Forum Discussion

Evan Mann
Copper Contributor
Oct 30, 2018

Office 365 Group write back - hide in on-prem GAL

Latest version of AADC in use with group writeback enabled. After AADC creates the O365 Groups in AD, I run Update-Recipient on the group to give it mail attributes so it can be used by on-prem mail users.

I've created Office 365 Groups and hidden them from the GAL using Set-UnifiedGroup "group@domain.com" -HiddenFromAddressListsEnabled $True, and this works to hide the O365 Group from cloud mailboxes.

The problem is that on-prem mailboxes are still able to see the Office 365 Group in the GAL. If I modify the group in AD and set msExchHideFromAddressLists to TRUE, then on-prem users no longer see the O365 Group in the GAL, BUT on the next AADC sync the msExchHideFromAddressLists attribute is overwritten and set back to <not set>.

In reviewing sync rules, the Inbound rule named "Out to AAD - Group SOAinAAD" does NOT include msExchHideFromAddressLists in the transformations, so this attribute is never getting into the metaverse for any O365 Group objects. To try and address this issue I modified a custom version of this rule and added a transformation for msExchHideFromAddressLists and did a full sync, but this attribute never comes into the metaverse on O365 Group objects. I've tried a number of different ways to make this work but none do.

This seems like some kind of bug, as there is an Outbound rule named "Out to AD - Group SOAinAAD" that includes the msExchHideFromAddressLists attribute in it. This implies MSFT intends for this setting to push from AAD to AD, but since the Inbound rule doesn't have this attribute (nor can I get it to work by manually adding it), the "hide in GAL" setting of an O365 Group set in the cloud can never come down to AD.

  • Geseronta
    Copper Contributor

    Evan Mann, did you ever find a solution to this? I am finding the same behavior: the 365 unified groups are hidden from cloud mailboxes but not on-prem.

    TG

    • Evan Mann
      Copper Contributor

      Geseronta

      No resolution on behalf of Microsoft, even with the AADC 2.0 release.

      I implemented my own solution with a custom sync rule that looks for something in the Unified Group data to be able to trigger the group to be hidden on-prem. I copied one of the existing "Out to AD" rules as a starting point.

      The logic I used is based on the description of the Unified Group as set in the cloud. In my case I'm looking for the description to "end with" the word "Hidden". As an example, if the group description is "My IT Group - Hidden", then this rule matches. I chose to do it this way because there may have been some reason I wanted some Unified Groups hidden in on-prem AD and others not to be hidden.

      Description
      Connected System = on-prem AD domain
      Connected System Object Type = group
      Metaverse Object Type = group
      Link Type = Join
      Precedence = 50

      Scoping Filter
      Attribute = cloudMastered
      Operator = EQUAL
      Value = TRUE

      Attribute = description
      Operator = ENDSWITH
      Value = Hidden

      Transformations
      FlowType = Constant
      Target Attribute = msExchHideFromAddressLists
      Source = true
      Merge Type = update

      You can adapt your Scoping Filter as needed based on your desires. If you wanted every Unified Group to be hidden on-prem, you can just use cloudMastered EQUAL true for the scope and nothing else, and that should do it.
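The following PowerShell is an added example, not a script from either poster in this thread. It builds the custom outbound rule described in the last reply with the ADSync cmdlets, forces the full sync that a new rule needs, and then audits the on-prem groups for the overwrite behaviour reported in the opening post (msExchHideFromAddressLists reverting to <not set> after a sync). The connector name 'contoso.local', the writeback OU, and the rule name are hypothetical placeholders; the "ends with Hidden" description convention is the one from the reply above. The cmdlet sequence mirrors what the Synchronization Rules Editor's Export button emits for a GUI-built rule, so diff it against an export from your own server before running it in production.

```powershell
# Added example (not from the original thread). Run on the Azure AD Connect
# server as a member of ADSyncAdmins. All names below are assumptions.
Import-Module ADSync
Import-Module ActiveDirectory

$ConnectorName = 'contoso.local'                           # hypothetical AD connector name
$WritebackOU   = 'OU=O365Groups,DC=contoso,DC=local'       # hypothetical group writeback OU
$RuleName      = 'Out to AD - Group Hide From GAL (custom)' # hypothetical rule name

function New-HiddenGroupWritebackRule {
    param([string]$ConnectorName, [string]$RuleName)

    # Refuse to create a duplicate rule on a second run.
    if (Get-ADSyncRule | Where-Object { $_.Name -eq $RuleName }) {
        throw "Sync rule '$RuleName' already exists"
    }
    $connector = Get-ADSyncConnector -Name $ConnectorName

    # -OutVariable returns an ArrayList, hence the [0] indexing throughout.
    New-ADSyncRule `
        -Name $RuleName `
        -Identifier ([guid]::NewGuid()) `
        -Description 'Hide cloud-mastered groups whose description ends with "Hidden" from the on-prem GAL' `
        -Direction 'Outbound' `
        -Precedence 50 `
        -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
        -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
        -SourceObjectType 'group' `
        -TargetObjectType 'group' `
        -Connector $connector.Identifier `
        -LinkType 'Join' `
        -SoftDeleteExpiryInterval 0 `
        -ImmutableTag '' `
        -OutVariable syncRule

    # Scoping filter: both conditions sit in one group, so they are ANDed:
    # cloudMastered EQUAL True AND description ENDSWITH Hidden.
    $c0 = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
                     -ArgumentList 'cloudMastered', 'True', 'EQUAL'
    $c1 = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
                     -ArgumentList 'description', 'Hidden', 'ENDSWITH'
    Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] `
                                  -ScopeConditions @($c0, $c1) -OutVariable syncRule

    # Transformation: constant True -> msExchHideFromAddressLists, merge type Update.
    Add-ADSyncAttributeFlowMapping `
        -SynchronizationRule $syncRule[0] `
        -Source @('True') `
        -Destination 'msExchHideFromAddressLists' `
        -FlowType 'Constant' `
        -ValueMergeType 'Update' `
        -OutVariable syncRule

    Add-ADSyncRule -SynchronizationRule $syncRule[0]
    return $syncRule[0]
}

function Get-UnhiddenWritebackGroup {
    # Returns written-back groups flagged for hiding whose on-prem attribute is
    # still not True. Once the rule is in place and a sync has run, this should
    # return nothing; anything listed here is exactly the overwrite symptom.
    param([string]$SearchBase)
    Get-ADGroup -SearchBase $SearchBase -Filter 'description -like "*Hidden"' `
        -Properties description, msExchHideFromAddressLists |
        Where-Object { $_.msExchHideFromAddressLists -ne $true } |
        Select-Object Name, description, msExchHideFromAddressLists
}

New-HiddenGroupWritebackRule -ConnectorName $ConnectorName -RuleName $RuleName

# A newly added rule is only applied after a full (Initial) sync cycle.
Start-ADSyncSyncCycle -PolicyType Initial
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 30 }

$stillVisible = Get-UnhiddenWritebackGroup -SearchBase $WritebackOU
if ($stillVisible) { $stillVisible | Format-Table -AutoSize }
else { 'All flagged groups are hidden in the on-prem GAL.' }
```

Two caveats worth keeping in mind with this design. Because the scoping filter keys on the group description, anyone who can edit a group's description in the cloud (its owners, by default) can toggle the group's on-prem GAL visibility, so treat the suffix as a convenience, not a control. And hiding a group from the GAL is purely a display setting on both sides: the group still accepts mail sent to its address unless delivery restrictions are configured separately.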
