Home / server / Questions / 1143728
Accepted
HackSlash
Asked: 2023-09-15 01:22:54 +0800 CST

How to Remove Disabled AD Users from GAL in Exchange Online (M365) REST API

  • 772

There are many old questions related to this targeting Exchange 2010 on premises. If you're using Exchange Online in Azure, things have changed. Now you will need the new REST API remote PowerShell commands to manage Exchange. Accessing the properties on these objects is very different.

I can't find the account enabled property anymore and while there are Get-EXO* methods I don't see the corresponding Set-EXO* commands. The documentation doesn't talk about how to set properties on mailboxes, only to look at them. That can't be right.

I do see the HiddenFromAddressListsEnabled property but I can't change it.

BACKGROUND:

We generally disable accounts when people leave but we want to keep their mailbox. At the same time, we don't want that mailbox to be visible in the GAL. This will lower the chance of someone sending email to a person that doesn't exist.

QUESTION:

  1. How do I remove all currently disabled users from the GAL?
  2. How do I automatically remove users from the GAL in the future, as part of the account turn down process?

Can both be accomplished by a single method?

exchangeonline

1 Answers

  1. Best Answer

    When you use directory synchronization, almost all user attributes can't be directly edited in Azure AD: you need to modify them on the AD user objects and then ADConnect will synchronize them to the matching Azure AD users.

    This also applies to Exchange, which is heavily based on AD; you need to manipulate Exchange-related attributes on on-premises users, and then ADConnect will take care of synchronizing them to Azure AD and Exchange Online.

    In a standard hybrid Exchange environment, you would have an on-premises Exchange server and each user would have a Remote Mailbox; this would allow you to use on-premises Exchange to edit the settings of the remote mailboxes, such as making them hidden from address lists; however, if you don't actually have a hybrid Exchange server, you'll need to manually edit AD attributes in Active Directory; in this case, you should edit the msExchHideFromAddressLists attribute to achieve the desired result.

    Note: if you never had Exchange on-premises, you will not find the attribute in your AD users; in this case, you should use the Exchange setup to run the preparation steps (without actually installing Exchange); this will extend the Active Directory schema to include Exchange-related attributes, which then you will be able to edit.

    • 0