GAL Segmentation – Separate domains in GAL
In this article you will learn how to perform GAL Segmentation to separate users of 2 or more domains.
- GAL Segmentation basis on departments in Microsoft 365 organization.
Scenario
- You have 2 domains in Microsoft 365 tenant, office365concepts.com and m365concepts.com.
- Users of office365concepts.com domain should be able to see only the users and groups of this domain. The users of this domain should not be able to see the users and groups of m365concepts.com domain.
- Users of m365concepts.com domain should be able to see only the users and groups of this domain. The users of this domain should not be able to see the users of office365concepts.com.
- Administrators should be able to see all the users and groups of both the domains.
Table of Contents
Below is are the domains, users and groups details in my Microsoft 365 organization. Both the domains have 2 user accounts and 1 distribution list. If you have more domains or users, you can follow the same steps as given below.
As shown in the below image, user [email protected] can see all the users and groups in the Default Global Address List.
And in the below image you can see, the user [email protected] can see all the users and groups in the default Global Address List.
How to perform GAL Segmentation in Microsoft 365
Now let’s separate the users and groups basis on the domains they are using, so that the users of 1 domain can’t see the users or groups of other domain. They should see the users and groups of their domain only.
Step 1. Connect to Exchange Online
Open Windows PowerShell and run below command to connect to Exchange Online.
Connect-ExchangeOnlineStep 2. Enable Organization Customization
Run below PowerShell command to enable organization customization.
Enable-OrganizationCustomizationStep 3. Create Role Group for Address Lists permission
In the next step we will create new RBAC role group for Address Lists and will add the administrator account as member.
Important: Creating RBAC group for Address Lists permission from Exchange Admin Center can take up to 24 hours for replication. I recommend you to assign this role group using PowerShell command as it takes lesser time for replication as compare to the changes done from GUI. Once role is assigned using PowerShell command, wait for sometime, close Windows PowerShell and open a new window. and connect to Exchange Online PowerShell again.
Create Role Group from Exchange Admin Center (EAC)
To create role group from Exchange Admin Center (EAC), expand Roles, click Admin roles, and click Add role group.
On the Set up the basics page, type a name for the role group and click Next.
On the Add permissions page, select Address lists permission and click Next.
On the Assign admins page add the administrator account that is going to make changes in Global Address List (GAL).
On the Review role group and finish page, click Add role group.
Create Role Group using PowerShell
To create a role group using PowerShell, run below command.
New-RoleGroup -Name "Address List" -Roles "Address Lists" -Members [email protected]The above command will create a role group with name Address List, it will add Address Lists permission in the role group, and will assign this role group to [email protected].
Note: You can assign Address Lists role group to an administrator of any domain of your organization. This admin account will be responsible to configure GAL Segmentation.
Step 4. Enable address book policy routing
Address book policy routing controls how recipients are resolved in an organization that uses address book policies to create separate virtual organizations within the same Exchange organization. Run below command to enable address book policy routing:
Set-TransportConfig –AddressBookPolicyRoutingEnabled $TrueStep 5. Update Custom Attribute for users and groups using PowerShell
In the next step of GAL segmentation, we will update the Custom Attribute value for the users and groups in both domains. We will add a value Office365Concepts in CustomAttribute1 for the users and groups that belong to office365concepts.com domain, and we will add value M365Concepts in the CustomAttribute1 for the users and groups that belong to m365concepts.com domain. You can update custom attribute value by using Exchange Admin Center (EAC) or PowerShell. We will use PowerShell commands to update custom attribute.
Update CustomAttribute1 for users and groups of office365concepts.com domain
Run below commands to update CustomAttribute1 for users of office365concepts.com domain:
Set-Mailbox -Identity [email protected] -CustomAttribute1 "Office365Concepts"
Set-Mailbox -Identity [email protected] -CustomAttribute1 "Office365Concepts"To update CustomAttribute1 value for the groups in office365concepts.com domain, run below command:
Set-DistributionGroup -Identity [email protected] -CustomAttribute1 "Office365Concepts"To verify the value of CustomAttribute1 for users and groups, run below command:
Get-Recipient | Where-Object {$_.CustomAttribute1 -eq "Office365Concepts"} | Select-Object DisplayName
Update CustomAttribute1 for users and groups of m365concepts.com domain
Run below commands to update CustomAttribute1 for users of m365concepts.com domain:
Set-Mailbox -Identity [email protected] -CustomAttribute1 "M365Concepts"
Set-Mailbox -Identity [email protected] -CustomAttribute1 "M365Concepts"To update CustomAttribute1 value for the groups in m365concepts.com domain, run below command:
Set-DistributionGroup -Identity [email protected] -CustomAttribute1 "M365Concepts"To verify the value of CustomAttribute1 for users and groups, run below command:
Get-Recipient | Where-Object {$_.CustomAttribute1 -eq "M365Concepts"} | Select-Object DisplayName
Step 6. Create Address Lists
In the next step of GAL Segmentation, we will create Address Lists for both office365concepts.com and m365concepts.com domains.
Create Address List for office365concepts.com domain
To create Address List for office365concepts.com domain, run below PowerShell command:
New-AddressList -Name "AL_Office365Concepts" -RecipientFilter {((RecipientType -eq 'UserMailbox') -or (RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "DynamicDistributionGroup")) -and (CustomAttribute1 -eq "Office365Concepts")}Create Address List for m365concepts.com domain
To create Address List for m365concepts.com domain, run below PowerShell command:
New-AddressList -Name "AL_M365Concepts" -RecipientFilter {((RecipientType -eq 'UserMailbox') -or (RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "DynamicDistributionGroup")) -and (CustomAttribute1 -eq "M365Concepts")}Step 7. Create Global Address Lists (GAL)
In the next step of GAL Segmentation, we will create Global Address Lists (GAL) using PowerShell commands for both office365concepts.com and m365concepts.com domains.
Create Global Address List for office365concepts.com domain
To create Global Address List (GAL) for office365concepts.com domain, run below PowerShell command:
New-GlobalAddressList -Name "GAL_Office365Concepts" -RecipientFilter {(CustomAttribute1 -eq "Office365Concepts")}Create Global Address List for m365concepts.com domain
To create Global Address List (GAL) for m365concepts.com domain, run below PowerShell command:
New-GlobalAddressList -Name "GAL_M365Concepts" -RecipientFilter {(CustomAttribute1 -eq "M365Concepts")}Step 8. Create Offline Address Books
In the next step, we will create Offline Address Books for office365concepts.com and m365concepts.com domains.
Create Offline Address Book for office365concepts.com domain
To create Offline Address Book for office365concepts.com domain, run below PowerShell command:
New-OfflineAddressBook -Name "OAB_Office365Concepts" -AddressLists "GAL_Office365Concepts"Create Offline Address Book for m365concepts.com domain
To create Offline Address Book for m365concepts.com domain, run below PowerShell command:
New-OfflineAddressBook -Name "OAB_M365Concepts" -AddressLists "GAL_M365Concepts"Step 9. Create Address Book Policies for both domains
In this step we will create Address Book Policies for both office365concepts.com and m365concepts.com domains.
Create Address Book Policy for office365concepts.com domain
To create Address Book Policy (ABP) for office365concepts.com domain, run below PowerShell command:
New-AddressBookPolicy -Name "ABP_Office365Concepts" -AddressLists "AL_Office365Concepts" -OfflineAddressBook "\OAB_Office365Concepts" -GlobalAddressList "\GAL_Office365Concepts" -RoomList "\All Rooms"Create Address Book Policy for m365concepts.com domain
To create Address Book Policy (ABP) for m365concepts.com domain, run below PowerShell command:
New-AddressBookPolicy -Name "ABP_M365Concepts" -AddressLists "AL_M365Concepts" -OfflineAddressBook "\OAB_M365Concepts" -GlobalAddressList "\GAL_M365Concepts" -RoomList "\All Rooms"Step 10. Assign Address Book Policies to users of both domains
In this step we will assign Address Book Policies to the users of both domains.
Assign Address Book Policy to office365concepts.com domain users
Run below command to assign address book policy to the users of office365concepts.com domain.
Get-Mailbox| where {$_.CustomAttribute1 -eq "Office365Concepts"}| Set-Mailbox -AddressBookPolicy "ABP_Office365Concepts"To verify, please run below command:
Get-Mailbox | where {$_.CustomAttribute1 -eq "Office365Concepts"}| Select-Object AddressBookPolicyAssign Address Book Policy to m365concepts.com domain users
Run below command to assign address book policy to the users of m365concepts.com domain.
Get-Mailbox| where {$_.CustomAttribute1 -eq "M365Concepts"} | Set-Mailbox -AddressBookPolicy "ABP_M365Concepts"To verify, please run below command:
Get-Mailbox | where {$_.CustomAttribute1 -eq "m365Concepts"}| Select-Object AddressBookPolicyNote: We will not create or apply Address Book Policy to the administrators as they will use default Global Address List (GAL) and Address Book Policy (ABP).
Results
In the below image you can see the new Global Address List (GAL) and Address List (AL) for the user of office365concepts.com domain.
And in the below image you can see the new Global Address List and Address List (AL) for the user of m365concepts.com domain
Conclusion
In this blog you learnt how to separate the users on the basis of the domain names they are using in your organization.
You might like our other article on GAL Segmentation on the basis of departments.
If you found this article helpful and informative, please share it within your community and do not forget to share your feedback in the comments below. Please join our YouTube channel for the latest videos on the Cloud technology and join our Newsletter for the early access of articles and updates.
Happy Learning!!