Hiding from the GAL (Global Address List): A Step-by-Step Guide for AD and Azure AD Sync Ninjas

Even GPT doesn't know where to hide from GAL

Sometimes, certain accounts just don’t belong in the Global Address List (GAL). Whether it’s a service account, a test user, or something you don’t want anyone emailing, hiding it is the way to go. If you're syncing Azure AD with on-premises AD, there are a few steps to make this happen properly.

Let’s get straight to it.


What You’ll Need

  • Active Directory (AD) Sync with Azure AD: Already set up and working.
  • Active Directory Administrative Tools: ADUC (Active Directory Users and Computers) with Attribute Editor enabled.
  • Permissions: You’ll need rights to modify user attributes.

Step-by-Step Guide

Step 1: Open Active Directory Users and Computers (ADUC)

  • Launch ADUC on a domain controller or management server.
  • If you don’t see the Attribute Editor tab, enable Advanced Features under the View menu.

Step 2: Locate the User or Service Account

  • Find the account you want to hide.
  • Right-click the account and select Properties.

Step 3: Set the mailNickname Attribute

  • In the Attribute Editor tab, locate the mailNickname attribute.
    (If it’s missing, something’s wrong with your schema or setup—fix that first.)
  • Set the mailNickname value to match the sAMAccountName.
    Example: If the sAMAccountName is TestUser, set mailNickname to TestUser.

This step is mandatory to ensure the account syncs correctly with Azure AD and Exchange.


Step 4: Set msExchHideFromAddressLists

  • Still in the Attribute Editor, locate the msExchHideFromAddressLists attribute.
  • Set its value to TRUE.
    This tells Exchange to hide the account from the GAL.

Step 5: Apply Changes and Close

  • Click OK to save your changes and close the properties window.
  • Your on-premises AD is now configured, but the changes need to sync to Azure AD.
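The ADUC clicks in Steps 3 to 5 can be done from PowerShell as well, which is handy when you have more than one account to hide. The script below is an added example, not part of the original post: it assumes the RSAT ActiveDirectory module is installed, that the account is called TestUser (the post's sample name), and that the Exchange schema extension is present so msExchHideFromAddressLists is a real attribute. It refuses to write if that attribute is missing from the schema, sets mailNickname equal to sAMAccountName, flips msExchHideFromAddressLists to TRUE, and reads the object back so you know the change persisted before you trigger a sync.

```powershell
# Added example (not from the original post): Steps 3-5 done with the
# ActiveDirectory module instead of ADUC.
# Assumptions: RSAT ActiveDirectory module installed; the account 'TestUser'
# (sample name) exists; the Exchange schema extension is in place.
Import-Module ActiveDirectory

$sam = 'TestUser'   # sAMAccountName of the account to hide (sample value)

# Sanity check first: if the Exchange attributes are not in the schema, stop
# rather than writing to a non-existent attribute (the post's "fix that first").
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -Filter "lDAPDisplayName -eq 'msExchHideFromAddressLists'"
if (-not $attr) {
    throw 'msExchHideFromAddressLists is not in the schema; extend the schema before continuing.'
}

# Read the account with the two attributes we care about.
$user = Get-ADUser -Identity $sam -Properties mailNickname, msExchHideFromAddressLists

# Step 3: mailNickname must match sAMAccountName.
# Step 4: msExchHideFromAddressLists = TRUE.
Set-ADUser -Identity $sam -Replace @{
    mailNickname               = $user.SamAccountName
    msExchHideFromAddressLists = $true
}

# Read back and confirm (the on-prem half of Step 7) before syncing.
$after = Get-ADUser -Identity $sam -Properties mailNickname, msExchHideFromAddressLists
if ($after.mailNickname -ne $after.SamAccountName -or -not $after.msExchHideFromAddressLists) {
    throw "Attributes on $sam did not persist as expected."
}
"$sam : mailNickname=$($after.mailNickname) hidden=$($after.msExchHideFromAddressLists)"
```

To hide several accounts, wrap the Set-ADUser and read-back in a foreach over a list of sAMAccountNames; the schema check only needs to run once.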

Step 6: Sync Changes to Azure AD

Option 1: Perform a Delta Sync

Run this PowerShell command on your Azure AD Connect server to sync recent changes:

Start-ADSyncSyncCycle -PolicyType Delta

Option 2: Perform a Full Sync

If the changes don’t appear or you suspect sync issues, run a full sync:

Start-ADSyncSyncCycle -PolicyType Initial

Step 7: Verify the Changes

  • Test the GAL: Open Outlook or any tool that displays the GAL and search for the account. It should no longer appear.
  • Check Azure AD: Log in to the Azure AD portal and confirm that msExchHideFromAddressLists and mailNickname values are correctly synced.

Troubleshooting

  • Account Still Visible in the GAL?
    • Double-check that:
      • msExchHideFromAddressLists is set to TRUE.
      • mailNickname is set correctly to match sAMAccountName.
    • Verify that Azure AD Connect is syncing without errors.
  • Attribute Editor Missing?
    • Enable Advanced Features in ADUC under the View menu.
  • Sync Issues?
    • Restart the sync service and run a full sync:

Start-Service ADSync
Start-ADSyncSyncCycle -PolicyType Initial
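Step 6 and the "Sync Issues?" item above boil down to the same routine on the Azure AD Connect server: make sure the service is up, make sure a cycle is not already running (Start-ADSyncSyncCycle errors out if one is), kick off the sync, and wait for it to finish. This script is an added example and not part of the original post; it assumes you run it as an administrator on the Azure AD Connect server, that the ADSync module and the ADSync Windows service are present, and that Get-ADSyncScheduler and Get-ADSyncConnectorRunStatus are available in your ADSync module version. Change $policy to Initial for the full sync in Option 2.

```powershell
# Added example (not from the original post): Step 6 plus the "Sync Issues?"
# troubleshooting item as one script for the Azure AD Connect server.
# Assumptions: run elevated on the Azure AD Connect server; ADSync module and
# the 'ADSync' Windows service exist; Get-ADSyncScheduler and
# Get-ADSyncConnectorRunStatus are available in this module version.
Import-Module ADSync

$policy = 'Delta'   # 'Delta' for Option 1, 'Initial' for the full sync in Option 2

# Troubleshooting: the sync service must be running before anything else.
$svc = Get-Service -Name ADSync
if ($svc.Status -ne 'Running') {
    Start-Service -Name ADSync
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# Scheduler check: warn if cycles are disabled, and never start a new cycle
# while one is in progress (Start-ADSyncSyncCycle would fail).
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) {
    Write-Warning 'Sync cycles are disabled; re-enable with Set-ADSyncScheduler -SyncCycleEnabled $true.'
}
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'A sync cycle is already running; waiting...'
    Start-Sleep -Seconds 15
}

# Step 6: trigger the sync.
Start-ADSyncSyncCycle -PolicyType $policy

# Poll until no connector reports as running, then report completion.
do {
    Start-Sleep -Seconds 10
    $running = Get-ADSyncConnectorRunStatus
} while ($running)
"Sync cycle ($policy) finished at $(Get-Date -Format u)"
```

Once it reports finished, go back to Step 7 and check the GAL; if the account is still visible, the on-prem attributes (mailNickname and msExchHideFromAddressLists) are the first thing to re-check, not the sync.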

By now, your account is hidden from the GAL while everything stays functional in both AD and Azure AD. Setting the mailNickname attribute to match sAMAccountName is a critical step—don’t skip it! Don't ask me why.

Now go forth and declutter your GAL like the true sys admin pro you are. Cheers!
