The question were raised a couple of times and I couldn’t find any related articles besides the official TechNet articles, so I decided to write one myself.

Some organizations have the need of separating people from seeing each other in the global address list (GAL), this is known as GAL segmentation and have been on the surface for a long time.

However, when it comes to do a segmentation in Office 365 and Exchange Online, it can be challenging and difficult, so I decided to write this article and provide an example of how this can be done.

 

Scenario – segmentation between school (students & teachers) and others (teachers, admin personnel and managers).

In detail the teachers and the students should be able finding each other in the address lists, while the administrators shouldn’t be able finding the students in their lists. However, administrators and teachers should be able to reach out through the address lists.

 

ABP

 

RBAC

By default the global administrator DON’T have access to manage the address lists, so either add the Address List Management permissions into the Organization Management role group or create a new role group with the role Address List Management and add the appropriate user into the group.

 

Attributes

One way of making sure the segmentation is working they way it is expected is to make it possible grouping the users using the extensionAttribute/CustomAttribute values in AD/Exchange.
These should be configured in the on-premise Active Directory (AD).

In this example all students and teachers has a value of “EDU” in their extensionAttribute15/CustomAttribute15, while the others have a value of “ADM” in their extensionAttribute14/CustomAttribute14 so they can easily be filtered.

With the attribute values in place, we need to configure address lists, global address list, offline address book, address book policy and finally apply it to the mailboxes.

This is done using PowerShell for Exchange Online running the following cmdlets..

 

Configuration for students and teachers


New-AddressList -Name "AL-EDU-Users-DGs" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientTypeDetails -eq "MailUniversalDistributionGroup") -or (RecipientTypeDetails -eq "DynamicDistributionGroup")) -and (CustomAttribute15 -eq "EDU")}

New-AddressList -Name "AL-EDU-Rooms" -RecipientFilter {((Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))) -and (CustomAttribute15 -eq "EDU")}

New-GlobalAddressList -Name "GAL-EDU" -RecipientFilter {(CustomAttribute15 -eq "EDU")}

New-OfflineAddressBook -Name "OAB-EDU" -AddressLists "GAL-EDU"

New-AddressBookPolicy -Name "ABP-EDU" -AddressLists "AL-EDU-Users-DGs","AL-EDU-Rooms" -OfflineAddressBook "\OAB-EDU" -GlobalAddressList "\GAL-EDU" -RoomList "\AL-EDU-Rooms"

Get-Mailbox | Where {$_.CustomAttribute15 -eq "EDU"} | Set-Mailbox -AddressBookPolicy "ABP-EDU"

 

Configuration for administrator personnel, managers and teachers


New-AddressList -Name "AL-ADM-Users-DGs" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "DynamicDistributionGroup")) -and (CustomAttribute14 -eq "ADM")}

New-AddressList -Name "AL-ADM-Rooms" -RecipientFilter  {((Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))) -and (CustomAttribute14 -eq "ADM")}

New-GlobalAddressList -Name "GAL-ADM" -RecipientFilter {(CustomAttribute14 -eq "ADM")}

New-OfflineAddressBook -Name "OAB-ADM" -AddressLists "GAL-ADM"

New-AddressBookPolicy -Name "ABP-ADM" -AddressLists "AL-ADM-Users-DGs","AL-ADM-Rooms" -OfflineAddressBook "\OAB-ADM" -GlobalAddressList "\GAL-ADM" -RoomList "\AL-ADM-Rooms"

Get-Mailbox | Where {$_.CustomAttribute14 -eq "ADM"}  | Set-Mailbox -AddressBookPolicy "ABP-ADM"

 

Configuration for teachers (“Everyone”)

The configuration for the teachers is a bit different since they should be able to see all users, in my example I do configure the policy to include all address lists, this can be configured so it matches your requirements.


New-AddressBookPolicy -Name "ABP-Teachers" -AddressLists "AL-ADM-Users-DGs","AL-ADM-Rooms","AL-EDU-Users-DGs","AL-EDU-Rooms","All Groups","All Contacts","All Distribution Lists","All Rooms","All Users" -OfflineAddressBook "\Default Offline Address Book" -GlobalAddressList "\Default Global Address List" -RoomList "\All Rooms"

Get-Mailbox | Where {$_.CustomAttribute1 -eq “teachers”} | Set-Mailbox -AddressBookPolicy "ABP-Teachers"

 

Ps. In the example for applying the policy to teachers, I’ve filtered the users using extensionAttribute1/CustomAttribute1 with the value of “teachers”.

 

The final result is shown below..

Students – able to find students and teachers in GAL

2014-09-30 13-51-27

Admins – able to find admins, managers and teachers in GAL

2014-09-30 13-53-06

Managers – able to find admins, managers and teachers in GAL

2014-09-30 13-54-05

Teachers – able to find everyone in GAL

2014-09-30 14-00-11

 

I hope this gave a more clear picture of the configuration to you, feel free to comment or give any feedback!

 

More information:

http://technet.microsoft.com/en-us/library/jj657455(v=exchg.150).aspx