Hide User from Microsoft 365 People Search (for real)

Update from Mar 5, 2023: Microsoft confirmed this as valid solution.

Scenario

You want specific users do not appear in Microsoft 365 SharePoint, Teams or Outlook search results. For instance, when user left company and the account is not deleted, but just disabled in Entra Id (Azure AD), so account is present and searchable. Or there are two accounts of the same person – main one and a secondary one – so you want secondary account is removed from org structure and search. Etc.

Solution

Set “ShowInAddressList” Azure AD User object property to false. If users are synchronized from local AD – set AD property instead.

Detailed

In many cases we do not need some accounts appear in Microsoft 365 Search. Examples of are:

a) secondary/admin accounts
e.g. a person have several roles and several accounts under the same name, e.g.
regular user: John Smith John.Smith@contoso.com
administrative account: John Smith John.Smith.2@contoso.com
b) role, shared or service accounts
c) non-mail-enabled objects
d) disabled accounts

Getting multiple results for the same one person might confuse users and even lead to miscommunication and broken processes.

There is a good article by Tania Menice (Microsoft): Exclude Users From Delve and SharePoint Online People Search with the latest updates explaining how it is done for classic search and stating that currently it is not possible for modern search, but Microsoft is working on it.

Basically, the article says:

  • Set the profiles AD property msExchHideFromAddressLists to True or Yes,
  • Sync/wait, so finally SharePoint UPA service SPS-HideFromAddressLists property will be set (msExchHideFromAddressLists AD property is mapped to the UPA SPS-HideFromAddressLists)
  • Under SharePoint classic search – update query:
    {searchboxquery} to {searchboxquery} -“SPS-HideFromAddressLists”:1

It works perfect for classic search. The problem is it does not work as expected in modern Microsoft Search.

“People” vertical is not customizable so far. So we cannot change query in Microsoft 365 search to do the same trick. But… it seems like Microsoft is working on it so finally it should be done by ootb means.

Here is the current situation on how different services or search entry points respect SPS-HideFromAddressLists property:

Microsoft 365 Service or Search Entry pointrespect SPS-HideFromAddressLists
(msExchHideFromAddressLists)
web Outlook “New message” user pickerYes
web Outlook “Contacts”Yes
Office.com “All” verticalYes
Office.com “People” verticalNo
SharePoint landing page “All” verticalYes
SharePoint landing page “People” verticalNo
Bing Work All VerticalYes
Bing Work People VerticalYes

So only “People” vertical in Microsoft search does not respect SPS-HideFromAddressLists (msExchHideFromAddressLists).

What about cloud-based accounts (not synchronized from local AD)?

There is a configuration setting “Show in global address list” that does the same job. It’s under Microsoft 365 admin center -> Active Users -> User – Edit -> Mail -> Show in global address list:

And another configuration settings “Hide from global address list (GAL)” under Exchange Admin Center:

Here are experiment results:

User Account12345
EnabledYesNoYesYesYes
Licensed (E5)NoYesYesYesYes
m365 Admin Center: Show in Global Address Listn/aNoNoYesNo
Exchange Admin Center: Hide from global address list (GAL)n/aYesYesNoYes
Get-AzADUser -UserPrincipalName <upn> -Select ShowInAddressList -AppendSelected | Select-Object UserPrincipalName, ShowInAddressListnullnullnullnullFalse
SPO UPA ‘SPS-HideFromAddressLists‘ valueFalseFalseFalseFalseTrue
Outlook Address List “All Users” Shown
Office.com Search: Vertical “All”Shown
Office.com Search: Vertical “People”ShownShownShownShown
Bing Work Search: All/People verticalsShownShown
Teams Search: “All” VerticalShownShown
Teams Search: “People” verticalShownShownShownShown
Microsoft 365 Profile card – OrganizationShownShown
Teams Profile card – OrganizationShownShownShownShown
Teams People PickerShownShownShownShown
SharePoint People PickerShown
Outlook People Picker:Shown
* – some users can see changes after hours, for some it takes days

It seems confusing we have properties:

  • “Show in Global Address List” under m365 Admin Center
  • “Hide from global address list (GAL)” under Exchange Admin Center
  • “ShowInAddressList” Azure AD User object property
  • “SPS-HideFromAddressLists” SharePoint User Profile property

Are these properties related to each other?

Let’s test it:

Action-Consequences
(immediate reaction – minutes if not other mentioned)
“Show in Global Address List”
under m365 Admin Center
“Hide from global address list (GAL)”
under Exchange Admin Center
“ShowInAddressList”
Azure AD User object property
“SPS-HideFromAddressLists”
SharePoint User Profile property
New user created, license assignedYesOffnullFalse
Uncheck “Show in my organization address list” under Microsoft 365 admin centerNoOnafter one minute: null
after 24 hours:
null
after one minute:
False
after 24 hours:
False
Set “ShowInAddressList”
Azure AD User object property to “True”
YesOffTrueFalse
Set “ShowInAddressList”
Azure AD User object property to “False”
NoOnFalseTrue

Note: Az module works fine too. I.e. Get-AzADUser instead of Get-AzureADUser and Set-AzADUser instead of Set-AzureADUser.

Findings:

  • “Show in Global Address List” under m365 Admin Center and “Hide from global address list (GAL)” under Exchange Admin Center – same switch, i.e. if you change one – another is updated automatically
    Neither of them affect “ShowInAddressList” Azure AD User object property or “SPS-HideFromAddressLists” SharePoint User Profile property
  • “SPS-HideFromAddressLists” SharePoint User Profile property is not changeable.
    If you try to change the property value you get an error message:
    Set-PnPUserProfileProperty : Property Not Editable: This property can not be modified.
  • “ShowInAddressList” Azure AD User object property is editable and synchronized to “SPS-HideFromAddressLists” SharePoint User Profile property (takes minutes)
    but then search crawler must pick this change up (takes hours) to hide/show the user
  • This solution was tested and validated for cloud-born accounts only.
  • here Microsoft says: regarding showInAddressList – Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead. Represents whether the user should be included in the Outlook global address list. See Known issue.
  • Known issue (Microsoft): showInAddressList property is out of sync with Microsoft Exchange. When querying users through Microsoft Graph, the showInAddressList property may not indicate the same status shown in Microsoft Exchange. We recommend you manage this functionality directly with Microsoft Exchange through the Microsoft 365 admin center and not to use this property in Microsoft Graph.

Bottom line

Setting “ShowInAddressList” Azure AD User object property to “false” is the most effective way to hide user account from search, but it could be changed only through API e.g. via PowerShell and Microsoft’s vision is unclear.

Video tutorial

Here is the video tutorial on the same – excluding account from people search in Microsoft 365

References

14 thoughts on “Hide User from Microsoft 365 People Search (for real)

  1. Pingback: How to remove service accounts from people search in SharePoint or Office 365 (Classic search) ⋆ SharePoint Vlad

  2. Pingback: Microsoft Search People Custom User Profile Property ⋆ SharePoint Vlad

  3. Kasper Larsen

    Thanks for sharing! I have a hard time understanding why the People vertical at the organization level can’t be tailored to the organization needs, but I guess we just have to wait another year. As far as I know it isn’t even on the road map yet 🤨

    Reply
  4. Yves

    How can a hide a admin user without license from the teams addressbook? As this is a cloud only user, we do not have any hide from GAL or ShowInAddressList feature.

    Reply
  5. Mark Gort

    We tried to change this setting ShowInAddressList in hybrid AD sync scenario. But it looks like impossible to set this value.

    Set-AzureADUser -ObjectId $user.ObjectId -ShowInAddressList $false (feedback: Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.

    Set-ADUser (not possible to edit this attribute). So then try to change this attribute by making use of Active Directory Users and Computers. Client is throwing and error on the screen: Operation failed. Error code: 0x20b5 the name reference is invalid.

    Anyone knowing an proper solution to reach this solution? Lots of thanks 🙂

    Reply
    1. Vladilen Post author

      Hi Mark,

      I was able to validate solution only with cloud-born accounts.
      I will try AD sync scenario, but at the moment I do not have a proved answer.

      I’d guess this property should be synced from some on-prem property, so the question is from what on-prem property.

      Reply
      1. Kalervo Jankko

        Have you found the right on-prem property to validate that this works with AD synced accounts also?

  6. AZ

    ShowInAddressList set to false does not seem work to hide guest users in the teams search. Not sure what else I could do

    Reply
    1. Shey

      has any one found answer to the issue as ShowInAddressList set to false does not seem work to hide guest users in the teams search.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *