAL", True, False)
     • Apply Once: Unchecked
     • Merge Type: Update

Step 5: Save and Synchronize

  1. Click OK to save the sync rule
  2. Run a full synchronization:
Start-ADSyncSyncCycle -PolicyType Initial

Step 6: Verify Configuration

# Check a specific mailbox
Get-Mailbox -Identity "user@domain.com" | Select-Object DisplayName, HiddenFromAddressListsEnabled

# Check all hidden mailboxes
Get-Mailbox -ResultSize Unlimited | Where-Object {$_.HiddenFromAddressListsEnabled -eq $true} | Select-Object DisplayName, PrimarySmtpAddress
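The two commands above check one side at a time. The following script is an added example (not part of the original guide) that reconciles both sides: it reads msDS-cloudExtensionAttribute1 for every mail-enabled on-premises user, looks up the matching Exchange Online mailbox by primary SMTP address, and reports every synced user whose HiddenFromAddressListsEnabled state does not match what the sync rule should have produced. It assumes the ActiveDirectory and ExchangeOnlineManagement modules are installed and that Connect-ExchangeOnline has already been run in the session.

```powershell
# Added example (not the guide's own code): reconcile the on-premises
# msDS-cloudExtensionAttribute1 flag against HiddenFromAddressListsEnabled in
# Exchange Online and report every synced user whose GAL state does not match.
# Assumes the ActiveDirectory and ExchangeOnlineManagement modules are loaded
# and that Connect-ExchangeOnline has already been run in this session.
$flagValue = 'HideFromGAL'   # exact value the sync rule tests; case-sensitive

# On-premises view: all mail-enabled users, keyed by lower-cased mail address
$adByMail = @{}
Get-ADUser -LDAPFilter '(mail=*)' -Properties msDS-cloudExtensionAttribute1, mail |
    ForEach-Object { $adByMail[$_.mail.ToLower()] = $_ }

$drift = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $smtp = $mbx.PrimarySmtpAddress.ToString().ToLower()
    $adUser = $adByMail[$smtp]
    if (-not $adUser) { continue }   # cloud-only mailbox; nothing to reconcile

    # -ceq is case-sensitive, matching the sync rule's exact string comparison.
    # An attribute that is set but not exactly "HideFromGAL" yields False (visible).
    $expectedHidden = $adUser.'msDS-cloudExtensionAttribute1' -ceq $flagValue

    if ($expectedHidden -ne $mbx.HiddenFromAddressListsEnabled) {
        [pscustomobject]@{
            SamAccountName = $adUser.SamAccountName
            PrimarySmtp    = $smtp
            AttributeValue = $adUser.'msDS-cloudExtensionAttribute1'
            ExpectedHidden = $expectedHidden
            ActualHidden   = $mbx.HiddenFromAddressListsEnabled
        }
    }
}

if ($drift) {
    # Typical causes: sync cycle not yet run, wrong-case attribute value, or a
    # mailbox switched to cloud-managed with Set-Mailbox -IsExchangeCloudManaged $true
    $drift | Sort-Object SamAccountName | Format-Table -AutoSize
} else {
    Write-Host 'No GAL visibility drift found between on-premises AD and Exchange Online.'
}
```

Run it after the delta or initial sync has completed and the 15-30 minute propagation window has passed; a non-empty table is the list of users to investigate under Troubleshooting.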

Setting the Attribute in Active Directory

Using PowerShell

# Hide a user from GAL
# -Replace rather than -Add: msDS-cloudExtensionAttribute1 is single-valued, so -Add
# fails if the attribute already holds a value; -Replace is safe to re-run.
Set-ADUser -Identity "username" -Replace @{"msDS-cloudExtensionAttribute1"="HideFromGAL"}

# Show a user in GAL (remove attribute)
Set-ADUser -Identity "username" -Clear msDS-cloudExtensionAttribute1

# Verify the attribute
Get-ADUser -Identity "username" -Properties msDS-cloudExtensionAttribute1 | Select-Object Name, msDS-cloudExtensionAttribute1

Using Active Directory Users and Computers

  1. Open Active Directory Users and Computers
  2. Enable Advanced Features (View menu)
  3. Right-click the user → Properties
  4. Go to the Attribute Editor tab
  5. Find msDS-cloudExtensionAttribute1
  6. Set the value to: HideFromGAL
  7. Click OK and wait for the next sync cycle

Bulk Operations

# Hide all users in a specific OU
# -Replace is used so the command can be re-run against users that are already flagged.
Get-ADUser -SearchBase "OU=Service Accounts,DC=contoso,DC=com" -Filter * |
    Set-ADUser -Replace @{"msDS-cloudExtensionAttribute1"="HideFromGAL"}

# Hide users from a CSV file (expects a SamAccountName column)
$users = Import-Csv -Path "C:\users_to_hide.csv"
foreach ($user in $users) {
    Set-ADUser -Identity $user.SamAccountName -Replace @{"msDS-cloudExtensionAttribute1"="HideFromGAL"}
}

# Trigger a delta sync after bulk changes
Start-ADSyncSyncCycle -PolicyType Delta

Troubleshooting

Changes Not Appearing in Exchange Online

Solutions:
  • Verify the sync rule is active in Synchronization Rules Editor
  • Run a full sync: Start-ADSyncSyncCycle -PolicyType Initial
  • Check Entra ID Connect sync errors in Synchronization Service Manager
  • Verify the attribute value is exactly "HideFromGAL" (case-sensitive)
  • Wait 15-30 minutes for changes to propagate

Sync Rule Not Taking Effect

Solutions:
  • Check that the precedence value is lower than existing Exchange rules
  • Verify the scoping filter is correct
  • Ensure the Connected System matches your AD connector name
  • Review the sync rule order in Synchronization Rules Editor

Sync Cycle Fails

Solutions:
  • Check the expression syntax in the transformation
  • Review sync errors in Event Viewer (Application log)
  • Verify the Entra ID Connect service is running
  • Review logs in: C:\ProgramData\AADConnect\trace-*.log

This guide applies to Entra ID Connect (formerly Azure AD Connect) in hybrid Exchange environments.