1 Introduction
This document provides the step-by-step procedure to create different address book policies for the different departments of an organization, so that users can only see the recipients that belong to their own department.
By default, everyone can see every recipient who has an SMTP address in the organization's global address list.
The goal is to restrict access to the global address list based on domain. If we have two domains, abc.com and xyz.com, then abc.com users should only see users of abc.com and xyz.com users should only see users of xyz.com.
Global address list (GAL) segmentation, also known as GAL segregation, is the process whereby administrators segment users into specific populations to provide customized views of the organization's GAL. Address book policies (ABPs) are the mechanism for this: when creating an ABP, you assign a GAL, an offline address book (OAB), a room list, and one or more address lists to the policy. You then assign the ABP to mailbox users, giving them access to a customized GAL in Outlook and Outlook Web App.
2 Configure Prerequisites
Before starting GAL segmentation, we need to grant the admin who will be completing this activity the necessary permissions to manage address lists in Office 365 (this permission is not enabled by default). We also need to enable Address Book Policy Routing in Exchange Online.
1) We can create a separate role group, add the Address Lists management role to it, and then add the admin as a member of this role group.
2.1 Grant Permissions to Manage Address Lists
Log into portal.microsoftonline.com using a global administrator Office 365 account
In the top menu bar, click on Admin and then Exchange
You are now in the Exchange Admin Center (EAC)
On the left, click Permissions
Click on the plus sign to add a new Role Group
Name: Address List Management
Roles: add “Address List” role
Members: add your global admin account as a member
Save the role group
Note: The steps above grant you access to the New-GlobalAddressList and New-AddressList cmdlets.
Address book policy (ABP) routing controls how users in one virtual organization view the users of a different virtual organization. Your virtual organization is determined by the global address list (GAL) you reside in. When ABP routing is turned on, users that are assigned to different GALs appear as external recipients and won’t be able to view external recipients’ contact cards.
Run the Get-TransportConfig cmdlet and confirm that AddressBookPolicyRoutingEnabled is True. If it is not, enable it with the following command.
Set-TransportConfig -AddressBookPolicyRoutingEnabled $true
2.2 Segregate Users
1) To do so I will be using CustomAttribute1.
Resources that belong to domain abc.com will be stamped with the custom attribute value ABC, and resources that belong to xyz.com will be stamped with XYZ.
We have to create a separate address book policy for each domain's users, so that the users of each domain are assigned their own address book policy.
Before creating an address book policy, we need to do four tasks for each domain so that the domains can be segregated using address book policies. Below is what we will be doing.
1) Create separate Resource Lists for abc.com and xyz.com users.
2) Create separate Address Lists for abc.com and xyz.com users.
3) Create separate global address lists for abc.com and xyz.com users.
4) Create separate offline address books for abc.com and xyz.com users.
All recipient types have to be segregated according to who should see whom, by stamping each recipient with the custom attribute value ABC or XYZ accordingly.
I have two users and . Since I do not have a custom domain, suppose Kasim belongs to domain abc.com and Sachin belongs to xyz.com. I will add ABC as the custom attribute for Kasim and XYZ as the custom attribute for Sachin.
For Kasim
set-mailbox kasim -CustomAttribute1 ABC
For Sachin
set-mailbox Sachin -CustomAttribute1 XYZ
I have two distribution groups, and I have stamped the custom attribute for these two groups accordingly as well.
For
Set-DistributionGroup abc -CustomAttribute1 ABC
For
Set-DistributionGroup XYZ -CustomAttribute1 XYZ
I have two room mailboxes and . I have stamped the custom attribute for these two room mailboxes accordingly as well.
For
Set-Mailbox abcroom -CustomAttribute1 ABC
For
Set-Mailbox xyzroom -CustomAttribute1 XYZ
3 Deploying GAL segregation
I will start by creating separate resource lists, address lists, global address lists and offline address books for abc.com and xyz.com users.
1) Create a resource list for abc.com and xyz.com users
Resource list for abc.com users
New-AddressList -Name "ABC Rooms" -RecipientFilter {((Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))) -and (CustomAttribute1 -eq "ABC")} -DisplayName "ABC Rooms"
Name DisplayName RecipientFilter
------
ABC Rooms ABC Rooms ((((Alias -ne $null) -and (((RecipientDisplayType -eq 'ConferenceRoomMailbox')...
Resource list for xyz.com users
New-AddressList -Name "XYZ Rooms" -RecipientFilter {((Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))) -and (CustomAttribute1 -eq "XYZ")} -DisplayName "XYZ Rooms"
Name DisplayName RecipientFilter
------
XYZ Rooms XYZ Rooms ((((Alias -ne $null) -and (((RecipientDisplayType -eq 'ConferenceRoomMailbox')...
2) Create an address list for abc.com and xyz.com users
Address list for abc.com users
New-AddressList -Name "ABC Address List" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientTypeDetails -eq "MailUniversalDistributionGroup") -or (RecipientTypeDetails -eq "DynamicDistributionGroup")) -and (CustomAttribute1 -eq "ABC")} -DisplayName "ABC AddressList"
Name DisplayName RecipientFilter
------
ABC Address List ABC AddressList ((((((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientTypeDetails -eq 'M...
Address list for xyz.com users
New-AddressList -Name "XYZ Address List" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientTypeDetails -eq "MailUniversalDistributionGroup") -or (RecipientTypeDetails -eq "DynamicDistributionGroup")) -and (CustomAttribute1 -eq "XYZ")} -DisplayName "XYZ AddressList"
Name DisplayName RecipientFilter
------
XYZ Address List XYZ AddressList ((((((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientTypeDetails -eq 'M...
3) Create global address lists for abc.com and xyz.com users
GAL for abc.com users
New-GlobalAddressList -Name "ABC Global AddressList" -RecipientFilter {(CustomAttribute1 -eq "ABC")}
Name RecipientFilter
------
ABC Global AddressList CustomAttribute1 -eq 'ABC'
GAL for xyz.com users
New-GlobalAddressList -Name "XYZ Global AddressList" -RecipientFilter {(CustomAttribute1 -eq "XYZ")}
Name RecipientFilter
------
XYZ Global AddressList CustomAttribute1 -eq 'XYZ'
4) Create an offline address book for abc.com and xyz.com users
OAB for abc.com users
New-OfflineAddressBook -Name "ABC-OAB" -AddressLists "ABC Global AddressList"
OAB for xyz.com users
New-OfflineAddressBook -Name "XYZ-OAB" -AddressLists "XYZ Global AddressList"
We are done creating the resource list, address list, global address list and offline address book for both domains. Now we have to create two address book policies and assign them to the users accordingly.
1) Create separate address book policies for abc.com and xyz.com users
Address book policy for abc.com users
New-AddressBookPolicy -Name "ABC-ABP" -AddressLists "ABC Address List" -OfflineAddressBook "ABC-OAB" -GlobalAddressList "ABC Global AddressList" -RoomList "ABC Rooms"
Name GlobalAddressList AddressLists OfflineAddressBook RoomList
------
ABC-ABP \ABC Global AddressList {\ABC Address List} \ABC-OAB \ABC Rooms
Address book policy for xyz.com users
New-AddressBookPolicy -Name "XYZ-ABP" -AddressLists "XYZ Address List" -OfflineAddressBook "XYZ-OAB" -GlobalAddressList "XYZ Global AddressList" -RoomList "XYZ Rooms"
Name GlobalAddressList AddressLists OfflineAddressBook RoomList
------
XYZ-ABP \XYZ Global AddressList {\XYZ Address List} \XYZ-OAB \XYZ Rooms
2) Assign the address book policies to abc.com and xyz.com users
Assign address book policy ABC-ABP to all abc.com users (custom attribute stamped with ABC).
Get-Mailbox -ResultSize Unlimited | Where-Object {$_.CustomAttribute1 -eq "ABC"} | Set-Mailbox -AddressBookPolicy "ABC-ABP"
Assign address book policy XYZ-ABP to all xyz.com users (custom attribute stamped with XYZ).
Get-Mailbox -ResultSize Unlimited | Where-Object {$_.CustomAttribute1 -eq "XYZ"} | Set-Mailbox -AddressBookPolicy "XYZ-ABP"
4 Testing
When I log in as I should see only recipients that have the custom attribute set to ABC, and when I log in as I should see only recipients that have the custom attribute set to XYZ. E.g., Kasim should see and distribution group , and should see and distribution group .
1) When I log in as
2) When I log in as
What happens when new recipients are added in the organization?
I have created another recipient and added the custom attribute XYZ to him. Sachin should now see Akash as well.
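Beyond checking a single user's view in Outlook, the thing to verify after assignment is that nobody fell outside the segments: a mailbox with no ABP still sees the default (full) GAL, and a recipient with no CustomAttribute1 is invisible to both segments. The audit below is an added example, not part of the original document; it assumes the names used in this document (tags ABC/XYZ, policies "<tag>-ABP", default GAL "Default Global Address List").

```powershell
# Added example (not from the original document): audit GAL segmentation coverage.
function Get-GalSegmentationReport {
    param([string[]]$ExpectedTags = @('ABC', 'XYZ'))   # tags used in this document

    $mailboxes  = @(Get-Mailbox   -ResultSize Unlimited)
    $recipients = @(Get-Recipient -ResultSize Unlimited)

    # Mailboxes without a policy are still served the default GAL.
    $noPolicy = $mailboxes | Where-Object { -not $_.AddressBookPolicy }

    # Recipients without a tag match neither custom GAL, so nobody can see them.
    $noTag  = $recipients | Where-Object { [string]::IsNullOrEmpty($_.CustomAttribute1) }
    $badTag = $recipients | Where-Object {
        $_.CustomAttribute1 -and ($ExpectedTags -notcontains $_.CustomAttribute1)
    }

    # Assumption: the policy name contains the tag (ABC-ABP, XYZ-ABP), so a mailbox whose
    # tag is missing from its policy name was assigned the wrong segment.
    $mismatch = $mailboxes | Where-Object {
        $_.AddressBookPolicy -and ("$($_.AddressBookPolicy)" -notlike "*$($_.CustomAttribute1)*")
    }

    # Resolve each custom GAL's stored filter to see who it really contains.
    $galCounts = foreach ($gal in Get-GlobalAddressList) {
        if ($gal.Name -eq 'Default Global Address List') { continue }
        $members = @(Get-Recipient -RecipientPreviewFilter $gal.RecipientFilter -ResultSize Unlimited)
        [pscustomobject]@{ GAL = $gal.Name; Members = $members.Count }
    }

    [pscustomobject]@{
        MailboxesWithoutPolicy = @($noPolicy | Select-Object -ExpandProperty PrimarySmtpAddress)
        RecipientsWithoutTag   = @($noTag    | Select-Object -ExpandProperty PrimarySmtpAddress)
        RecipientsUnknownTag   = @($badTag   | Select-Object PrimarySmtpAddress, CustomAttribute1)
        PolicyTagMismatch      = @($mismatch | Select-Object PrimarySmtpAddress, CustomAttribute1, AddressBookPolicy)
        GalMembership          = $galCounts
    }
}

Get-GalSegmentationReport | Format-List
```

Every list in the report should be empty except GalMembership; a non-empty MailboxesWithoutPolicy is the case to fix first, since those users see the whole organization.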
5 Conclusion
GAL segregation is achieved by first segregating the recipients through a custom attribute. Once the recipients are identified, we create a separate address list, GAL, OAB and room list for each set of recipients, then create address book policies and assign them to the respective segment.
Ongoing tasks
- When a recipient is added with domain abc.com, we need to provision the recipient with the custom attribute ABC
- When a recipient is added with domain xyz.com, we need to provision the recipient with the custom attribute XYZ
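Stamping CustomAttribute1 by hand, as done for Kasim, Sachin, the two groups and the two rooms above, does not scale to the ongoing task. The script below is an added example, not part of the original document: it derives the tag from each recipient's primary SMTP domain, generalizing the two-domain case to any number of domains. The domain-to-tag map and the report-first, apply-second behaviour are assumptions of this illustration.

```powershell
# Added example (not from the original document): stamp CustomAttribute1 from the
# recipient's primary SMTP domain. The map below is an assumption for illustration.
$DomainMap = @{
    'abc.com' = 'ABC'
    'xyz.com' = 'XYZ'
}

function Get-SegmentTag {
    param([Parameter(Mandatory)][string]$PrimarySmtpAddress)
    $domain = ($PrimarySmtpAddress -split '@')[-1].ToLowerInvariant()
    if ($DomainMap.ContainsKey($domain)) { return $DomainMap[$domain] }
    return $null   # unmapped domain: the caller reports it and leaves the recipient alone
}

function Update-SegmentTags {
    param(
        [Parameter(Mandatory)]$Recipients,         # output of Get-Mailbox or Get-DistributionGroup
        [Parameter(Mandatory)][string]$Setter,     # 'Set-Mailbox' or 'Set-DistributionGroup'
        [switch]$Apply                             # without -Apply the function only reports
    )
    foreach ($r in $Recipients) {
        $tag = Get-SegmentTag -PrimarySmtpAddress "$($r.PrimarySmtpAddress)"
        if (-not $tag) { Write-Warning "$($r.Identity): domain not in map, skipped"; continue }
        if ($r.CustomAttribute1 -eq $tag) { continue }     # already stamped correctly
        Write-Output "$($r.Identity): CustomAttribute1 '$($r.CustomAttribute1)' -> '$tag'"
        if ($Apply) { & $Setter -Identity $r.Identity -CustomAttribute1 $tag }
    }
}

# Mailboxes cover both users and rooms (all are Set-Mailbox targets); groups use their own
# cmdlet. Dynamic distribution groups and mail contacts would need Set-DynamicDistributionGroup
# and Set-MailContact and are deliberately not touched here.
Update-SegmentTags -Recipients (Get-Mailbox -ResultSize Unlimited) -Setter 'Set-Mailbox'
Update-SegmentTags -Recipients (Get-DistributionGroup -ResultSize Unlimited) -Setter 'Set-DistributionGroup'
# Re-run both calls with -Apply once the reported changes look right.
```

Because the address lists and GALs created above filter on CustomAttribute1, a recipient stamped by this script appears in the right segment on the next address list update without any change to the policies.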
6 Rollback Plan
Remove the address book policy from abc.com and xyz.com users.
Set the custom attribute to Null.
Delete the address book policies and all the address lists created for this purpose.
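The three rollback steps have to run in this order because an address book policy cannot be removed while mailboxes still reference it, and the lists cannot be removed while a policy still references them. The script below is an added example, not part of the original document; it assumes the object names created in this document and that the tag values are ABC and XYZ.

```powershell
# Added example (not from the original document): roll back GAL segregation in
# dependency order. Object names follow this document; -Confirm:$false skips prompts.
function Remove-GalSegmentation {
    param([string[]]$Tags = @('ABC', 'XYZ'))

    foreach ($tag in $Tags) {
        # 1. Detach the policy from every mailbox in this segment and clear its tag
        #    (rooms are mailboxes too, so they are covered here).
        Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$tag'" |
            Set-Mailbox -AddressBookPolicy $null -CustomAttribute1 $null

        # 2. Clear the tag on the distribution groups of this segment.
        Get-DistributionGroup -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$tag'" |
            Set-DistributionGroup -CustomAttribute1 $null

        # 3. Remove the policy first, then the objects it referenced.
        Remove-AddressBookPolicy  -Identity "$tag-ABP"                -Confirm:$false
        Remove-OfflineAddressBook -Identity "$tag-OAB"                -Confirm:$false
        Remove-GlobalAddressList  -Identity "$tag Global AddressList" -Confirm:$false
        Remove-AddressList        -Identity "$tag Address List"       -Confirm:$false
        Remove-AddressList        -Identity "$tag Rooms"              -Confirm:$false
    }
}

Remove-GalSegmentation
```

Address book policy routing (Set-TransportConfig -AddressBookPolicyRoutingEnabled) is left enabled by this script; turn it off separately if the tenant no longer uses any ABP.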