Windows OS Hub

February 20, 2023 | Azure, Exchange, Microsoft 365, Office 365, PowerShell

How to Hide Users and Groups from the Global Address List on Exchange/Office 365?

In this article, we’ll look at how to hide a user or distribution group from the Exchange Global Address List (GAL). This guide applies to both cloud Exchange Online (Microsoft 365) tenants and on-premises Exchange Server 2019, 2016, 2013, and 2010 organizations.

Contents:
  • Hide Groups and Users from Exchange or Office 365 GAL
  • Hide Users in Address Book when Using Azure AD Connect
  • How to Hide Users from Exchange Distribution Group?

Hide Groups and Users from Exchange or Office 365 GAL

In Exchange Online (Microsoft 365) and on-prem Exchange Server, all users, contacts, and distribution groups are automatically added to the organization’s address book. Any user can see all mail users and groups in their organization in Outlook, as well as their membership.

You can hide any user or group from the Exchange address book by using the Hide from address list option. This option can be enabled in the user’s properties through the Exchange Admin Center (EAC).

Exchange Admin Center - Hide user or group from address list

Alternatively, you can use PowerShell. Connect to your on-prem Exchange Server or Exchange Online tenant (using the EXO v2 PowerShell module).

To hide a user in the GAL, run:

Set-Mailbox -Identity jsmith -HiddenFromAddressListsEnabled $true

You can display all users hidden from the address book:

Get-Mailbox -ResultSize Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $True} | Select DisplayName,UserPrincipalName, HiddenFromAddressListsEnabled

Set-Mailbox HiddenFromAddressListsEnabled using powershell

Similarly, you can hide other types of objects from the address list:

  • Contacts: Set-MailContact ext24Support -HiddenFromAddressListsEnabled $true
  • Mail-enabled universal distribution and security groups: Set-DistributionGroup global_support -HiddenFromAddressListsEnabled $true
  • Exchange Dynamic Distribution Lists: Set-DynamicDistributionGroup nySales -HiddenFromAddressListsEnabled $true
  • Microsoft 365 Groups: Set-UnifiedGroup groupname1 -HiddenFromAddressListsEnabled:$true

Users and groups will be hidden from the address book after the GAL is updated (may take up to 24 hours).

The following command will list all hidden objects in the address book:

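Get-Recipient -ResultSize unlimited -Filter 'HiddenFromAddressListsEnabled -eq $true'

To export the Exchange address book to a CSV file, run:

# $filter is not defined in the original command; taking it from the first GAL's recipient filter is an assumption
$filter = (Get-GlobalAddressList | Select-Object -First 1).RecipientFilter
Get-Recipient -RecipientPreviewFilter $filter | Where-Object {$_.HiddenFromAddressListsEnabled -ne $true} | Select-Object Name,PrimarySmtpAddress,Phone | Export-CSV c:\ps\GAL_except_hidden.csv -NoTypeInformation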

You can use a simple PowerShell script to hide disabled users from the Address List:

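# Find disabled accounts whose mailbox is still visible in the address lists, then hide each one
$mailboxes = Get-User -ResultSize Unlimited | Where-Object {$_.UserAccountControl -like '*AccountDisabled*' -and $_.RecipientType -eq 'UserMailbox'} | Get-Mailbox | Where-Object {$_.HiddenFromAddressListsEnabled -eq $false}
foreach ($mailbox in $mailboxes) {Set-Mailbox -Identity $mailbox.DistinguishedName -HiddenFromAddressListsEnabled $true}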

In Exchange Online, you can use the following command to find disabled user mailboxes:

Get-MailBox -filter {ExchangeUserAccountControl -eq 'AccountDisabled' -and RecipientType -eq 'UserMailbox' -and RecipientTypeDetails -ne 'SharedMailbox' }
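
A more cautious variant of the commands above for Exchange Online, as an added example (not code from the original article): it combines the same filter properties server-side, skips directory-synced mailboxes, supports -WhatIf, and writes a CSV of what it changed. The function name and report path are hypothetical.

```powershell
# Added example (not from the original article). Function name and report path are hypothetical.
# Requires an existing Exchange Online PowerShell session.
function Hide-DisabledUserMailbox {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ReportPath = '.\gal_hidden_disabled_users.csv'
    )

    # Same properties the article filters on, combined server-side.
    # RecipientTypeDetails -eq 'UserMailbox' keeps shared, room and equipment
    # mailboxes (whose accounts are disabled by design) out of scope.
    $filter = "ExchangeUserAccountControl -eq 'AccountDisabled' " +
              "-and RecipientTypeDetails -eq 'UserMailbox' " +
              "-and HiddenFromAddressListsEnabled -eq `$false"

    $candidates = Get-Mailbox -ResultSize Unlimited -Filter $filter |
        Where-Object { -not $_.IsDirSynced }   # synced objects must be changed on-prem

    $changed = foreach ($mbx in $candidates) {
        if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, 'Hide from address lists')) {
            try {
                Set-Mailbox -Identity $mbx.DistinguishedName `
                    -HiddenFromAddressListsEnabled $true -ErrorAction Stop
                # One report row per mailbox that was actually changed
                [pscustomobject]@{
                    DisplayName        = $mbx.DisplayName
                    PrimarySmtpAddress = $mbx.PrimarySmtpAddress
                    ChangedAt          = (Get-Date).ToString('s')
                }
            }
            catch {
                Write-Warning "Could not hide $($mbx.PrimarySmtpAddress): $_"
            }
        }
    }

    if ($changed) { $changed | Export-Csv -Path $ReportPath -NoTypeInformation }
    $changed
}

# Preview first, then apply:
# Hide-DisabledUserMailbox -WhatIf
# Hide-DisabledUserMailbox
```

The CSV gives a change record that can be compared later against the output of Get-Recipient with the HiddenFromAddressListsEnabled filter.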

Hide Users in Address Book when Using Azure AD Connect

If user mailboxes are hosted in Exchange Online (Microsoft 365), and user accounts are synchronized from on-premises Active Directory (via Azure AD Connect), you won’t be able to enable the HiddenFromAddressListsEnabled attribute in the user settings in the Office 365 tenant. If you try to do this via EAC, an error will appear:

The operation on mailbox failed because it’s out of the current users’s write scope. The action ‘Set-Mailbox’, ‘HiddenFromAddressListsEnabled’, can’t be performed on the object because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.


According to this error, the msExchHideFromAddressLists attribute must be set for the user in the local Active Directory and not on the Azure side. The easiest way is to use the Set-ADUser cmdlet from the AD PowerShell module:

# -Replace also works when the attribute already holds a value (for example FALSE), where -Add would fail
Set-ADUser jsmith -Replace @{msExchHideFromAddressLists=$true}

After syncing a user to Azure and updating the GAL, the user’s email address will be hidden in the Office 365 address book.

The following command will list all disabled users that are not yet hidden:

Get-ADUser  -Filter {(enabled -eq "false") -and (msExchHideFromAddressLists -notlike "*")}  -Properties enabled,msExchHideFromAddressLists

If Exchange has never been installed in your on-prem Active Directory, then you won’t find the msExchHideFromAddressLists attribute (or any other msExch* attributes) in the user properties. In this case, you will have to extend the Active Directory schema using the Exchange installation media.
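
The on-premises side of this section as an added example (not code from the original article): it first checks that the schema actually contains msExchHideFromAddressLists, then uses an LDAP filter that catches disabled users whose attribute is either unset or FALSE, and sets it with -WhatIf support. The function names are hypothetical.

```powershell
# Added example (not from the original article). Function names are hypothetical.
Import-Module ActiveDirectory

function Get-DisabledUserNotHidden {
    # The attribute exists only if the forest schema was extended by Exchange setup.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=msExchHideFromAddressLists)'
    if (-not $attr) {
        throw 'msExchHideFromAddressLists is not in the AD schema; extend the schema first.'
    }

    # Disabled account (userAccountControl bit 0x2), has a mail address, and the
    # attribute is either unset or FALSE. -notlike "*" alone misses the FALSE case.
    $ldap = '(&(objectCategory=person)(objectClass=user)(mail=*)' +
            '(userAccountControl:1.2.840.113556.1.4.803:=2)' +
            '(!(msExchHideFromAddressLists=TRUE)))'

    Get-ADUser -LDAPFilter $ldap -Properties mail, msExchHideFromAddressLists
}

function Set-DisabledUserHidden {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($user in Get-DisabledUserNotHidden) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Set msExchHideFromAddressLists = TRUE')) {
            # -Replace works whether the attribute is empty or already holds FALSE.
            Set-ADUser -Identity $user -Replace @{ msExchHideFromAddressLists = $true }
        }
    }
}

# Review the list, preview the change, then apply:
# Get-DisabledUserNotHidden | Select-Object SamAccountName, mail, msExchHideFromAddressLists
# Set-DisabledUserHidden -WhatIf
# Set-DisabledUserHidden
```

Review the list before applying: accounts behind shared and resource mailboxes are disabled by design and will also match this filter.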

How to Hide Users from Exchange Distribution Group?

By default, Outlook and OWA users can view the list of members of the Distribution Group in your Exchange organization. You can prevent the membership of a distribution group from being displayed in the Outlook Global Address List. This can be achieved by using the hideDLMembership attribute of Active Directory groups. This attribute prohibits expanding the list of users in a distribution group.

The list of users in a group is also not displayed for Dynamic Distribution Groups. Such groups are dynamically updated according to the specified LDAP query. But this solution does not suit all purposes and is not flexible enough.

You can enable the hideDLMembership attribute in the group properties in the Active Directory Users and Computers (ADUC) console:

  1. Open the ADUC console (dsa.msc);
  2. Enable the Advanced Features option in the View menu;
  3. Manually find a Distribution or a Mail-Enabled Security Group;
    Tip. Don’t use AD search, since there will be no Attribute Editor tab in the group properties.
  4. Open the properties of the necessary group and go to the Attribute Editor tab;
  5. Find the hideDLMembership attribute and change its value to True. Save the changes.

You can also change this AD group attribute via PowerShell:

Set-ADGroup -Identity corp_admins -Replace @{hideDLMembership=$true}

The changes you have made will take effect after Exchange regenerates the Global Address List or Offline Address Book, and Outlook users download it.

mail group in Offline Address Book with hidden membership

As a result, the list of users in the distribution list will no longer be displayed in the Outlook Address Book properties window. The same is true for OWA.

owa hide users

And when you try to expand a distribution list in Outlook, an error will appear:

Cannot perform the requested operation. The command selected is not valid for this recipient. The operation failed.

