Using Exchange Address Book Policies with Teams


Teams Uses the Office 365 Toolbox

One of the nice things about Teams is that it makes full use of components available in the Office 365 software toolbox. There’s no question about reinventing wheels when perfectly good wheels are available for reuse. Teams uses Exchange for a calendar and compliance records, SharePoint for document storage, OneDrive for Business for personal sharing, and so on. It’s absolutely the right attitude to take.

The latest component adopted by Teams is directory segmentation, or the ability to give different views of directory contents to selected users. This feature is called Address Book Policies (ABPs) and first appeared in Exchange 2013.

Directory Views

Directory segmentation is often used by organizations like conglomerates made up of different operating companies or schools that have different colleges. The organization has a common infrastructure (in this case, Office 365), but wishes to limit what users can see. For example, they might decide that a user can only see other employees in the same company, or in the same country. An address book policy implements the limitation by giving users a customized view of the Global Address List (GAL).

An ABP is made up of four parts:

  • A custom GAL.
  • A custom Offline Address Book (OAB).
  • One or more custom address lists.
  • A custom room list.

If you don’t use ABPs, Exchange Online mailboxes use the default GAL, OAB, and address lists.

Filtered Views

Creating an ABP is a matter of defining the recipient filters for Exchange to create the custom views used by the ABP. For example, running the Get-GlobalAddressList cmdlet reveals the available GAL views defined in the tenant.

Get-GlobalAddressList

Name                        RecipientFilter
----                        ---------------
France GAL                  CustomAttribute10 -eq 'France'
Default Global Address List ((Alias -ne $null) -and (((ObjectClass -eq 'user') -or (ObjectClass -eq 'contact') -or (ObjectClass -eq 'msExchSystemMailbox') -or (ObjectClass -eq 'msExchDynamicDistributionList') -or (ObjectClass -eq 'group') -or (ObjectClass -eq 'publicFolder'))))

Two GALs are available. The first is a custom GAL (France GAL) with a recipient filter that finds any mail-enabled object with a value of “France” in its CustomAttribute10 property. The second is the default GAL with a recipient filter that includes all mail-enabled objects.

If we then run the Get-AddressBookPolicy cmdlet to see if any ABPs are defined, we see that there is one called “France ABP” and that its views are named appropriately. We can see the filters used for these views with the Get-OfflineAddressBook and Get-AddressList cmdlets.

Get-AddressBookPolicy

Name            GlobalAddressList AddressLists          OfflineAddressBook RoomList
----            ----------------- ------------          ------------------ --------
Engineering ABP \France GAL       {\France-Contacts...} \France OAB        \France-Rooms
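
The following is an added example, not code from the original article, showing how the four views of an ABP can be built from recipient filters and then bound into a policy. Only the France GAL filter comes from the output above; the filters for the address list and room list are assumptions for illustration, and the account running it needs the Address Lists role in Exchange Online.

```powershell
# Added example (not from the article). Run in an Exchange Online PowerShell
# session with the Address Lists role assigned.
# Only this filter appears on the page; the narrower filters below are assumptions.
$Scope = "CustomAttribute10 -eq 'France'"

# Preview which recipients the filter selects before building views on it.
Get-Recipient -RecipientPreviewFilter $Scope -ResultSize 50 |
    Format-Table DisplayName, RecipientType, CustomAttribute10

# 1. Custom GAL: every mail-enabled object tagged for France.
New-GlobalAddressList -Name 'France GAL' -RecipientFilter $Scope

# 2. Custom address list: mailboxes and mail contacts in scope (assumed filter).
New-AddressList -Name 'France-Contacts' -RecipientFilter `
    "((RecipientType -eq 'UserMailbox') -or (RecipientType -eq 'MailContact')) -and ($Scope)"

# 3. Custom room list: room mailboxes in scope (assumed filter).
New-AddressList -Name 'France-Rooms' -RecipientFilter `
    "(RecipientDisplayType -eq 'ConferenceRoomMailbox') -and ($Scope)"

# 4. Custom OAB generated from the custom GAL.
New-OfflineAddressBook -Name 'France OAB' -AddressLists '\France GAL'

# Bind the four views into one policy.
New-AddressBookPolicy -Name 'France ABP' `
    -GlobalAddressList '\France GAL' `
    -OfflineAddressBook '\France OAB' `
    -RoomList '\France-Rooms' `
    -AddressLists '\France-Contacts'

# Confirm that the policy references the intended views.
Get-AddressBookPolicy -Identity 'France ABP' |
    Format-List Name, GlobalAddressList, AddressLists, OfflineAddressBook, RoomList
```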

Assigning to Mailboxes

An ABP is assigned to a mailbox by setting the AddressBookPolicy property of the mailbox. To check what ABPs are in place for mailboxes, run the Get-Mailbox cmdlet:

Get-Mailbox -RecipientTypeDetails UserMailbox -Filter {AddressBookPolicy -ne $Null} | Format-Table DisplayName, Alias, AddressBookPolicy

DisplayName                            Alias         AddressBookPolicy
-----------                            -----         -----------------
Kevin A. Laahs                         kal           France ABP
Paul Cunningham                        PCunningham   France ABP
Sanjay Patel                           Sanjay.Patel  France ABP
Natasha Jones                          Natasha.Jones France ABP

To assign an ABP, run Set-Mailbox to update the property:

Set-Mailbox -Identity Brian.Weakliam -AddressBookPolicy "France ABP"

Using ABPs with Teams

ABPs are obviously useful to Exchange, but they are also used by Teams for the same reason: to segment your directory into sections accessible to different groups of users. To enable address book policies for Teams, go to the Org-wide settings section of the Teams and Skype for Business Online Admin Center, select Teams settings, and then toggle the switch for Scope directory search in Teams using an Exchange address book policy to On (Figure 1).

Figure 1: Switching on ABPs for Teams (image credit: Tony Redmond)

After refreshing its cache, Teams clients (version 1.1.00.28562 onwards) will respect the address book policy setting for user mailboxes and restrict users to selecting other users in the ABP when they start a chat. If they try to contact someone outside the ABP, Teams signals an error (Figure 2).

Figure 2: Error generated when a user tries to contact someone outside their ABP (image credit: Tony Redmond)

Not a Complete Block

Just like Exchange users can communicate with people outside their ABP by entering the SMTP address of a recipient, the use of ABPs in Teams is not a complete block.

For instance, the membership of teams that someone belongs to might include people inside and outside the scope of an ABP (including org-wide teams). Any member of a team can select another member and chat with them without hindrance, perhaps after browsing the full membership of the team with the Manage team menu option.

You can also use the organization link in a people card to traverse the structure of an organization to find someone interesting to communicate with. ABPs don’t stop this behavior. For example, if Natasha chats with Sanjay, she can follow Sanjay through the organization to find other people (Figure 3).

Figure 3: Viewing organizational information in Teams (image credit: Tony Redmond)

One Part of a Solution

Teams is designed to foster communication, not stop it, and ABPs are not intended to be a full block on interpersonal communication between different sections of an organization. Other methods like transport rules exist for that purpose in email, and if you want a full block in Teams, you’ll have to pay attention to the membership of teams, making teams private rather than public, not using org-wide teams, and not publishing organizational structures in Azure Active Directory.
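
To see where team membership crosses ABP boundaries, an administrator can report on every team whose members hold different address book policies. This is an added example, not code from the original article; it assumes sessions already opened with Connect-ExchangeOnline and Connect-MicrosoftTeams, and the helper name Get-MemberAbp is hypothetical.

```powershell
# Added example (not from the article): list teams whose members fall under
# more than one address book policy, so their membership can be reviewed.
# Assumes Connect-ExchangeOnline and Connect-MicrosoftTeams have been run.

$AbpCache = @{}   # UPN -> ABP label, so each mailbox is queried only once

function Get-MemberAbp {          # hypothetical helper name
    param([string]$Upn)
    if (-not $AbpCache.ContainsKey($Upn)) {
        $Label = '(no mailbox)'   # guests and unlicensed accounts
        $Mbx = Get-Mailbox -Identity $Upn -ErrorAction SilentlyContinue
        if ($Mbx) {
            $Label = '(default GAL)'   # mailbox exists but has no ABP assigned
            if ($Mbx.AddressBookPolicy) { $Label = [string]$Mbx.AddressBookPolicy }
        }
        $AbpCache[$Upn] = $Label
    }
    return $AbpCache[$Upn]
}

$Report = foreach ($Team in (Get-Team)) {
    $Members = @(Get-TeamUser -GroupId $Team.GroupId)
    # Group the members by the ABP (or lack of one) on their mailbox.
    $ByAbp = @($Members | Group-Object -Property { Get-MemberAbp $_.User })
    if ($ByAbp.Count -gt 1) {
        [pscustomobject]@{
            Team       = $Team.DisplayName
            Visibility = $Team.Visibility
            Members    = $Members.Count
            Policies   = ($ByAbp | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join '; '
        }
    }
}

# Teams listed here let members reach each other regardless of their ABP.
$Report | Sort-Object Team | Format-Table -AutoSize -Wrap
```

Public teams in the report deserve the first look, because any user can join them and then chat with the existing members.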
