Segmenting the Global Address List in Multi-Domain Office 365 Tenants with Address Book Policies

For organizations managing diverse domains within a single Microsoft 365 tenant, a common requirement is to prevent users from one domain from viewing or accessing users in another through the Global Address List (GAL). This necessary segregation can be effectively achieved in Exchange Online using Address Book Policies (ABPs).

This guide will walk you through the process of configuring Address Book Policies to establish boundaries between users of two hypothetical domains: abc.com and xyz.com. The implementation involves several key stages: defining custom Address Lists, Room Lists, Offline Address Books (OABs), and Global Address Lists (GALs), and subsequently applying these policies to the respective user groups.

What are Address Book Policies (ABPs)?

Address Book Policies provide a mechanism to control the address lists (like the GAL, Room Lists, and OABs) that are visible to specific sets of users. By assigning an ABP to a user, you determine the scope of their address book view, ensuring, for instance, that users from abc.com only see other abc.com users and not those from xyz.com, and vice versa.

Essential Building Blocks of ABPs

  • Address Lists: These are filtered collections of recipients based on defined criteria, used to group specific users or resources.
  • Global Address List (GAL): This is the primary directory that users browse to find recipients. An ABP-defined GAL limits the entries a user can see.
  • Offline Address Book (OAB): A snapshot of the address lists that Outlook clients download for offline access. ABPs ensure the OAB reflects the user's permitted view.
  • Room Lists: Specific address lists containing meeting room mailboxes, also subject to ABP filtering.
  • Address Book Policy (ABP): The container object that binds together a specific GAL, OAB, and set of Address and Room Lists to define a user's address book experience.

Implementation Steps: Configuring ABPs

Follow these steps in Exchange Online PowerShell to set up address book segregation for your domains.

Step 1: Enable Address Book Policy Routing

Enabling ABP routing is a prerequisite for the policies to actually enforce separation: with it turned on, recipients in different ABPs are treated as external to one another, so a user cannot resolve or view recipients outside their assigned address book simply by bypassing the address list view.

Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

Step 2: Define Custom Address Lists

Create distinct address lists for each domain to filter recipients based on their email address domain.

# EmailAddresses (the proxy-address collection) is the filterable property; 'EmailAddress' is not valid in a recipient filter.
New-AddressList -Name "ABC Domain Users AL" -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (EmailAddresses -like '*@abc.com'))}
New-AddressList -Name "XYZ Domain Users AL" -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (EmailAddresses -like '*@xyz.com'))}

(Note: You might want additional lists for contacts, groups, etc., depending on your needs.)

Step 3: Create Domain-Specific Room Lists

Ensure that room mailboxes are also segmented according to their domain.

# Rooms are selected by display type; the same EmailAddresses property is used for the domain match.
New-AddressList -Name "ABC Domain Rooms AL" -RecipientFilter {(EmailAddresses -like '*@abc.com') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')}
New-AddressList -Name "XYZ Domain Rooms AL" -RecipientFilter {(EmailAddresses -like '*@xyz.com') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')}

Step 4: Generate Offline Address Books (OABs)

Create separate OABs for each domain, including the relevant address and room lists.

New-OfflineAddressBook -Name "ABC Domain OAB" -AddressLists "\ABC Domain Users AL", "\ABC Domain Rooms AL"
New-OfflineAddressBook -Name "XYZ Domain OAB" -AddressLists "\XYZ Domain Users AL", "\XYZ Domain Rooms AL"

Step 5: Configure Global Address Lists (GALs) for Each Domain

Define the specific GAL content that users in each domain will see.

New-GlobalAddressList -Name "ABC Domain GAL" -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (EmailAddresses -like '*@abc.com'))}
New-GlobalAddressList -Name "XYZ Domain GAL" -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (EmailAddresses -like '*@xyz.com'))}

(Note: A GAL typically includes more than just user mailboxes. Adjust the filter as needed to include contacts, groups, etc., that should be visible within that domain's GAL.)

Step 6: Construct Address Book Policies (ABPs)

Combine the created components into distinct ABPs for each domain.

New-AddressBookPolicy -Name "ABC Domain ABP" -AddressLists "\ABC Domain Users AL" -OfflineAddressBook "\ABC Domain OAB" -GlobalAddressList "\ABC Domain GAL" -RoomList "\ABC Domain Rooms AL"
New-AddressBookPolicy -Name "XYZ Domain ABP" -AddressLists "\XYZ Domain Users AL" -OfflineAddressBook "\XYZ Domain OAB" -GlobalAddressList "\XYZ Domain GAL" -RoomList "\XYZ Domain Rooms AL"

(Ensure the AddressLists parameter includes ALL address lists you want visible to users assigned this ABP, not just the main user list).

Step 7: Assign ABPs to Users

Apply the newly created ABPs to the respective users in each domain.

# -ResultSize Unlimited avoids the default 1000-result cap; EmailAddresses is the filterable proxy-address property.
$abcUsers = Get-Mailbox -ResultSize Unlimited -Filter {EmailAddresses -like '*@abc.com'}
$xyzUsers = Get-Mailbox -ResultSize Unlimited -Filter {EmailAddresses -like '*@xyz.com'}

# Assign each domain's ABP to its mailboxes.
foreach ($user in $abcUsers) {
    Set-Mailbox -Identity $user.Identity -AddressBookPolicy "ABC Domain ABP"
}

foreach ($user in $xyzUsers) {
    Set-Mailbox -Identity $user.Identity -AddressBookPolicy "XYZ Domain ABP"
}
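Before relying on the segregation, check what the filters actually match and that no mailbox was left on the default, unsegmented GAL. The audit script below is an added example, not part of the original post; it assumes the list and ABP names from Steps 2 to 7 and an existing Exchange Online PowerShell session.

```powershell
# Added example (not from the original post). Assumes an Exchange Online session and the
# filters and ABP names created in Steps 2-7 of this guide.

# 1. Preview what each recipient filter matches. A mailbox matching neither filter will be
#    absent from both GALs; one matching both (e.g. a proxy address in the other domain)
#    would be visible across the boundary.
$filters = @{
    'abc.com' = "((RecipientType -eq 'UserMailbox') -and (EmailAddresses -like '*@abc.com'))"
    'xyz.com' = "((RecipientType -eq 'UserMailbox') -and (EmailAddresses -like '*@xyz.com'))"
}
$matched = @{}
foreach ($domain in $filters.Keys) {
    $matched[$domain] = @(Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $filters[$domain] |
        ForEach-Object { $_.PrimarySmtpAddress.ToString() })
    Write-Host ("{0}: {1} recipients match the filter" -f $domain, $matched[$domain].Count)
}
$overlap = $matched['abc.com'] | Where-Object { $matched['xyz.com'] -contains $_ }
if ($overlap) {
    Write-Warning "Recipients matching both filters (check proxy addresses): $($overlap -join ', ')"
}

# 2. Audit ABP assignment: every mailbox should carry the ABP for the domain of its primary
#    SMTP address. Anything reported here (including mailboxes in a domain not listed below)
#    still sees whatever the default GAL exposes and needs a decision.
$expectedAbp = @{ 'abc.com' = 'ABC Domain ABP'; 'xyz.com' = 'XYZ Domain ABP' }
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, RoomMailbox |
    ForEach-Object {
        $domain = $_.PrimarySmtpAddress.ToString().Split('@')[1].ToLower()
        $want   = [string]$expectedAbp[$domain]
        $have   = [string]$_.AddressBookPolicy
        if ($want -ne $have) {
            [pscustomobject]@{
                Mailbox     = $_.PrimarySmtpAddress
                Domain      = $domain
                ExpectedABP = $want
                AssignedABP = $have
            }
        }
    } | Format-Table -AutoSize
```

Run the audit again after the propagation window noted under Limitations, since a freshly applied ABP may not be reflected immediately.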

Important Note: The cmdlets used for managing address lists and ABPs are part of the "Address Lists" management role. By default, this role may not be assigned to your administrative role group (like "Organization Management"). You might need to add the "Address Lists" role to your group to execute these commands.

Advantages of Implementing ABPs

  • Enhanced Privacy: Limits the visibility of internal contact information to only relevant users within their domain.
  • Streamlined User Experience: Reduces clutter and potential confusion in address lists by displaying only necessary contacts.
  • Improved Data Segregation: Helps in maintaining logical boundaries and can contribute to compliance requirements.
  • Scalability: Provides a structured method for managing address lists as your organization grows and incorporates more domains.

Limitations and Considerations

  • Scope is Limited to Exchange: ABPs primarily impact address lists within Exchange Online (Outlook, OWA). They do not restrict user discovery or collaboration features in other Microsoft 365 services like Teams, SharePoint, or OneDrive.
  • Propagation Delays: Changes to ABPs can take a significant amount of time (potentially several hours) to fully apply and become visible to users.
  • For Stricter Segregation, Consider Information Barriers: If compliance or strict organizational policies demand preventing communication and collaboration between specific groups of users across services (beyond just address list visibility), Microsoft Information Barriers (IBs) offer a more comprehensive solution.

Conclusion

Leveraging Address Book Policies in Exchange Online is a powerful method for organizations operating with multiple domains under a single tenant to effectively segment their Global Address Lists. By following the steps outlined in this guide, businesses can establish clear boundaries for user visibility, thereby improving privacy, simplifying communication, and supporting their administrative and compliance objectives within Microsoft 365.
