Published: May 1, 2022
Update from Mar 5, 2023: Microsoft confirmed this as a valid solution.
Update from May 20, 2024: still true
Update from June 12, 2024: I have just found “ABP in Exchange Online”… Looking into it…
Scenario
You want specific users not to appear in Microsoft 365 SharePoint, Teams or Outlook search results. For instance, a user has left the company and the account is not deleted but just disabled in Entra ID (Azure AD), so the account is still present and searchable. Or there are two accounts for the same person, a main one and a secondary one, and you want the secondary account removed from the org structure and search. And so on.
Solution
Set the “ShowInAddressList” Azure AD User object property to false.
This is done with the Az module in PowerShell, e.g.:
Update-AzADUser -UPNOrObjectId $upn -ShowInAddressList:$false
Detailed
In many cases we do not need some accounts to appear in Microsoft 365 Search. Examples are:
a) secondary or admin accounts
e.g. a person has several roles and several accounts under the same name:
regular user: John Smith John.Smith@contoso.com
administrative account: John Smith John.Smith.Admin@contoso.com
b) role, shared or service accounts: marketing@contoso.com
c) non-mail-enabled objects
d) disabled accounts
Getting multiple search results for the same person might confuse users and even lead to miscommunication and broken processes.
There is a good article by Tania Menice (Microsoft), Exclude Users From Delve and SharePoint Online People Search. With its latest updates, it explains how this is done for classic search and states that it is currently not possible for modern search, but that Microsoft is working on it.
In short, the article says:
- Set the profile's AD property msExchHideFromAddressLists to True or Yes.
- Sync and wait, so that the SharePoint UPA service property SPS-HideFromAddressLists is eventually updated (it is mapped to the msExchHideFromAddressLists AD property).
- Under SharePoint classic search, update the query to:
{searchboxquery} -"SPS-HideFromAddressLists":1
It works perfectly for classic search. The problem is that it does not work as expected in modern Microsoft Search.
The “People” vertical is not customizable so far, so we cannot change the query in Microsoft 365 search to do the same trick. But it seems Microsoft is working on it, so eventually it should be possible through some kind of out-of-the-box configuration.
Here is how different services or search entry points respect the SPS-HideFromAddressLists SharePoint UPA property:
Microsoft 365 Service or Search Entry point | Respects SPS-HideFromAddressLists (msExchHideFromAddressLists) |
web Outlook “New message” user picker | Yes |
web Outlook “Contacts” | Yes |
Office.com “All” vertical | Yes |
Office.com “People” vertical | No |
SharePoint landing page “All” vertical | Yes |
SharePoint landing page “People” vertical | No |
Bing Work All Vertical | Yes |
Bing Work People Vertical | Yes |
So only the “People” vertical in Microsoft Search does not respect SPS-HideFromAddressLists (msExchHideFromAddressLists).
(Modern) Microsoft 365 Search
What about cloud-based accounts (not synchronized from local AD)?
There is a configuration setting, “Show in global address list”, that does the same job. It’s under Microsoft 365 admin center -> Active Users -> User – Edit -> Mail -> Show in global address list:
And there is another configuration setting, “Hide from global address list (GAL)”, under Exchange Admin Center:
I tested behavior for different kinds of accounts and here are the results:
User Account | #1 | #2 | #3 | #4 | #5 |
Enabled | Yes | No | Yes | Yes | Yes |
Licensed (E5) | No | Yes | Yes | Yes | Yes |
m365 Admin Center: Show in Global Address List | n/a | No | No | Yes | No |
Exchange Admin Center: Hide from global address list (GAL) | n/a | Yes | Yes | No | Yes |
ShowInAddressList Entra Id property value | null | null | null | null | False |
SPO UPA ‘SPS-HideFromAddressLists’ value | False | False | False | False | True |
Outlook Address List “All Users” | Shown | ||||
Office.com Search: Vertical “All” | Shown | ||||
Office.com Search: Vertical “People” | Shown | Shown | Shown | Shown | |
Bing Work Search: All/People verticals | Shown | Shown | |||
Teams Search: “All” Vertical | Shown | Shown | |||
Teams Search: “People” vertical | Shown | Shown | Shown | Shown | |
Microsoft 365 Profile card – Organization | Shown | Shown | |||
Teams Profile card – Organization | Shown | Shown | Shown | Shown | |
Teams People Picker | Shown | Shown | Shown | Shown | |
SharePoint People Picker | Shown | ||||
Outlook People Picker: | Shown |
It seems confusing that we have 4 properties responsible for the same thing:
- “Show in Global Address List” under m365 Admin Center
- “Hide from global address list (GAL)” under Exchange Admin Center
- “ShowInAddressList” Azure AD User object property
- “SPS-HideFromAddressLists” SharePoint User Profile property
Are these properties related to each other?
Let’s test it:
Action / Consequences (immediate reaction, within minutes unless otherwise noted) | “Show in Global Address List” under m365 Admin Center | “Hide from global address list (GAL)” under Exchange Admin Center | ShowInAddressList Azure AD User object property | SPS-HideFromAddressLists SharePoint User Profile property |
New user created, license assigned | Yes | Off | null | False |
Uncheck “Show in my organization address list” under Microsoft 365 admin center | No | On | after one minute: null after 24 hours: null | after one minute: False after 24 hours: False |
Set “ShowInAddressList” Azure AD User object property to “True” | Yes | Off | True | False |
Set “ShowInAddressList” Azure AD User object property to “False” | No | On | False | True |
Note: AzureAD module is deprecated, but Az module works fine here. I.e. Get-AzADUser instead of Get-AzureADUser and Update-AzADUser instead of Set-AzureADUser.
Check my code samples here.
Findings:
- “Show in Global Address List” under m365 Admin Center and “Hide from global address list (GAL)” under Exchange Admin Center are the same switch, i.e. if you change one, the other is updated automatically. Neither of them affects the “ShowInAddressList” Azure AD User object property or the “SPS-HideFromAddressLists” SharePoint User Profile property.
- The “SPS-HideFromAddressLists” SharePoint User Profile property is not changeable. If you try to change the property value you get an error message:
“Set-PnPUserProfileProperty : Property Not Editable: This property can not be modified.”
- The “ShowInAddressList” Azure AD User object property is editable and is synchronized to “Show in Global Address List” under m365 Admin Center and “Hide from global address list (GAL)” under Exchange Admin Center, and also to the “SPS-HideFromAddressLists” SharePoint User Profile property (takes minutes), but then the search crawler must pick this change up (takes hours) to hide/show the user (this was tested and validated for cloud-born accounts only).
- here Microsoft says: regarding showInAddressList – Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead. Represents whether the user should be included in the Outlook global address list. See Known issue.
- Known issue (Microsoft): showInAddressList property is out of sync with Microsoft Exchange. When querying users through Microsoft Graph, the showInAddressList property may not indicate the same status shown in Microsoft Exchange. We recommend you manage this functionality directly with Microsoft Exchange through the Microsoft 365 admin center and not to use this property in Microsoft Graph.
Disclaimer
- I used and tested all cloud-born accounts only. I do not have on-prem AD, so if your users are synchronized from local AD, do your own research: is this property synced from some local AD property? If so, set the AD property instead.
- Microsoft is constantly changing the product, so what I found out here now might differ from what you work with.
- It’s a good idea to test/validate this solution in your non-prod environment and against test users in your prod environment.
Bottom line
Setting the “ShowInAddressList” Azure AD User object property to “false” is the most effective way to hide a user account from search, but it can be changed only with PowerShell:
Get-AzADUser -UserPrincipalName $upn -Select AccountEnabled, ShowInAddressList -AppendSelected
Update-AzADUser -UPNOrObjectId $upn -ShowInAddressList:$false
Microsoft’s vision on this is unclear.
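For the disabled-account scenario, the same two cmdlets can be run across the whole tenant instead of one UPN at a time. The script below is an added example, not the author's code: the function name Hide-DisabledAzADUser, the -ExcludeUpn parameter and the sample UPN are hypothetical, and it assumes the Az.Resources module and an existing Connect-AzAccount session.

```powershell
# Added example, not the author's code. Assumes Az.Resources is installed and
# Connect-AzAccount has already been run with rights to update users.
function Hide-DisabledAzADUser {          # hypothetical function name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # UPNs that must stay visible even though the account is disabled.
        [string[]]$ExcludeUpn = @()
    )

    # ShowInAddressList is not in the default property set, so request it
    # explicitly, the same way the Get-AzADUser call above does.
    $disabled = Get-AzADUser -Filter "accountEnabled eq false" `
        -Select AccountEnabled, ShowInAddressList -AppendSelected

    foreach ($user in $disabled) {
        $upn = $user.UserPrincipalName
        if ($ExcludeUpn -contains $upn) { continue }

        # In the tests above only an explicit False hid the account;
        # null (the default) left it searchable.
        $before = $user.ShowInAddressList
        if ($before -eq $false) { continue }

        $changed = $false
        if ($PSCmdlet.ShouldProcess($upn, 'Set ShowInAddressList to false')) {
            Update-AzADUser -UPNOrObjectId $upn -ShowInAddressList:$false
            $changed = $true
        }

        # One report row per account that was (or would be) changed.
        [pscustomobject]@{
            UserPrincipalName = $upn
            Before            = if ($null -eq $before) { 'null' } else { "$before" }
            Changed           = $changed
        }
    }
}

# Dry run first: lists the accounts without modifying anything.
# The excluded UPN is a constructed sample value.
Hide-DisabledAzADUser -ExcludeUpn 'shared.mailbox@contoso.com' -WhatIf |
    Format-Table -AutoSize
```

Drop -WhatIf to apply the change; as noted in the findings, the search crawler then needs hours to pick it up.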
Video tutorial
Here is the video tutorial on the same – excluding account from people search in Microsoft 365
References
- Microsoft: Exclude Users From Delve and SharePoint Online People Search
- Microsoft: IMicrosoftGraphUser.ShowInAddressList Property
- Microsoft: Microsoft Graph user resource type
- Vladilen: Search and Refine against custom user profile attributes
- Vladilen: Microsoft 365 People Search by Nickname
- Microsoft: Limit who users can see when searching the directory in Teams
- Microsoft: Address book policies in Exchange Online