Okta Classic Engine | Okta Integration Network | Answered | 2026-01-22T09:00:26.000Z | 2017-12-11T23:24:12.000Z | 2019-11-04T13:46:50.000Z
Hide from GAL/Remove user
Hi all. How are O365 customers, without an on-prem Exchange server or the Exchange attributes in AD, handling hiding departed employees from the GAL? When we try to hide a user from the address list, we receive an error:

 

The operation on mailbox "user.name_36dc2c04ca" failed because it's out of the current user's write scope. The action 'Set-Mailbox', 'HiddenFromAddressListsEnabled', can't be performed on the object 'user.name_36dc2c04ca' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

 

Has anyone else come across this? If so, what is the resolution? I have a case with Okta opened but I'm curious to see what other folks are doing.

  • j5v7c (j5v7c)

    Hi Jeff,

     

    The only workaround would be switching to Universal Sync and mapping the attribute from your AD Okta instance to O365 as:

    hasDirectoryUser()?findDirectoryUser().MSExchHideFromAddressLists:null

     

    For more information about Universal Sync check:

    https://support.okta.com/help/Documentation/Knowledge_Article/Okta-Enhancements-with-Microsoft-Office-365-Integration-1961576155

     

    Please note that this is an EA feature.

     

    Thanks.
  • feok4 (feok4)

    Razvan, 

    Thank you for the reply. We're using Universal Sync but we don't have the msExchHideFromAddressLists attribute in our AD - we don't have an on-prem Exchange server nor do we have the schema extended for Exchange.

     

    Where would I map hasDirectoryUser()?findDirectoryUser().MSExchHideFromAddressLists:null?  Is there an Okta supported document for customers in our situation?

     

    Thanks.

  • 0o6wy (0o6wy)

    Hi Jeff,

    I'm having the same issue. Did you get a reply from Okta regarding the case you opened with them concerning this issue? Hope to hear from you. Thank you.

  • feok4 (feok4)

    Adekunle - I'm trying to post the steps we used to resolve but I keep getting an error when responding. Can you ping me offline and I'll send them to you?

  • feok4 (feok4)

    Here are the steps we followed. I’m assuming you’re using AD as a master, as in our case.

    • Contact Okta support and let them know you need to see your Active Directory listed under Profile master priority in the Okta profile (Okta Admin, Directory, Profile editor)
    • Under the Okta profile, create a custom attribute as follows:

      * Type: boolean
      * DisplayName: we used msExchHideFromAddressLists
      * Description: we used Hide From GAL
      * User Permission: Read Only
      * Master Priority: Inherit from Okta. This is the most important step, allowing you to edit this attribute if the Okta account is mastered by AD, etc.
      * Save Attribute
    • In Profile editor, choose your Office 365 app, click Profile and Add Attribute:

      * Type: boolean
      * DisplayName: we used msExchHideFromAddressLists
      * Description: we used Hide From GAL
      * Save Attribute
    • Go to map attributes in the O365 app. At the top, make sure the direction is Okta to O365
    • Locate the O365 attribute created above. On the left-hand side, start typing the name of the Okta attribute you created and create the mapping. Hit Apply update
    • Locate a user in Okta, choose Edit and you should now see the attribute you created above. Set to true to hide, false to show. Default is undefined

    If you're not familiar with universal directory or the profile editor, contact Okta support for help. IMO, Okta should have this functionality built in.

    I hope this helps.

    Jeff
  • 0o6wy (0o6wy)

    Hi Jeff,

    Thank you very much. I followed your instructions and it worked for me. It took me almost a week. Though I'm still having issues with the users that had left since 6 months ago. Thank you once again.

  • feok4 (feok4)

    Adekunle - the steps to hide someone who left are a little different and it all depends on your off-boarding procedures. I'll assume the AD account still exists but is disabled, the Okta account still exists but is deactivated. Here is what we do:

    • If the mailbox for the user who left is a shared mailbox, you need to convert it back to a user mailbox - this will consume a licence but only for a short time (see step down below)
    • Re-enable the AD account
    • Run an AD import from Okta, ensuring the Okta account becomes AD mastered
    • Change an attribute on the AD account, say description, to make sure it flows from AD to Okta to O365
    • Once you have confirmation the attribute flow is working as stated above, proceed to the steps I sent in the earlier post
    • Once the mailbox is hidden, convert the user to a shared mailbox and then remove the licence from the mailbox. Disable AD account, deactivate Okta account

     

    Let me know if this helps.

     

    Jeff
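
Added example (not part of the original thread, and not Okta or Microsoft code): a PowerShell check that reports which departed users are still visible in the GAL once the steps above have been run. The function name, the `-Departed` list and the sample objects are assumptions constructed for illustration; the property names are those returned by `Get-Mailbox` in Exchange Online.

```powershell
# Added example. Input objects need the Get-Mailbox properties
# PrimarySmtpAddress, RecipientTypeDetails, IsDirSynced and
# HiddenFromAddressListsEnabled. Get-GalOffboardingGap is a hypothetical name.
function Get-GalOffboardingGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Mailbox,
        # Addresses of people who have left, e.g. from the off-boarding list.
        [Parameter(Mandatory)] [string[]] $Departed
    )
    process {
        $address = [string]$Mailbox.PrimarySmtpAddress
        if ($Departed -notcontains $address) { return }        # not a leaver
        if ($Mailbox.HiddenFromAddressListsEnabled) { return } # already hidden

        # Dir-synced objects reject Set-Mailbox in the cloud (the error quoted
        # in the question), so the change has to come through the sync source.
        $fixVia = if ($Mailbox.IsDirSynced) { 'Sync source (Okta attribute mapping)' }
                  else { 'Set-Mailbox in Exchange Online' }

        [pscustomobject]@{
            Mailbox     = $address
            Type        = $Mailbox.RecipientTypeDetails
            IsDirSynced = [bool]$Mailbox.IsDirSynced
            FixVia      = $fixVia
        }
    }
}

# Constructed sample data standing in for Get-Mailbox output.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'leaver.one@example.com'
        RecipientTypeDetails = 'SharedMailbox'; IsDirSynced = $true
        HiddenFromAddressListsEnabled = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'leaver.two@example.com'
        RecipientTypeDetails = 'UserMailbox'; IsDirSynced = $true
        HiddenFromAddressListsEnabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'current.user@example.com'
        RecipientTypeDetails = 'UserMailbox'; IsDirSynced = $true
        HiddenFromAddressListsEnabled = $false }
)
$sample | Get-GalOffboardingGap -Departed 'leaver.one@example.com', 'leaver.two@example.com'

# Against a live tenant (after Connect-ExchangeOnline), with a hypothetical
# departed.txt holding one address per line:
# Get-Mailbox -ResultSize Unlimited | Get-GalOffboardingGap -Departed (Get-Content .\departed.txt)
```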

  • 0o6wy (0o6wy)

    Hi Jeff,

    I activated the former users in Okta, which assigned licenses to them. I followed your last step: locate a user in Okta, choose Edit and you should now see the attribute you created above. Set to true to hide, false to show. Default is undefined. And it worked. Thank you. All good.

     

    Regards,

    Adekunle

     

  • 0o6wy (0o6wy)

    Hi Jeff,

     

    Sorry to bother you again. I tried to create a user from my Active Directory. The user was created successfully, but Okta refuses to create the user in Okta, saying

    msExchHideFromAddressLists Value for required property msExchHideFromAddressLists is missing.

     

    Please, have you come across this before? It seems to be the msExchHideFromAddressLists that is missing in the AD.

    I even added an AD schema in Active Directory, created an attribute msExchHideFromAddressLists and set its value to false, but it is still not working. I don't know what I've done wrong.

     

    Any help will be appreciated.

    Regards,

    Adekunle

     

  • feok4 (feok4)

    Did you check the box for Attribute Required? If so, clear that check box.
This question is closed.