Before we can jump into setting up GAL objects and policies, we need to grant
ourselves permissions to manage address lists in Office 365 (this permission is not
enabled by default). We also need to enable Address Book Policy Routing in Exchange
Online.
Also, and this is important, check to make sure that you have either an Enterprise (E)
or an Educational (A) Office 365 subscription level. Address book policy routing is
currently not supported on lower subscription levels, and the instructions in this article
will not work there.
Step 1: Grant Permissions to Manage Address Lists
1.
2.
3.
4.
5.
B.
C.
D.
Note: the steps above grant you access to the New-GlobalAddressList and New-AddressList
commands that will be used later in this article. If you cannot see the Address
List role, check your Office 365 subscription level and make sure that it is Enterprise or
Education level. The Address List role does exist in Exchange Online, but by default it is
not assigned to anyone, so nobody has GAL/address book management permissions.
Step 2: Connect to Exchange Online PowerShell and Enable Address Book Policy
Routing
This step could be done on one of your ADFS farm servers that has Windows Azure
Active Directory PowerShell (WAAD Posh) installed. Launch WAAD as Administrator
(elevate if you have UAC enabled).
Set-ExecutionPolicy RemoteSigned
Import-PSSession $session
Get-TransportConfig | fl AddressBookPolicyRoutingEnabled
At this point, let's go ahead and enable ABP routing in Exchange Online:
Group membership-based address lists and global address lists rely on MemberOf
attribute filtering. To perform the next series of steps, you need to be connected to
both Exchange Online and the Office 365 tenant for some of the commands. So, continuing
from Step 2 above where we connected to Exchange Online, we will go ahead and link
up to the MSOL service:
Connect-MsolService
Next, we need to add the users we want to separate from the others to a
distribution group, and get the distinguished name of that distribution group. In this
example, we created a group named Test.Group:
If you care to see how this DN looks on the Microsoft side, type $dn and hit enter. Next,
create a new address list for resource mailboxes:
Pay special attention to apostrophes and double quotes. Next, we create a new
address list of user mailboxes:
Let's create a new Global Address List and Offline Address Book now:
Finally, we are going to tie these lists together into a single address book policy object:
All address book objects are now in place and the last remaining step is to actually
assign an address book policy to our user objects, which is what ultimately filters or
segments their GAL views. There is a variety of ways to perform this assignment. The
one provided here is by no means the only one or the most elegant one, but it works.
First, get the GUID of the Office 365 group that was used for address book filtering:
Get-MsolGroup
GUIDs will be displayed in the left column. Find the one opposite Test.Group that was
used in the example above.
You have to have Exchange Online and Office 365 connections in the same WAAD
PowerShell session for the next step. Substitute GUID with the actual GUID; you don't
need to use single or double quotes around the GUID for this to work.
Get-Mailbox -ResultSize unlimited | Where-Object {$_.ExternalDirectoryObjectId -in (Get-MsolGroupMember -GroupObjectId GUID).objectid} | Set-Mailbox -AddressBookPolicy "Test.Abp"
This command grabs the object IDs of all members of our test group, gets their associated
mailboxes, and pipes them into the cmdlet that assigns the new address book policy.
It's not the prettiest PowerShell command, but it does the trick, and it can be scheduled to
run periodically so that newly created users who have membership in the Test.Group
get the right GAL automatically.
To confirm that your assignment command worked successfully:
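One way to run this check, as an added example that is not part of the original article: the script compares Test.Group membership with each mailbox's AddressBookPolicy and reports members that lack Test.Abp as well as mailboxes that still carry it after leaving the group. The zero GUID is a constructed placeholder, and the variable names and the MissingPolicy/StalePolicy labels are assumptions made for illustration.

```powershell
# Added example, not the article's own code. Assumes the Exchange Online session
# from Step 2 is imported and Connect-MsolService has already been run.
# Placeholder GUID (constructed): use the value Get-MsolGroup shows for Test.Group.
$GroupObjectId = '00000000-0000-0000-0000-000000000000'
$PolicyName    = 'Test.Abp'

# Check the tenant-wide routing switch that Step 2 inspects.
if (-not (Get-TransportConfig).AddressBookPolicyRoutingEnabled) {
    Write-Warning 'AddressBookPolicyRoutingEnabled is not True for this tenant.'
}

# Object IDs of the current group members, normalised to strings.
$memberIds = @(Get-MsolGroupMember -GroupObjectId $GroupObjectId -All |
    ForEach-Object { $_.ObjectId.ToString() })
if ($memberIds.Count -eq 0) {
    Write-Warning "Group $GroupObjectId has no members; check the GUID."
}

# Compare every mailbox's policy with its group membership.
$drift = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $inGroup   = $memberIds -contains $mbx.ExternalDirectoryObjectId
    $hasPolicy = "$($mbx.AddressBookPolicy)" -eq $PolicyName
    if ($inGroup -and -not $hasPolicy) {
        $finding = 'MissingPolicy'   # group member whose mailbox lacks Test.Abp
    } elseif ($hasPolicy -and -not $inGroup) {
        $finding = 'StalePolicy'     # policy left behind after leaving the group
    } else {
        continue                     # consistent, nothing to report
    }
    [pscustomobject]@{
        Finding           = $finding
        PrimarySmtp       = $mbx.PrimarySmtpAddress
        AddressBookPolicy = $mbx.AddressBookPolicy
    }
}

if ($drift) {
    $drift | Sort-Object Finding, PrimarySmtp | Format-Table -AutoSize
} else {
    Write-Output "All mailboxes match membership of the group for $PolicyName."
}
```

The scheduled assignment command only ever adds the policy, so StalePolicy rows persist until the policy is cleared on those mailboxes, for example with Set-Mailbox -AddressBookPolicy $null.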