HiddenFromAddressListsEnabled can't be performed

If you are one of the lucky ones who did not have Azure AD Sync enabled and have had two parallel solutions, i.e. one online Azure AD tenant and an on-prem AD DS environment, chances are high that you will run, or already have run, into this issue: having to update information on-prem because your directory is being synchronized with AAD. This applies even in the most bizarre scenarios. For example, if you want to hide a mailbox from the global address list, the values must be set locally on the user object in Attribute Editor; otherwise you get this beautiful error while trying to hide the mailbox in Exchange Online:

HiddenFromAddressListsEnabled failure

The specific values that must be set are mailnickname (string) and msExchHideFromAddressLists (boolean). Why both must be set is a tale in itself, related to how an Exchange organization works; just know that in order to hide mailboxes from the global address list in Exchange Online, both of these must be set. If you never had Exchange on premises, or had Exchange in a different AD forest, chances are you are missing these attributes in AD DS, as your AD DS schema would not have been extended to include them. So you are thinking: well, this is not a problem, let's just extend the schema and we will have what we need in place within 5 minutes. That is not going to happen, maybe in a test environment, but in a production environment you will face some hurdles. If you do not have the extended schema, an object will show the following attributes:

HiddenFromAddressListsEnabled lacking attribute

As you can see, only three Exchange-related attributes are available: msExchAssistantName, msExchHouseIdentifier and msExchLabeledURI. Now let's explore the hurdles I met during this journey, one after the other, and how they were dealt with.

Locating Exchange media

Strange as it seems, this turned out to be a time-consuming and unnecessary problem. The customer did not have any Exchange licences, hence the installation media was not available in the Volume Licensing portal. At last, however, Exchange 2013 media was found and used to extend the schema. That too presented some challenges, as you can see. To start off, the schema had to be extended on the schema master domain controller. Prior to that, the account being used must be added to the Schema Admins group, and we had to log off and back on in order for the membership to take effect. During the first run the following error was encountered:

Exchange online schema extension error

One reboot later, the next error appeared, even after double-checking that .NET 4.7.2 was already present on this Windows Server 2016 machine, as indicated by the setup file:

Dot net 4.7.2 Error on Windows server 2016

If you too get the previous error about not being able to locate the right version of .NET, try running the .NET online (web) installer instead of the offline installer, as it detects the presence of the correct version of .NET before trying to download or install anything. After this was done, the schema extension went through without any further problems.

Exchange online schema extension details

It turns out that even though you cannot get hold of Exchange installation media from the Microsoft Download Center directly, it can be downloaded as a CU (cumulative update), which normally includes the full installation files. I have provided a link at the bottom of this page that you can use to download the media.

Setting mailnickname and HiddenFromAddressListsEnabled

We started by testing with one user before deploying the solution to the masses! This was done using the Active Directory Users and Computers management console.

HiddenFromAddressListsEnabled attribute

To hide the account in question this Exchange attribute was set to true.

Exchange online mailnickname attribute

The next piece of the puzzle was to update the mailnickname attribute. This should ideally be derived from the mailbox's primary address (the script below uses the part before the @), as it must be unique within the Exchange organization. In normal circumstances this value is calculated when the UPN of an AAD object is changed. When enabling Azure AD synchronization you will most probably also update the UPN, especially in a disjoint namespace scenario as I have previously described in my blog post https://zeglory.com/configure-azure-ad-connect/. When this happens, and in addition you start getting attributes from the on-prem environment that do not have values defined, you start to run into problems. So to make life easier and be on the safe side, set the value for all users in your AD DS environment. Not interested in manually editing hundreds or thousands of users? No problem, use PowerShell to do the job for you, as we did.

Mailnickname setup using Powershell script

This PowerShell script should be adjusted to your environment. As you can see, there is only one cmdlet, Set-ADUser, that actually does the work; the rest only shows values that are already present in AD DS. The PowerShell script contents as text are:

$Users = Get-ADUser -Filter * -SearchBase "OU=AAD-Sync,OU=Users,DC=INTRA,DC=Zeglory,DC=COM" -Properties UserPrincipalName,Manager,mailnickname,mail,Department,Info

$creds = Get-Credential -Message "Select username" -UserName "domain\administrator"
foreach ($User in $Users)
{
    $mailAddress = $User.mail
    # Skip users without a mail address, or with a space in it (an alias may not contain spaces)
    if ($null -ne $mailAddress -and $mailAddress -notmatch " ")
    {
        # Derive mailnickname from the local part of the primary address (everything before the @)
        $mailnickname = $mailAddress.Split("@")
        $mailnickname = $mailnickname[0]

        #Write-Host "Id:"$User.SamAccountName "Manager:"$User.Manager "Department:"$User.Department "PrivateEmail:"$User.Info
        #Write-Host "mail address:" $User.mail "mailnickname:" $User.mailnickname -ForegroundColor Green
        #Write-Host "Value to be set for mailnickname:" $mailnickname -ForegroundColor Red
        Set-ADUser -Identity $User.SamAccountName -Replace @{MailNickName = $mailnickname} -Credential $creds
    }
}

Perform Azure AD Connect Schema refresh

After the attributes mailnickname and msExchHideFromAddressLists (shown as HiddenFromAddressListsEnabled in Exchange Online) have been updated for the first user, the Azure AD Connect schema must be refreshed so that these attributes are synchronized to AAD.

Azure AD connect refresh schema

Now when you want to hide a user from the Exchange Online global address list, just set msExchHideFromAddressLists to TRUE locally in your AD DS (as was done for the first user above), and during the next sync cycle the address will be hidden.
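Putting the on-prem steps together, here is an added PowerShell example (not the post's script) that first verifies the Exchange schema extension is actually present, then sets both mailnickname and msExchHideFromAddressLists for one user or a whole OU with -WhatIf support, and ends with the delta sync to push the change. The OU path and the account name 'jdoe' are placeholders for your environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the post's script. Hides users from the Exchange Online GAL by setting
# the two on-prem attributes the post describes, after verifying the schema was extended.
# The OU path and the 'jdoe' account are placeholders for your environment.

function Test-ExchangeSchemaExtended {
    # Look the attribute up in the schema partition; $false means Exchange setup
    # /PrepareSchema was never run against this forest.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msExchHideFromAddressLists)'
    return [bool]$attr
}

function Set-GalHidden {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$SamAccountName,
        [bool]$Hidden = $true
    )
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties mail, mailNickname, msExchHideFromAddressLists
        if ([string]::IsNullOrWhiteSpace($user.mail)) {
            Write-Warning "$SamAccountName has no mail attribute; skipping, mailNickname cannot be derived."
            return
        }
        # Alias = local part of the primary address, as in the post's script
        $alias = ($user.mail -split '@')[0]
        # Aliases must be unique in the Exchange organization; refuse to create a duplicate
        $clash = Get-ADUser -Filter "mailNickname -eq '$alias' -and SamAccountName -ne '$SamAccountName'"
        if ($clash) { throw "mailNickname '$alias' is already used by $($clash.SamAccountName)" }

        $changes = @{ mailNickname = $alias; msExchHideFromAddressLists = $Hidden }
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Set mailNickname=$alias, msExchHideFromAddressLists=$Hidden")) {
            Set-ADUser -Identity $user -Replace $changes
        }
    }
}

if (-not (Test-ExchangeSchemaExtended)) {
    throw 'msExchHideFromAddressLists is not in the AD DS schema; extend it with Exchange setup /PrepareSchema first.'
}

# Pilot on one user first, as the post does; -WhatIf reports the change without writing it
Set-GalHidden -SamAccountName 'jdoe' -WhatIf
Get-ADUser -Filter * -SearchBase 'OU=AAD-Sync,OU=Users,DC=INTRA,DC=Zeglory,DC=COM' |
    Select-Object -ExpandProperty SamAccountName | Set-GalHidden -WhatIf

# After the one-time Azure AD Connect schema refresh (done in the AAD Connect wizard),
# push the change to AAD with a delta sync from the AAD Connect server:
# Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta
```

Drop -WhatIf once the reported changes look right; the uniqueness check is there because a duplicate alias is rejected by Exchange, which is exactly the class of sync error the post describes.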

Resources

To download the .NET installation files you can use the following link:

https://www.microsoft.com/en-us/download/details.aspx?id=55167

And to download Exchange 2016 CU16, whose setup can be used to extend your AD DS schema, use the following URL: https://www.microsoft.com/en-us/download/confirmation.aspx?id=101060

Hopefully this post will help someone out there, either by guiding them through the steps or just by saving some time through reusing the PowerShell script. In case of questions or comments, feel free to post them; as always, I will respond, hopefully in a timely fashion.
