msexchhidefromaddresslist attribute missing

Question

msexchhidefromaddresslist attribute missing

MasTer 0

Environment is having 2 on premise AD. One AADconnect server. Then Azure AD and Office 365. We do not have exchange on premise. But all the users are still created in on premise. So terminated or disabled users in AD is still showing up in exchange online address list. As we do not have msexchhidefromaddresslist and mailnickname attributes present in AD, we cannot hide those disabled users from address list.

Custom rule created in AADconnect to sync from custom attribute to hidefromaddresslist in Azure AD. Still does not work.

Name: Hide user from GAL Description: If msDS-CloudExtensionAttribute1 attribute is set to HideFromGAL, hide from Exchange Online GAL Connected System: Your Active Directory Domain Name Connected System Object Type: user Metaverse Object Type: person Link Type: Join Precedence: 50

Click Next > on Scoping filter and Join rules, those can remain blank

Enter the following Transformation page, click the Add transformation button, fill out the form with the values below, and then click Add FlowType: Expression Target Attribute: msExchHideFromAddressLists Source:

IIF(IsPresent([msDS-cloudExtensionAttribute1]),IIF([msDS-cloudExtensionAttribute1]="HideFromGAL",True,False),NULL)

Now perform an initial sync

Start-ADSyncSyncCycle -PolicyType Initial

Hide the user from AD by setting the attribute

Select the Attributes Editor tab, find msDS-cloudExtensionAttribute1, and enter the value HideFromGAL (Note: The valude must be exactly the same as defined in the AD Connect Rule, case sensitive), click OK and OK to close out of the editor.

Continue with a AD Connect DELTA Sync:

Start-ADSyncSycnCycle -PolicyType Delta

Still it does not sync and this msDS-cloudExtensionAttribute1 is a sync enabled attribute.

I would like to know any other method is there.

I think the next option is to run prepareschema and preparead using exchange server setup. I do not know which exchange version set up to download and run, also if we want to remove those attribute in future, how do I do that?

Anonymous

2025-04-01T05:35:58.3566667+00:00

Hi @MasTer,

If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

1 answer

Your answer

Anonymous

2025-04-01T05:35:58.3566667+00:00

Hi @MasTer,

If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Answer 1

Anonymous

Hi @MasTer,

Thank you for posting your question in the Microsoft Q&A forum.

Based on your description, your question is how to synchronize information about disabled or departed users to Azure AD by configuring AD Connect to hide these users in the GAL of Exchange Online.

In your Active Directory (AD) environment, only the default properties from the AD installation currently exist and do not yet contain Exchange-related properties, so it is normal to not be able to find specific Exchange parameters.

In fact, it is possible to add the required Exchange attributes without installing an Exchange server, but by performing a schema extension. It is important to note that the schema extension itself is safe, but it must be performed by an administrator with appropriate privileges. It is important to note that once the schema extension has been completed, it cannot be fully rolled back, however, you can choose to stop using the newly added attributes at a later date.

To resolve this issue, you will need to run PrepareSchema and PrepareAD, and once you have done so, your AD environment will have the appropriate Exchange properties (see below). Detailed information on preparing AD and domains can be found in the documentation: Prepare Active Directory and domains for Exchange Server, Active Directory Exchange Server, Exchange Server Active Directory. Exchange 2019 Active Directory | Microsoft Learn

User's image

After you have successfully added the attributes, you can set them with the help of the ADSI editing tool, or by using PowerShell commands. Subsequently, synchronize these settings to Azure AD via the AD Connect tool, thus achieving the goal of hiding users in the address list.

If the answer is helpful, please click on “Accept answer” as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

Thank you for your support and understanding.

MasTer 0 Reputation points

2025-03-19T09:13:15.73+00:00

Hi,

Thank you. Do I need to add E:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAD /OrganizationName:"Contoso Corporation" oragnization name? We do not have exchange on premise. We only have office 365. Here how would I find out the organization name? Is it the on premise AD domain name? Also can you tell me why the rules are not working?
MasTer 0 Reputation points

2025-03-19T09:14:59.1766667+00:00

Hi,

Thank you. Also let me know if mailnickname attribute is also manadatory? If yes, why? Please also let me know if we did not go for ad schema expansion and removed the proxy addresses mentioned for the disabled users, will it also hide the users from office 365 address list?
Anonymous

2025-03-20T09:08:31.6233333+00:00
Hi @MasTer,

Thank you for your response and I will answer your questions one by one.

If you install a new Exchange organization, you will need to choose a name for the Exchange organization. The organization name is used internally by Exchange, is not typically seen by users, does not affect the functionality of Exchange, and does not determine what you can use for email addresses. This is a custom name that you can fill in as you wish.

the rule you set up previously did not take effect because your original Active Directory (AD) environment did not yet contain Exchange-related attributes and you could not set or change the attributes by customizing the rule alone. the changes in Azure AD are dependent on the local AD attributes being changed. The local AD properties have not been changed in your previous operation, so naturally the cloud state will not change based on this.

Yes, the mailnickname attribute is mandatory. This is because the Exchange synchronization rule controls the “msExchHideFromAddressLists” attribute by default, but the filter for this rule requires that the “mailNickname” attribute be not be empty. Without this attribute, the object will not be recognized as an Exchange recipient, and therefore all Exchange-related rules will be skipped.

If you remove the Proxy Addresses of disabled users without extending the AD schema, these users are not automatically hidden from the Office 365 address list. This is because Proxy Addresses are primarily used for email routing and alias management, rather than controlling the visibility of users in address lists.

If the answer is helpful, please click on “Accept answer” as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

Thank you for your support and understanding.
MasTer 0 Reputation points

2025-03-21T11:48:50.4566667+00:00

After adding what are the next steps to make sure that these attributes are synchronized to azure ad. Do I need to create another sync rule? if yes, share me the rule configurations please.
Anonymous

2025-03-24T08:25:20.85+00:00

Hi @MasTer,

Thank you for your response.

Please open the Synchronization Rule Editor to see if the MsExchHideFromAddressLists property is already included. If it is present, there is no need to create additional synchronization rules. If it is not present, you need to add the mapping manually by following the link below.

msExchHideFromAddressLists attribute isnt syncing across to Azure | Microsoft Learn

If the answer is helpful, please click on “Accept answer” as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

Thank you for your support and understanding.
MasTer 0 Reputation points

2025-03-26T06:07:15.54+00:00

Thank you. I see the article. Any specific powershell command to metaverse search method to get the rule name where this msexchaddresslist parameter involved?
Anonymous

2025-03-27T09:23:42.5366667+00:00

Hi @MasTer,

Thank you for your response.

Unfortunately, I didn't find the commands related to this in the official documentation. However, the following article will hopefully help you by creating a script to display the attribute names for AD, Metaverse and AAD.

How to Extract Azure AD Connect Attribute Mapping - Easy365Manager

Please note that the URL provided above is for a three-way connection. The content and information updates in the pages are not under the control of Microsoft and are provided for immediate informational purposes only. Microsoft is not responsible, directly or indirectly, for errors, inaccuracies, or mistakes in the information it provides. Please understand that. Please ensure that you adopt it with a full understanding of its risks.

If the answer is helpful, please click on “Accept answer” as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

Thank you for your support and understanding.

Share via

msexchhidefromaddresslist attribute missing

1 answer

Your answer