The question has been raised a couple of times and I couldn't find any related articles besides the official TechNet ones, so I decided to write one myself.
Some organizations need to prevent certain people from seeing each other in the global address list (GAL). This is known as GAL segmentation and has been around for a long time.
However, doing this segmentation in Office 365 and Exchange Online can be challenging, so I decided to write this article and provide an example of how it can be done.
Scenario – segmentation between the school (students and teachers) and the others (teachers, admin personnel and managers).
In detail: teachers and students should be able to find each other in the address lists, while administrators shouldn't be able to find the students in their lists. However, administrators and teachers should still be able to reach each other through the address lists.
RBAC
By default the global administrator DOESN'T have access to manage the address lists, so either add the Address List Management role to the Organization Management role group, or create a new role group with the Address List Management role and add the appropriate users to that group.
Attributes
One way of making sure the segmentation works as expected is to make the users groupable by the extensionAttribute/CustomAttribute values in AD/Exchange.
These should be configured in the on-premises Active Directory (AD).
In this example every student and teacher has the value "EDU" in extensionAttribute15/CustomAttribute15, while everyone who belongs in the administrative lists has the value "ADM" in extensionAttribute14/CustomAttribute14, so both groups can easily be filtered.
With the attribute values in place, we need to configure the address lists, the global address list, the offline address book and the address book policy, and finally apply the policy to the mailboxes.
This is done in Exchange Online PowerShell by running the following cmdlets.
Configuration for students and teachers
New-AddressList -Name "AL-EDU-Users-DGs" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientTypeDetails -eq "MailUniversalDistributionGroup") -or (RecipientTypeDetails -eq "DynamicDistributionGroup")) -and (CustomAttribute15 -eq "EDU")}
New-AddressList -Name "AL-EDU-Rooms" -RecipientFilter {((Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))) -and (CustomAttribute15 -eq "EDU")}
New-GlobalAddressList -Name "GAL-EDU" -RecipientFilter {(CustomAttribute15 -eq "EDU")}
New-OfflineAddressBook -Name "OAB-EDU" -AddressLists "GAL-EDU"
New-AddressBookPolicy -Name "ABP-EDU" -AddressLists "AL-EDU-Users-DGs","AL-EDU-Rooms" -OfflineAddressBook "\OAB-EDU" -GlobalAddressList "\GAL-EDU" -RoomList "\AL-EDU-Rooms"
Get-Mailbox | Where {$_.CustomAttribute15 -eq "EDU"} | Set-Mailbox -AddressBookPolicy "ABP-EDU"
Configuration for administrator personnel, managers and teachers
New-AddressList -Name "AL-ADM-Users-DGs" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "DynamicDistributionGroup")) -and (CustomAttribute14 -eq "ADM")}
New-AddressList -Name "AL-ADM-Rooms" -RecipientFilter {((Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))) -and (CustomAttribute14 -eq "ADM")}
New-GlobalAddressList -Name "GAL-ADM" -RecipientFilter {(CustomAttribute14 -eq "ADM")}
New-OfflineAddressBook -Name "OAB-ADM" -AddressLists "GAL-ADM"
New-AddressBookPolicy -Name "ABP-ADM" -AddressLists "AL-ADM-Users-DGs","AL-ADM-Rooms" -OfflineAddressBook "\OAB-ADM" -GlobalAddressList "\GAL-ADM" -RoomList "\AL-ADM-Rooms"
Get-Mailbox | Where {$_.CustomAttribute14 -eq "ADM"} | Set-Mailbox -AddressBookPolicy "ABP-ADM"
Configuration for teachers (“Everyone”)
The configuration for the teachers is a bit different since they should be able to see all users. In my example I configure the policy to include all address lists; adjust this so it matches your requirements.
New-AddressBookPolicy -Name "ABP-Teachers" -AddressLists "AL-ADM-Users-DGs","AL-ADM-Rooms","AL-EDU-Users-DGs","AL-EDU-Rooms","All Groups","All Contacts","All Distribution Lists","All Rooms","All Users" -OfflineAddressBook "\Default Offline Address Book" -GlobalAddressList "\Default Global Address List" -RoomList "\All Rooms"
Get-Mailbox | Where {$_.CustomAttribute1 -eq "teachers"} | Set-Mailbox -AddressBookPolicy "ABP-Teachers"
PS: In the example for applying the policy to the teachers, I've filtered the users on extensionAttribute1/CustomAttribute1 with the value "teachers".
The final result is shown below.
Students – able to find students and teachers in GAL
Admins – able to find admins, managers and teachers in GAL
Managers – able to find admins, managers and teachers in GAL
Teachers – able to find everyone in GAL
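To confirm that the result above actually holds, the following verification script is added here; it is not part of the original article. It assumes an Exchange Online PowerShell session and the attribute values and policy names used above (EDU/ADM, ABP-EDU, ABP-ADM, ABP-Teachers); the function names are hypothetical helpers, not Exchange cmdlets.

```powershell
# Added verification script (not from the original article). Assumes an
# Exchange Online PowerShell session and the names used in the article.
# Show-ListPreview, Test-AbpAssignment and Get-UnsegmentedMailboxes are
# hypothetical helper functions defined here, not Exchange cmdlets.

# Preview which recipients an address list (or, with -Gal, a global address
# list) filter resolves to, so the OPATH filter can be checked before users
# see its effect.
function Show-ListPreview {
    param([string]$Name, [switch]$Gal)
    $list = if ($Gal) { Get-GlobalAddressList -Identity $Name } else { Get-AddressList -Identity $Name }
    Get-Recipient -RecipientPreviewFilter $list.RecipientFilter -ResultSize Unlimited |
        Select-Object DisplayName, RecipientTypeDetails, CustomAttribute14, CustomAttribute15
}

# Report mailboxes whose attribute places them in a segment but whose ABP is
# not one of the policies allowed for that segment (including mailboxes with
# no ABP at all, e.g. newly created ones). Teachers carry both EDU and ADM and
# legitimately get ABP-Teachers, so the allowed set is a list. -Fix assigns
# the first allowed policy, so apply ABP-Teachers (CustomAttribute1) first.
function Test-AbpAssignment {
    param([string]$Attribute, [string]$Value, [string[]]$AllowedPolicies, [switch]$Fix)
    $wrong = Get-Mailbox -ResultSize Unlimited | Where-Object {
        $_.$Attribute -eq $Value -and
        ([string]$_.AddressBookPolicy) -notin $AllowedPolicies
    }
    if ($Fix -and $wrong) {
        $wrong | Set-Mailbox -AddressBookPolicy $AllowedPolicies[0]
    }
    $wrong | Select-Object DisplayName, PrimarySmtpAddress, AddressBookPolicy
}

# Mailboxes outside every segment: no ABP (they fall back to the default GAL
# and see everyone) or neither attribute set (invisible in both segmented
# GALs). Either case is a gap in the segmentation.
function Get-UnsegmentedMailboxes {
    Get-Mailbox -ResultSize Unlimited | Where-Object {
        [string]$_.AddressBookPolicy -eq '' -or
        ($_.CustomAttribute15 -ne 'EDU' -and $_.CustomAttribute14 -ne 'ADM')
    } | Select-Object DisplayName, CustomAttribute14, CustomAttribute15, AddressBookPolicy
}

Show-ListPreview -Name 'GAL-EDU' -Gal
Test-AbpAssignment -Attribute 'CustomAttribute15' -Value 'EDU' -AllowedPolicies 'ABP-EDU', 'ABP-Teachers'
Test-AbpAssignment -Attribute 'CustomAttribute14' -Value 'ADM' -AllowedPolicies 'ABP-ADM', 'ABP-Teachers'
Get-UnsegmentedMailboxes
```

Running Test-AbpAssignment with -Fix on a schedule is one way to catch mailboxes created after the initial Set-Mailbox run, which would otherwise stay on the default (unsegmented) GAL.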
I hope this gave you a clearer picture of the configuration; feel free to comment or give any feedback!
More information:
http://technet.microsoft.com/en-us/library/jj657455(v=exchg.150).aspx
Useful, thanks for that.
Hi,
I have a little question like that.
All our users use the default address book policy that means without any policy assigned to them.
Then there are some external users (A, B, C, D) for whom I need to create a separate address book policy each (A_ABP, B_ABP, C_ABP, D_ABP), and I create custom address lists for them as well, since the ABP needs an address list and a room list (A_AL, A_RL, ….etc…., right?)
It is fine. A, B, C, D can finally see only their own addresses and not all users in our organization. However, I found that the custom address lists can be seen by all users from their address book.
1. How can I hide those custom address lists from the "default address book policy"?
2. Is it possible to create an address book policy without using a custom address list and room list, but only the GAL and OAB?
Thank You
Aron
Hi, do I need to apply the ABP every time I create new addresses, or is there a way to apply it to new addresses automatically?
Thanks, JP
Hello!
Do I understand correctly that I need to apply this AddressBookPolicy to every new user?