GAL Segmentation in Office 365

This post walks through GAL segmentation setup in Office 365 in detail. The original idea was borrowed from this Microsoft blog post, but since not all of the steps were covered there in sufficient detail, I am expanding on them here and adding two specific examples: how to segment the GAL based on distribution list membership, and how to segment the GAL based on the Office attribute.

What is GAL Segmentation

GAL segmentation allows one to create an appearance of hosting multiple independent email organizations within the same Office 365 tenant. Administrators can create multiple address books and global address lists and filter them to only the specific contacts/mailboxes/groups. This makes it possible to lock down any given user to viewing contact details only of the employees they are supposed to see, creating an impression that the user is in a different Exchange / Office 365 organization.

GAL segmentation isn’t necessarily a new concept. It was possible to do this in on-prem Exchange 2010, Exchange 2007, and even as far back as Exchange 2003. But it is a somewhat new concept in Exchange Online and Office 365, and there isn’t a great deal of information on it out there yet.

Configure Prerequisites

Before we can jump into setting up GAL objects and policies, we need to grant ourselves permissions to manage address lists in Office 365 (this permission is not enabled by default). We also need to enable Address Book Policy Routing in Exchange Online.

Also, and this is important, check to make sure that you have either an Enterprise (E) or an Educational (A) Office 365 subscription level. Address book policy routing is currently not supported on lower subscription levels, and the instructions in this article will not work there.

Step 1: Grant Permissions to Manage Address Lists

  1. Log into portal.microsoftonline.com using a global administrator Office 365 account
  2. In the top menu bar, click on Admin and then Exchange 
  3. You are now in the Exchange Admin Center (EAC)
  4. On the left, click Permissions
  5. Click on the plus sign to add a new Role Group
    1. Name: Address List Management
    2. Roles: add “Address List” role
    3. Members: add your global admin account as a member
    4. Save the role group

Note: the steps above grant you access to the “New-GlobalAddressList” and “New-AddressList” commands that will be used later in this article. If you cannot see the “Address List” role, check your Office 365 subscription level and make sure that it is Enterprise or Education level. The Address List role does exist in Exchange Online, but by default it is not assigned to anyone, so nobody has GAL/address book management permissions until you assign it.

Step 2: Connect to Exchange Online PowerShell and Enable Address Book Policy Routing

This step could be done on one of your ADFS farm servers that has Windows Azure Active Directory PowerShell (WAAD Posh) installed. Launch WAAD as Administrator (elevate if you have UAC enabled).

Set-ExecutionPolicy RemoteSigned

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential (Get-Credential) -Authentication basic -AllowRedirection

Import-PSSession $session

This connects you to an Exchange Online PowerShell session.

To view the current ABP routing setting:

Get-TransportConfig | fl AddressBookPolicyRoutingEnabled

At this point let’s go ahead and enable ABP routing in Exchange Online:

Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

Re-run the Get-TransportConfig cmdlet to confirm that address book policy routing now shows as enabled.

Note: if you get an error stating that the Enable-OrganizationCustomization cmdlet has not been run, run it (without any parameters), wait about half an hour, then reconnect to Exchange Online and retry the ABP routing operation.

Configure GAL Segmentation Based on Group Membership

Group membership-based address lists and global address lists rely on filtering on the MemberOfGroup attribute. Some of the commands in this series need a connection to Exchange Online and some need a connection to the Office 365 tenant, so, continuing from Step 2 above where we connected to Exchange Online, we will now also connect to the MSOL service:

Connect-MsolService

Next we need to get the distinguished name of the distribution list that is replicated from our on-prem Active Directory using Office 365 Dirsync:

$dn = (Get-DistributionGroup Test.Group).distinguishedName

If you care to see how this DN looks on the Microsoft side, type $dn and press Enter. Next, create a new address list for resource mailboxes:

New-AddressList -Name "Test.Resources" -RecipientFilter "RecipientDisplayType -eq 'ConferenceRoomMailbox' -and memberOfGroup -eq '$dn'"

Pay special attention to apostrophes and double quotes: the filter string is double-quoted so that $dn expands, while the values inside it are single-quoted. Next we create a new address list of user mailboxes:

New-AddressList -Name "Test.Mailboxes" -RecipientFilter "RecipientType -eq 'UserMailbox' -and memberOfGroup -eq '$dn'" -DisplayName "Test Mailboxes List"

Let’s create a new Global Address List and Offline Address book now:

New-GlobalAddressList -Name "Test.Gal" -RecipientFilter "MemberOfGroup -eq '$dn'"
New-OfflineAddressBook -Name "Test.Oab" -AddressLists "Test.Gal"

Finally, we are going to tie these lists together into a single address book policy object:

New-AddressBookPolicy -Name "Test.Abp" -AddressLists "Test.Mailboxes" -OfflineAddressBook "\Test.Oab" -GlobalAddressList "\Test.Gal" -RoomList "\Test.Resources"

All address book objects are now in place, and the last remaining step is to actually assign an address book policy to our user objects, which is what ultimately “filters” or segments their GAL views. There are a variety of ways to perform this assignment. The one provided here is by no means the only one or the most elegant one, but it works. First, get the GUID of the Office 365 group that was used for address book filtering:

Get-MsolGroup

GUIDs will be displayed in the left column. Find the one opposite “Test.Group”, the group that was used in the example above.

You must have both the Exchange Online and the Office 365 (MSOL) connections in the same WAAD PowerShell session for the next step. Substitute GUID with the actual GUID; you don’t need to put single or double quotes around the GUID for this to work.

Get-Mailbox -ResultSize unlimited | Where-Object {$_.ExternalDirectoryObjectId -in (Get-MsolGroupMember -GroupObjectId GUID).objectid} | Set-Mailbox -AddressBookPolicy "Test.Abp"

This command grabs the object IDs of all members of our test group, finds their associated mailboxes, and pipes them into the cmdlet that assigns the new address book policy. It’s not the prettiest PowerShell command, but it does the trick, and it can be scheduled to run periodically so that newly created users who are members of Test.Group get the right GAL automatically.

To confirm that your assignment command worked successfully:

Get-Mailbox | fl displayName, AddressBookPolicy
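The group-based procedure above, from the address list objects through the policy assignment, as one re-runnable script. This is an added example and not code from the original post. It assumes the Exchange Online session (Import-PSSession) and Connect-MsolService from Step 2 are already established and that the group Test.Group exists; the object names match the post, while the variable names, the Ensure-AddressObject helper, the report-only switch and the drift warning are assumptions of this example. Unlike the one-liner in the post, it resolves the group’s member set once instead of calling Get-MsolGroupMember for every mailbox, and it reports mailboxes that still carry the policy after leaving the group, which the one-liner never un-assigns.

```powershell
# Added example (not from the original post): the group-based steps above as
# one re-runnable script. Assumes an Exchange Online session (Import-PSSession)
# and Connect-MsolService are already established, as in Step 2, and that the
# group "Test.Group" exists. Object names match the post; everything else
# (variable names, the helper, the report-only switch, the warning) is assumed.

$GroupName  = "Test.Group"   # distribution group that defines the segment
$Prefix     = "Test"         # name prefix for the address book objects
$ReportOnly = $true          # $true = report only; set to $false to apply changes

$dn = (Get-DistributionGroup -Identity $GroupName).DistinguishedName
if (-not $dn) { throw "Group '$GroupName' was not found in Exchange Online" }

# The New-* cmdlets fail if an object with the same name exists, so create
# each object only when the lookup comes back empty. That makes re-runs safe.
function Ensure-AddressObject {
    param([string]$Name, [scriptblock]$Lookup, [scriptblock]$Create)
    if (& $Lookup)   { Write-Host "$Name already exists, skipping"; return }
    if ($ReportOnly) { Write-Host "ReportOnly: would create $Name"; return }
    & $Create | Out-Null
    Write-Host "Created $Name"
}

# Same filters as in the post: double quotes outside so $dn expands, single
# quotes around the values inside the OPATH filter.
Ensure-AddressObject "$Prefix.Resources" `
    { Get-AddressList -Identity "$Prefix.Resources" -ErrorAction SilentlyContinue } `
    { New-AddressList -Name "$Prefix.Resources" -RecipientFilter "RecipientDisplayType -eq 'ConferenceRoomMailbox' -and MemberOfGroup -eq '$dn'" }
Ensure-AddressObject "$Prefix.Mailboxes" `
    { Get-AddressList -Identity "$Prefix.Mailboxes" -ErrorAction SilentlyContinue } `
    { New-AddressList -Name "$Prefix.Mailboxes" -RecipientFilter "RecipientType -eq 'UserMailbox' -and MemberOfGroup -eq '$dn'" -DisplayName "$Prefix Mailboxes List" }
Ensure-AddressObject "$Prefix.Gal" `
    { Get-GlobalAddressList -Identity "$Prefix.Gal" -ErrorAction SilentlyContinue } `
    { New-GlobalAddressList -Name "$Prefix.Gal" -RecipientFilter "MemberOfGroup -eq '$dn'" }
Ensure-AddressObject "$Prefix.Oab" `
    { Get-OfflineAddressBook -Identity "$Prefix.Oab" -ErrorAction SilentlyContinue } `
    { New-OfflineAddressBook -Name "$Prefix.Oab" -AddressLists "$Prefix.Gal" }
Ensure-AddressObject "$Prefix.Abp" `
    { Get-AddressBookPolicy -Identity "$Prefix.Abp" -ErrorAction SilentlyContinue } `
    { New-AddressBookPolicy -Name "$Prefix.Abp" -AddressLists "$Prefix.Mailboxes" -OfflineAddressBook "\$Prefix.Oab" -GlobalAddressList "\$Prefix.Gal" -RoomList "\$Prefix.Resources" }

# Resolve the group's Office 365 object id by display name (what the post does
# by reading the Get-MsolGroup output), then fetch the member set ONCE.
$msolGroup = @(Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $GroupName })
if ($msolGroup.Count -ne 1) { throw "Expected exactly one Office 365 group named '$GroupName', found $($msolGroup.Count)" }
$members = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
Get-MsolGroupMember -GroupObjectId $msolGroup[0].ObjectId -All |
    ForEach-Object { [void]$members.Add($_.ObjectId.ToString()) }

$abpName = "$Prefix.Abp"
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $isMember = $members.Contains("$($_.ExternalDirectoryObjectId)")
    $hasAbp   = ("$($_.AddressBookPolicy)" -eq $abpName)
    if ($isMember -and -not $hasAbp) {
        if ($ReportOnly) { Write-Host "ReportOnly: would assign $abpName to $($_.PrimarySmtpAddress)" }
        else { Set-Mailbox -Identity $_.Identity -AddressBookPolicy $abpName }
    }
    elseif ($hasAbp -and -not $isMember) {
        # The post's one-liner never un-assigns: a mailbox keeps the segmented
        # GAL after leaving the group. Report it rather than guess a replacement.
        Write-Warning "$($_.PrimarySmtpAddress) has $abpName but is not a member of $GroupName"
    }
}
```

Run it once with $ReportOnly left at $true to see what would be created and assigned, then flip it to $false. Because the script skips objects that already exist and mailboxes that already have the policy, it is the form you would schedule to run periodically.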

Configure GAL Segmentation Based on Office Attribute

The Office attribute in on-prem Active Directory maps to physicalDeliveryOfficeName in Exchange Online. The approach is the same as above: we need to create 1) a resource address list, 2) a mailbox address list, 3) a GAL, and 4) an offline address book based on the GAL, then 5) create a new address book policy combining the four elements above, and finally 6) assign the new address book policy to mailboxes, which in this case are the ones with a certain string in the “Office” attribute.

This next batch of commands requires only an Exchange Online PowerShell session (see Step 2 above).

New-AddressList -Name "AL_Flexecom_Rooms" -RecipientFilter "RecipientDisplayType -eq 'ConferenceRoomMailbox' -and Office -eq 'Toronto'"
New-AddressList -Name "AL_Flexecom" -RecipientFilter "RecipientType -eq 'UserMailbox' -and Office -eq 'Toronto'" -DisplayName "Flexecom Toronto Address List"
New-GlobalAddressList -Name "GAL_Flexecom" -RecipientFilter "Office -eq 'Toronto'"
New-OfflineAddressBook -Name "OAB_Flexecom" -AddressLists "GAL_Flexecom"
New-AddressBookPolicy -Name "ABP_Flexecom" -AddressLists "AL_Flexecom" -OfflineAddressBook "\OAB_Flexecom" -GlobalAddressList "\GAL_Flexecom" -RoomList "\AL_Flexecom_Rooms"

For the next command we need a connection to both Exchange Online PowerShell and MSOL / Office 365.

Get-Mailbox -ResultSize unlimited | Where-Object {$_.ExternalDirectoryObjectId -in (Get-MsolUser | Where-Object {$_.office -eq 'Flexecom'}).objectid} | Set-Mailbox -AddressBookPolicy "ABP_Flexecom"

This last command gets the objectIDs of all user objects in the Office 365 directory whose Office attribute is set to “Flexecom”, uses that list to find the Exchange Online mailboxes whose ExternalDirectoryObjectId matches one of those objectIDs, and finally pipes the mailboxes into the cmdlet that performs the address book policy assignment.
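The Office-based variant, written so that the office value lives in a single variable. This is an added example, not the post’s code: the object names follow the post, while the variable names, the use of Get-Mailbox -Filter for the assignment and the Get-SegmentReport function are assumptions of this example. The reason for the single variable is a check worth making on the commands above: the address lists and GAL filter on Office -eq 'Toronto', while the MSOL one-liner tests office -eq 'Flexecom'; whichever string your directory actually carries, it has to be the same in both places, or the assigned users will see a GAL filtered on a different value than the one that selected them. The assignment below runs from the Exchange Online session alone, relying on Office being a filterable recipient property for Get-Mailbox, so the MSOL connection (and the default 500-result cap of Get-MsolUser without -All) does not come into play for this part.

```powershell
# Added example (not from the original post). Same six steps for the Office
# attribute, with the office value held in ONE variable so the recipient
# filters and the mailbox assignment are guaranteed to test the same string.
# Object names follow the post; the variable names, the Get-Mailbox -Filter
# assignment and the report function are assumptions of this example.

$Office     = 'Toronto'   # value of the Office attribute that defines the segment
$Tag        = 'Flexecom'  # suffix for the address book objects
$ReportOnly = $true       # passed to -WhatIf: $true shows changes, $false applies them

# A single quote inside the office value would break the OPATH filters below.
if ($Office -match "'") { throw "Office value must not contain a single quote" }

New-AddressList -Name "AL_${Tag}_Rooms" -RecipientFilter "RecipientDisplayType -eq 'ConferenceRoomMailbox' -and Office -eq '$Office'" -WhatIf:$ReportOnly
New-AddressList -Name "AL_$Tag" -RecipientFilter "RecipientType -eq 'UserMailbox' -and Office -eq '$Office'" -DisplayName "$Tag $Office Address List" -WhatIf:$ReportOnly
New-GlobalAddressList -Name "GAL_$Tag" -RecipientFilter "Office -eq '$Office'" -WhatIf:$ReportOnly
New-OfflineAddressBook -Name "OAB_$Tag" -AddressLists "GAL_$Tag" -WhatIf:$ReportOnly
New-AddressBookPolicy -Name "ABP_$Tag" -AddressLists "AL_$Tag" -OfflineAddressBook "\OAB_$Tag" -GlobalAddressList "\GAL_$Tag" -RoomList "\AL_${Tag}_Rooms" -WhatIf:$ReportOnly

# Assignment straight from Exchange Online using the same $Office, so a mailbox
# receives ABP_$Tag exactly when it also matches the GAL filter. Mailboxes that
# already have the policy are skipped, which keeps re-runs cheap.
$abpName = "ABP_$Tag"
Get-Mailbox -ResultSize Unlimited -Filter "Office -eq '$Office'" |
    Where-Object { "$($_.AddressBookPolicy)" -ne $abpName } |
    Set-Mailbox -AddressBookPolicy $abpName -WhatIf:$ReportOnly

# Review helper: for every mailbox, does its Office value and its policy agree?
# "MISSING POLICY" means a mailbox in the office still sees the full GAL;
# "POLICY WITHOUT OFFICE" means a mailbox that moved out of the office still
# carries the segmented view.
function Get-SegmentReport {
    param([string]$OfficeValue, [string]$PolicyName)
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $inOffice = ($_.Office -eq $OfficeValue)
        $hasAbp   = ("$($_.AddressBookPolicy)" -eq $PolicyName)
        if ($inOffice -and $hasAbp) { $status = 'OK' }
        elseif ($inOffice)          { $status = 'MISSING POLICY' }
        elseif ($hasAbp)            { $status = 'POLICY WITHOUT OFFICE' }
        else                        { $status = 'outside segment' }
        [pscustomobject]@{
            Mailbox = $_.PrimarySmtpAddress
            Office  = $_.Office
            Policy  = "$($_.AddressBookPolicy)"
            Status  = $status
        }
    }
}

Get-SegmentReport -OfficeValue $Office -PolicyName $abpName |
    Where-Object { $_.Status -ne 'outside segment' } |
    Format-Table -AutoSize
```

The New-* and Set-Mailbox cmdlets honour -WhatIf, so the whole script can be dry-run by leaving $ReportOnly at $true; the report at the end is the same check as the Get-Mailbox | fl displayName, AddressBookPolicy command earlier in the post, but it also flags the two drift cases instead of leaving you to spot them by eye.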

This may look hairy… but it really isn’t all that complicated once you do it one or two times, and it does work great!

 
