Hiding / Unhiding users from Exchange 2007/2010 Global Address Lists using FIM 2010

I'm just wondering if anyone has successfully managed to implement a solution to hide and unhide mailbox enabled users from the global address list in Exchange 2007 (or 2010/2013) using FIM 2010 (or R2) ?

I've seen a couple of posts related to the same question but the only suggestion was to set msExchHideFromAddressLists to TRUE to hide and remove / set to "FALSE" to unhide.  However in my previous role I was an Exchange admin and I'm not sure this (a) works properly (see http://social.technet.microsoft.com/Forums/en-US/1bfc1f51-fcab-41c0-a44e-43f98565b1bf/hide-email-address-from-global-address-list-exchange-2007) (b) is supported from an Exchange perspective.

I've done some before / after testing of changing the "Hide from Exchange address lists" using either the Exchange management console or management shell, and in addition to changing the "msExchHideFromAddressLists" attribute, the "showInAddressBook" attribute is also updated at the same time.  So, to hide :

"msExchHideFromAddressLists" is set to "True"
"showInAddressBook" is set to null / blanked out

Easy enough to do in a rules extension, but the problem arises when you want to unhide a mailbox from the GAL, in which case you have to set "msExchHideFromAddressLists" to False/Null, but how do you repopulate "showInAddressBook"? When you use the EMC/EMS, Exchange does some under-the-covers stuff to repopulate that attribute. It used to be a function of RUS in Exchange 2003, but since 2007 RUS no longer exists. You can set "msExchHideFromAddressLists" to null and then run "Update-Recipient" in PowerShell (similar to what FIM does following Exchange provisioning) and this does populate "showInAddressBook", but then you've got to call PowerShell somehow.

All of the Exchange-related posts I've read say basically use either the EMC or EMS, so I was just wondering if anyone had achieved this using FIM and, if so, how? The only way I can think of doing this is having an MPR/Set/Workflow in the portal that kicks off a bit of PowerShell, but I was wondering if anyone had done this using the sync server/attribute flows/rules extensions, that kind of thing?

July 10th, 2013 7:51am

Have you checked whether, if you just change "msExchHideFromAddressLists" to FALSE or TRUE, the Exchange PowerShell extension for the AD MA is executed? (I'm not sure if it does or not)


Another way to (de)provision mailboxes is, for example, by using a PowerShell MA that executes the Exchange PoSH cmdlets. Soren Granfelt has one for free.

http://blog.goverco.com/p/powershell-management-agent.html


July 10th, 2013 9:48am

By the way, regarding the PowerShell MA, check out the upcoming FIM User Group meeting. Soren will present about his PowerShell MA. A must see!

http://blog.goverco.com/2013/06/fim-team-user-group.html

July 10th, 2013 9:49am

Hi Jorge, thanks for the quick reply, I never thought to actually try it and see !! :-)

I've just set up an attribute flow / rules extension setting just "msExchHideFromAddressLists" to True/False and it looks like it is also setting "showInAddressBook" correctly. I've tried hiding / unhiding a few times and you are correct, it looks like the AD MA is automagically running a bit of PowerShell in the background. I'm guessing it is running an Update-Recipient kind of thing. I have to admit I thought it only did this for provisioning, but it appears to do it for attribute flows also.

Excellent, that answers my question.

Thanks for your help.

July 10th, 2013 11:03am
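
A way to verify the behaviour discussed above after a FIM export run, as an added example that is not from any participant in this thread: it lists mailbox-enabled users whose "msExchHideFromAddressLists" and "showInAddressBook" values disagree. It assumes the ActiveDirectory PowerShell module is available, that mailbox-enabled users can be selected by a populated homeMDB attribute, and that `$SearchBase` (a placeholder) is replaced with a real OU; the function name is hypothetical.

```powershell
# Added example: audit GAL-visibility attributes written by the FIM AD MA.
# Assumptions: ActiveDirectory module installed; homeMDB identifies mailbox users.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'   # placeholder OU, replace before use

# Classify one account from its two attribute values (hypothetical helper).
function Get-GalVisibilityState {
    param($HideFlag, [int]$AddressListCount)

    # An unset flag ($null) is treated the same as FALSE, as in the thread.
    [bool]$hidden = ($HideFlag -eq $true)

    if ($hidden -and $AddressListCount -gt 0) {
        return 'Inconsistent: hidden flag set, showInAddressBook still populated'
    }
    if (-not $hidden -and $AddressListCount -eq 0) {
        return 'Inconsistent: not hidden, showInAddressBook is empty'
    }
    if ($hidden) { return 'Hidden' }
    return 'Visible'
}

# Read-only query: nothing here modifies the directory.
Get-ADUser -SearchBase $SearchBase -LDAPFilter '(homeMDB=*)' `
           -Properties msExchHideFromAddressLists, showInAddressBook |
    ForEach-Object {
        # Drop $null so an unset attribute counts as zero address lists.
        $lists = @($_.showInAddressBook | Where-Object { $_ })

        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            HideFlag       = $_.msExchHideFromAddressLists
            AddressLists   = $lists.Count
            State          = Get-GalVisibilityState `
                                 -HideFlag $_.msExchHideFromAddressLists `
                                 -AddressListCount $lists.Count
        }
    } |
    Where-Object { $_.State -like 'Inconsistent*' } |
    Format-Table -AutoSize
```

An empty result means every mailbox in the OU has the two attributes in agreement; any row returned is an account where the background update did not repopulate or clear "showInAddressBook".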

Do you know how DirSync handles this kind of thing with Office365, by the way? We're (going to be) using a hybrid on-premise + O365 environment but we're likely to be using the MS OMA in our existing FIM installation rather than a separate DirSync appliance and I'm wondering about hiding from the GAL in our O365 tenancy also. We have a "sandpit" DirSync installed in a test environment so I can see what it looks like it is doing. In DirSync just the "msExchHideFromAddressLists" attribute is flowed but not "showInAddressBook". I was just wondering if DirSync does some of the same "under the covers" stuff (doesn't it use a web services connection to O365 rather than the remote PowerShell connection?). Just wondering if you know whether just setting "msExchHideFromAddressLists" is also equally as valid for Office365 too?

July 11th, 2013 5:42am

This topic is archived. No further replies will be accepted.
