msExchHideFromAddressLists

How to configure msExchHideFromAddressLists

msExchHideFromAddressLists is an attribute in Active Directory (AD) used on users, groups, and contacts to control visibility in address lists.

Later we’ll look at how to configure it via PowerShell, but for now, let’s do it the easy way!

Hide From Address Lists Using AD Users & Computers

By far, the easiest way to configure msExchHideFromAddressLists (and any other AD mail attributes, for that matter) is using Easy365Manager.

With Easy365Manager, you don’t have to switch between multiple admin tools: Everything is possible in the AD Users & Computers tool due to the extra tabs on user and group properties.

To modify the msExchHideFromAddressLists for a mailbox, open up user properties and go to the mailbox tab:

Check the “Hide from address lists” checkbox and click OK to commit the change.

(For faster replication to Office 365, select the “Synchronize AD with Office 365” checkbox before committing the change.)

You can download a fully functional 30-day trial of Easy365Manager here.

The Easy365Manager trial is a simple .dll extension to Active Directory Users & Computers and makes no changes to your schema or infrastructure.

Hide From Address Lists Using Exchange On-Premises

Without Easy365Manager, you need to run Exchange on-premises to have easy GUI access to this attribute.

You’ll need to perform the tedious steps of logging into Exchange on-premises, selecting recipients, selecting mailboxes, opening the mailbox properties, and checking the “Hide from address lists” checkbox:

Configure hide from address lists using Exchange On-premises

Exchange on-premises carries a lot of direct and indirect costs and is a frequent target of zero-day exploits, as seen with the extensive Hafnium attack in the first half of 2021.

With Easy365Manager you can retire Exchange on-premises including all the cost and risk associated with it.

Hide From Address Lists Using PowerShell

If you want to automate the process of hiding your user or group from address lists, you should use PowerShell.

For that, you need the ActiveDirectory Module for PowerShell. This module is part of RSAT (Remote Server Administration Tools) which you must activate (or download depending on your OS version). The module is available on domain controllers by default.

The msExchHideFromAddressLists attribute is a nullable boolean, meaning you can set it to true, false, or null.

Use the following command to unhide a group from address lists:

Set-ADObject "CN=Marketing,OU=GigaCorp_Groups,DC=gigacorp,DC=local" -Replace @{msExchHideFromAddressLists=$false}

The advantage of using Set-ADObject is that you can use it for any type of object. For example, you can run this command against a user, a group or a contact object.

The potential problem with Set-ADObject is that the identity must be either the distinguishedName (as seen in the above example) or the objectGUID.

If you only remember the sAMAccountName attribute, you can still use Set-ADObject with this small workaround:

Get-ADObject -LDAPFilter "(sAMAccountName=Marketing)" | Set-ADObject -Replace @{msExchHideFromAddressLists=$false}

If you want to take an object-specific approach, you can use Set-ADUser or Set-ADGroup. Both of these commands accept sAMAccountName as the identity parameter:

Set-ADGroup Marketing -Replace @{msExchHideFromAddressLists=$false}

Finally, to clear (null) the value from the msExchHideFromAddressLists attribute, use the following command:

Set-ADGroup Marketing -Clear msExchHideFromAddressLists
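
The commands above can be combined into one helper that handles all three states of the attribute. This is an added example, not code from the original post or from Easy365Manager; the function name Set-HideFromAddressLists and its parameters are hypothetical, and it assumes the AD schema has been extended for Exchange and that the name resolves to exactly one object.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper (not part of the ActiveDirectory module): sets the
# tri-state msExchHideFromAddressLists value on any object that has a
# sAMAccountName, and supports -WhatIf / -Confirm.
function Set-HideFromAddressLists {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # 'True' hides, 'False' unhides, 'NotSet' clears the attribute (null)
        [Parameter(Mandatory)][ValidateSet('True', 'False', 'NotSet')][string]$State
    )
    $attr = 'msExchHideFromAddressLists'

    # Escape LDAP filter metacharacters (RFC 4515) so the name cannot alter the filter
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'
    $found = @(Get-ADObject -LDAPFilter "(sAMAccountName=$escaped)" -Properties $attr)
    if ($found.Count -ne 1) {
        throw "Expected exactly one object for '$SamAccountName', found $($found.Count)."
    }
    $object = $found[0]

    # A missing attribute reads back as $null, which is distinct from $false
    $current = if ($null -eq $object.$attr) { 'NotSet' } else { [string]$object.$attr }
    if ($current -eq $State) {
        Write-Verbose "$($object.DistinguishedName): $attr is already $current"
        return
    }
    if ($PSCmdlet.ShouldProcess($object.DistinguishedName, "Change $attr from $current to $State")) {
        if ($State -eq 'NotSet') {
            Set-ADObject -Identity $object -Clear $attr
        } else {
            Set-ADObject -Identity $object -Replace @{ $attr = ($State -eq 'True') }
        }
    }
}

# Preview the change for the Marketing group used above without writing to AD
Set-HideFromAddressLists -SamAccountName Marketing -State False -WhatIf

# Read-only review of everything currently hidden. LDAP boolean values must be
# upper case; use '(!(msExchHideFromAddressLists=*))' to list objects where
# the attribute is null instead.
Get-ADObject -LDAPFilter '(msExchHideFromAddressLists=TRUE)' |
    Select-Object Name, ObjectClass, DistinguishedName
```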

Consolidated AD and Office 365 Management

If you find yourself working with many different technologies every day, you probably wouldn’t mind reducing some of the complexity.

Easy365Manager consolidates your AD and Office 365 management which provides a lot of benefits:

  • You don’t need to speculate about attribute authority (Easy365Manager will write to AD/Office 365 as needed)
  • You don’t need to switch between multiple web consoles and PowerShell (everything is managed out of AD Users & Computers)
  • You can remove your on-premises Exchange Server (giving you 100% protection from future zero-day exploits targeting Exchange on-premises)

Easy Delegation of Semi-Complex Tasks

Even admins who work full-time focusing on AD and Office 365 can find a lot of benefits in running Easy365Manager.

With Easy365Manager, you can easily delegate semi-complex tasks like calendar permission configuration to your first-level support.

With Easy365Manager, any junior admin can configure calendar permissions with practically no instructions needed:

Delegating tedious day-to-day operations to front-line support allows you to concentrate on more complex tasks as a back-end admin.

It’s probably safe to assume that your management would prefer you to apply your skillset to improve your infrastructure’s security and maturity – instead of scripting calendar permissions.
