-
Title
Using msExchHideFromAddressLists when leveraging Azure Group-based Licensing -
Description
Azure Group-based licensing is an optional configuration which be be done on the Microsoft side. For more information, see this Microsoft resource.
When objects are Deprovisioned in Active Roles, the Deprovision operation includes removal from on-prem Active Directory groups. If these groups include the ones enabled for Azure Group-based licensing, AADConnect will no longer replicate any changes made from on-prem Microsoft Exchange objects to Exchange Online.
This includes the msExchHideFromAddressLists flag, which is commonly set during a Deprovision operation.
So, although an Active Roles operation sets the value of msExchHideFromAddressLists to TRUE in Microsoft Exchange on-prem, the value for msExchHideFromAddressLists in Exchange Online is never updated and the object is never hidden from the Exchange Online GAL.
-
Cause
This is expected functionality and needs to be addressed by Microsoft. As soon as an object is removed from the on-prem Active Directory Group which is used for Azure Group-Based licensing, AADConnect will no longer replicate any attributes to Exchange Online. -
Resolution
WORKAROUND
As a workaround, change the Deprovisioning policy so that Azure Group-based licensing groups are retained, and then configure an Automation Workflow in Active Roles to remove the object from these groups after at least one day has passed. This Automation Workflow would be almost identical to the one described here.