Published: May 1, 2022
Update from Mar 5, 2023: Microsoft confirmed this as valid solution.
Update from May 20, 2024: still true
Update from June 12, 2024: I have just found “ABP in Exchange Online“… Looking into it…
Scenario
You want specific users do not appear in Microsoft 365 SharePoint, Teams or Outlook search results. For instance, when user left company and the account is not deleted, but just disabled in Entra Id (Azure AD), so account is present and searchable. Or there are two accounts of the same person – main one and a secondary one – so you want secondary account is removed from org structure and search. Etc.
Solution
Set “ShowInAddressList” Azure AD User object property to false.
It’s done using Az module, e.g. with PowerShell:
Update-AzADUser -UPNOrObjectId $upn -ShowInAddressList:$falseDetailed
In many cases we do not need some accounts to appear in Microsoft 365 Search. Examples are:
a) secondary or admin accounts
e.g. a person have several roles and several accounts under the same name, e.g.
regular user: John Smith John.Smith@contoso.com
administrative account: John Smith John.Smith.Admin@contoso.com
b) role, shared or service accounts: marketing@contoso.com
c) non-mail-enabled objects
d) disabled accounts
Getting multiple search results for the same person might confuse users and even lead to miscommunication and broken processes.
There is a good article by Tania Menice (Microsoft): Exclude Users From Delve and SharePoint Online People Search with the latest updates explaining how it is done for classic search and stating that currently it is not possible for modern search, but Microsoft is working on it.
In short, the article says:
- Set the profiles AD property msExchHideFromAddressLists to True or Yes,
- Sync/wait, so finally SharePoint UPA service SPS-HideFromAddressLists property will be updated (as it is mapped to msExchHideFromAddressLists AD property)
- Under SharePoint classic search – update query to:
{searchboxquery} -“SPS-HideFromAddressLists”:1
It works perfect for classic search. The problem is it does not work as expected in modern Microsoft Search.
“People” vertical is not customizable so far. So we cannot change query in Microsoft 365 search to do the same trick. But… it seems like Microsoft is working on it so finally it should be done by some kind of ootb config.
Here is how different services or search entry points respect SPS-HideFromAddressLists SharePoint UPA property:
| Microsoft 365 Service or Search Entry point | respect SPS-HideFromAddressLists (msExchHideFromAddressLists) |
| web Outlook “New message” user picker | Yes |
| web Outlook “Contacts” | Yes |
| Office.com “All” vertical | Yes |
| Office.com “People” vertical | No |
| SharePoint landing page “All” vertical | Yes |
| SharePoint landing page “People” vertical | No |
| Bing Work All Vertical | Yes |
| Bing Work People Vertical | Yes |
So only “People” vertical in Microsoft search does not respect SPS-HideFromAddressLists (msExchHideFromAddressLists).
(Modern) Microsoft 365 Search
What about cloud-based accounts (not synchronized from local AD)?
There is a configuration setting “Show in global address list” that does the same job. It’s under Microsoft 365 admin center -> Active Users -> User – Edit -> Mail -> Show in global address list:
And another configuration settings “Hide from global address list (GAL)” under Exchange Admin Center:
I tested behavior for different kind of accounts and here are results:
| User Account | #1 | #2 | #3 | #4 | #5 |
| Enabled | Yes | No | Yes | Yes | Yes |
| Licensed (E5) | No | Yes | Yes | Yes | Yes |
| m365 Admin Center: Show in Global Address List | n/a | No | No | Yes | No |
| Exchange Admin Center: Hide from global address list (GAL) | n/a | Yes | Yes | No | Yes |
| ShowInAddressList Entra Id property value | null | null | null | null | False |
| SPO UPA ‘SPS-HideFromAddressLists‘ value | False | False | False | False | True |
| Outlook Address List “All Users” | Shown | ||||
| Office.com Search: Vertical “All” | Shown | ||||
| Office.com Search: Vertical “People” | Shown | Shown | Shown | Shown | |
| Bing Work Search: All/People verticals | Shown | Shown | |||
| Teams Search: “All” Vertical | Shown | Shown | |||
| Teams Search: “People” vertical | Shown | Shown | Shown | Shown | |
| Microsoft 365 Profile card – Organization | Shown | Shown | |||
| Teams Profile card – Organization | Shown | Shown | Shown | Shown | |
| Teams People Picker | Shown | Shown | Shown | Shown | |
| SharePoint People Picker | Shown | ||||
| Outlook People Picker: | Shown |
It seems confusing we have 4 properties responsible for the same:
- “Show in Global Address List” under m365 Admin Center
- “Hide from global address list (GAL)” under Exchange Admin Center
- “ShowInAddressList” Azure AD User object property
- “SPS-HideFromAddressLists” SharePoint User Profile property
Are these properties related to each other?
Let’s test it:
| Action-Consequences (immediate reaction – minutes if not other mentioned) | “Show in Global Address List” under m365 Admin Center | “Hide from global address list (GAL)” under Exchange Admin Center | ShowInAddressList Azure AD User object property | SPS-HideFromAddressLists SharePoint User Profile property |
| New user created, license assigned | Yes | Off | null | False |
| Uncheck “Show in my organization address list” under Microsoft 365 admin center | No | On | after one minute: null after 24 hours: null | after one minute: False after 24 hours: False |
| Set “ShowInAddressList” Azure AD User object property to “True” | Yes | Off | True | False |
| Set “ShowInAddressList” Azure AD User object property to “False” | No | On | False | True |
Note: AzureAD module is deprecated, but Az module works fine here. I.e. Get-AzADUser instead of Get-AzureADUser and Update-AzADUser instead of Set-AzureADUser.
Check my code samples here.
Findings:
- “Show in Global Address List” under m365 Admin Center and “Hide from global address list (GAL)” under Exchange Admin Center – same switch, i.e. if you change one – another is updated automatically
Neither of them affect “ShowInAddressList” Azure AD User object property or “SPS-HideFromAddressLists” SharePoint User Profile property - “SPS-HideFromAddressLists” SharePoint User Profile property is not changeable.
If you try to change the property value you get an error message:
“Set-PnPUserProfileProperty : Property Not Editable: This property can not be modified.“ - “ShowInAddressList” Azure AD User object property is editable and synchronized to “Show in Global Address List” under m365 Admin Center and “Hide from global address list (GAL)” under Exchange Admin Center, and also with “SPS-HideFromAddressLists” SharePoint User Profile property (takes minutes), but then search crawler must pick this change up (takes hours) to hide/show the user (this was tested and validated for cloud-born accounts only)
- here Microsoft says: regarding showInAddressList – Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead. Represents whether the user should be included in the Outlook global address list. See Known issue.
- Known issue (Microsoft): showInAddressList property is out of sync with Microsoft Exchange. When querying users through Microsoft Graph, the showInAddressList property may not indicate the same status shown in Microsoft Exchange. We recommend you manage this functionality directly with Microsoft Exchange through the Microsoft 365 admin center and not to use this property in Microsoft Graph.
Disclaimer
I used and tested all cloud-born accounts only. I do not have on-prem AD, so If your users are synchronized from local AD – do your own research – is this property synced from some local AD property, and if so – set AD property instead.
Bottom line
Setting “ShowInAddressList” Azure AD User object property to “false” is the most effective way to hide user account from search, but it could be changed only with PowerShell:
Get-AzADUser -UserPrincipalName $upn -Select AccountEnabled, ShowInAddressList -AppendSelected
Update-AzADUser -UPNOrObjectId $upn -ShowInAddressList:$false
Microsoft’s vision on this is unclear.
Video tutorial
Here is the video tutorial on the same – excluding account from people search in Microsoft 365
References
- Microsoft: Exclude Users From Delve and SharePoint Online People Search
- Microsoft: IMicrosoftGraphUser.ShowInAddressList Property
- Microsoft: Microsoft Graph user resource type
- Vladilen: Search and Refine against custom user profile attributes
- Vladilen: Microsoft 365 People Search by Nickname
- Microsoft: Limit who users can see when searching the directory in Teams
- Microsoft: Address book policies in Exchange Online
Pingback: How to remove service accounts from people search in SharePoint or Office 365 (Classic search) ⋆ SharePoint Vlad
Pingback: Microsoft Search People Custom User Profile Property ⋆ SharePoint Vlad
Does this also remove the user from the Organization view in Teams/Outlook?
Yes, this removes account from org view in Teams and Outlook
Thanks for sharing! I have a hard time understanding why the People vertical at the organization level can’t be tailored to the organization needs, but I guess we just have to wait another year. As far as I know it isn’t even on the road map yet 🤨
TY for your feedback!
How can a hide a admin user without license from the teams addressbook? As this is a cloud only user, we do not have any hide from GAL or ShowInAddressList feature.
“ShowInAddressList” is an Azure AD User object property. Set it to False if you want to hide user from Teams
So we need an Azure E5 license to be able to hide a user in Teams?
We tried to change this setting ShowInAddressList in hybrid AD sync scenario. But it looks like impossible to set this value.
Set-AzureADUser -ObjectId $user.ObjectId -ShowInAddressList $false (feedback: Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.
Set-ADUser (not possible to edit this attribute). So then try to change this attribute by making use of Active Directory Users and Computers. Client is throwing and error on the screen: Operation failed. Error code: 0x20b5 the name reference is invalid.
Anyone knowing an proper solution to reach this solution? Lots of thanks 🙂
Hi Mark,
I was able to validate solution only with cloud-born accounts.
I will try AD sync scenario, but at the moment I do not have a proved answer.
I’d guess this property should be synced from some on-prem property, so the question is from what on-prem property.
Have you found the right on-prem property to validate that this works with AD synced accounts also?
ShowInAddressList set to false does not seem work to hide guest users in the teams search. Not sure what else I could do
has any one found answer to the issue as ShowInAddressList set to false does not seem work to hide guest users in the teams search.
Hi Vladilen,
Thank you for your guides and they are fantastic. I have followed the steps from the PowerShell and I am able to hide two test accounts. I did that this morning and after 1hr or so, I wont be able to see them on Outlook and Teams which is fantastic but for some reason when I checked them again in the afternoon, they appeared again in Outlook and Teams. Any idea? These accounts are cloud-born accounts. TIA
Trying this today and I seem unable to set the parameter ‘ShowInAddressList’. It just says the parameter cannot be found. I also cannot use -Select from the first step.
Have these features been removed?
let me check
Yep, the ShowInAddressList not longer shows. Seems like it can’t be updated from Powershell anymore.
Update-AzADUser -Upn xxxxx -ShowInAddressList:$false this command worked but when I do
Get-AzADUser -UserPrincipalName xxxxx -Select AccountEnabled, ShowInAddressList -AppendSelected it does not show the field ShowInAddressLis.
thanks for the heads-up…
maybe Microsoft is working on it… hopefully they’ll fix inconsistency and provide us with a working solution
Update:
I have just tested my two tenants – all works the same way as before – I can change ShowInAddressList property and changed values are displayed correctly.
This property should be synced to “Show in Global Address List” under m365 Admin Center and “Hide from global address list (GAL)” under Exchange Admin Center,
can you validate?
When I search in Teams and portal.office.com, the accounts do not show. So it seems to have worked. However, I’m trying to use the Webpart ‘People directory’ in SharePoint, but the accounts show up there when I search. Seems to be some disconnect. I also added the {searchboxquery} -“SPS-HideFromAddressLists”:1 which works for the classic search but not the modern one. Thanks for checking. Sincerely appreciated.