Office 365 Group write back - hide in on-prem GAL


Latest version of AADC in use with group writeback enabled. After AADC creates the O365 Groups in AD, I run update-recipient on the group to give it mail attributes so it can be used by on-prem mail users.

 

I've created Office 365 Groups and hidden them from the GAL using Set-UnifiedGroup "group@domain.com" -HiddenFromAddressListsEnabled $True, and this works to hide the O365 Group from cloud mailboxes.

 

The problem is that on-prem mailboxes are still able to see the Office 365 Group in the GAL. If I modify the group in AD and set msExchHideFromAddressLists to TRUE, then on-prem users no longer see the O365 Group in the GAL, BUT, on the next AADC sync, the msExchHideFromAddressLists attribute is overwritten and set back to <not set>.

 

In reviewing sync rules, the Inbound rule named "Out to AAD - Group SOAinAAD" does NOT include msExchHideFromAddressLists in the transformations, so this attribute is never getting into the metaverse for any O365 Group objects. To try and address this issue I modified a custom version of this rule, added a transformation for msExchHideFromAddressLists and did a full sync, but this attribute never comes into the metaverse on O365 Group objects. I've tried a number of different ways to make this work but none do.

 

This seems like some kind of bug, as there is an Outbound rule named "Out to AD - Group SOAinAAD" that includes the msExchHideFromAddressLists attribute in it. This implies MSFT intends for this setting to push from AAD to AD, but since the Inbound rule doesn't have this attribute (nor can I get it to work by manually adding it), the "hide in GAL" setting of an O365 Group set in the cloud can never come down to AD.

 

2 Replies

@Evan Mann did you ever find a solution to this? I am finding the same behavior: the 365 unified groups are hidden from cloud mailboxes but not on-prem.

 

TG

@Geseronta 

 

No resolution on behalf of Microsoft, even with AADC 2.0 release.

 

I implemented my own solution with a custom sync rule that looks for something in the Unified Group data to be able to trigger the group to be hidden on-prem. I copied one of the existing "Out to AD" rules as a starting point.

 

The logic I used is based on the description of the Unified Group as set in the cloud. In my case I'm looking for the description to "end with" the word "Hidden". As an example, if the group description is "My IT Group - Hidden" then this rule matches. I chose to do it this way because there may have been some reason I wanted some Unified Groups hidden in on-prem AD and others not to be hidden.

 

Description
Connected System = on-prem AD domain
Connected System Object Type = group
Metaverse Object Type = group
Link Type = Join
Precedence = 50

Scoping Filter
Attribute = cloudMastered
Operator = EQUAL
Value = TRUE

Attribute = description
Operator = ENDSWITH
Value = Hidden

Transformations
FlowType = Constant
Target Attribute = msExchHideFromAddressLists
Source = true
Merge Type = update

 

You can adapt your Scoping filter as needed based on your desires. If you wanted every Unified Group to be hidden on-prem, you can just use cloudMastered EQUAL true for the scope and nothing else, and that should do it.
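The same outbound rule, built with the ADSync PowerShell module on the AADC server instead of clicked together in the Synchronization Rules Editor. This is an added example, not the poster's own export; it assumes the on-prem AD connector is named 'contoso.local' (placeholder) and that New-Guid supplies the rule Identifier.

```powershell
# Added example: create the custom "Out to AD" rule described in the reply above.
# Run in an elevated PowerShell session on the AADC server.
Import-Module ADSync

# Pause the scheduler while editing rules so a sync cycle cannot start mid-change.
Set-ADSyncScheduler -SyncCycleEnabled $false

# Placeholder connector name; replace with the name of your on-prem AD connector.
$adConnector = Get-ADSyncConnector -Name 'contoso.local'

New-ADSyncRule `
    -Name 'Out to AD - Group Hidden from GAL' `
    -Identifier (New-Guid).Guid `
    -Description 'Hide cloud-mastered Unified Groups whose description ends with Hidden' `
    -Direction 'Outbound' `
    -Precedence 50 `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'group' `
    -TargetObjectType 'group' `
    -Connector $adConnector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule

# Scoping filter: conditions in one group are ANDed (cloudMastered = True AND description ENDSWITH Hidden).
$scopeMastered = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'cloudMastered', 'True', 'EQUAL'
$scopeHidden = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'description', 'Hidden', 'ENDSWITH'
Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($scopeMastered, $scopeHidden) -OutVariable syncRule

# Transformation: constant True flows into msExchHideFromAddressLists with merge type Update.
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Destination 'msExchHideFromAddressLists' `
    -FlowType 'Constant' `
    -ValueMergeType 'Update' `
    -Source @('True') `
    -OutVariable syncRule

Add-ADSyncRule -SynchronizationRule $syncRule[0]

# Confirm the rule landed with the expected direction and precedence, then re-enable the scheduler
# and run a full sync (Start-ADSyncSyncCycle -PolicyType Initial) so existing groups are re-evaluated.
Get-ADSyncRule | Where-Object { $_.Name -eq 'Out to AD - Group Hidden from GAL' } |
    Select-Object Name, Direction, Precedence, LinkType
Set-ADSyncScheduler -SyncCycleEnabled $true
```

Because the trigger is a free-text description, anyone allowed to edit a group's description in the cloud can change that group's on-prem GAL visibility; scoping on cloudMastered alone avoids that dependency at the cost of hiding every written-back group.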