What is GAL Segmentation

GAL segmentation allows one to create the appearance of hosting multiple independent email
organizations within the same Office 365 tenant. Administrators can create multiple address books and
global address lists and filter them down to specific contacts, mailboxes and groups. This makes it possible
to restrict any given user to viewing the contact details only of the employees they are supposed to see,
creating the impression that the user is in a different Exchange / Office 365 organization.
GAL segmentation isn't a new concept. It was possible to do this in on-prem Exchange 2010,
Exchange 2007, and even as far back as Exchange 2003. But it is a somewhat new concept in Exchange
Online and Office 365, and there isn't a great deal of information on it out there yet.
Configure Prerequisites
Before we can jump into setting up GAL objects and policies, we need to grant ourselves permissions to
manage address lists in Office 365 (this permission is not enabled by default). We also need to enable
Address Book Policy Routing in Exchange Online.
Also, and this is important, check to make sure that you have either an Enterprise (E) or an Educational
(A) Office 365 subscription level. Address book policy routing is currently not supported on lower
subscription levels, and the instructions in this article will not work there.
Step 1: Grant Permissions to Manage Address Lists
1. Log into portal.microsoftonline.com using a global administrator Office 365 account
2. In the top menu bar, click on Admin and then Exchange
3. You are now in Exchange Admin Center, EAC
4. On the left, click Permissions
5. Click on the plus sign to add a new Role Group
1. Name: Address List Management
2. Roles: add Address List role
3. Members: add your global admin account as a member
4. Save the role group
Note: the steps above grant you access to the New-GlobalAddressList and New-AddressList cmdlets
that will be used later in this article. If you cannot see the Address List role, check your Office 365
subscription level and make sure that it is Enterprise or Education level. The Address List role does exist in
Exchange Online, but by default it is not assigned to anyone, so nobody has GAL/address book management
permissions until you create this role group.
Step 2: Connect to Exchange Online PowerShell and Enable Address Book Policy Routing
This step could be done on one of your ADFS farm servers that has Windows Azure Active Directory
PowerShell (WAAD Posh) installed. Launch WAAD as Administrator (elevate if you have UAC enabled).
Set-ExecutionPolicy RemoteSigned

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential (Get-Credential) -Authentication basic -AllowRedirection

Import-PSSession $session
This opens a remote PowerShell session to Exchange Online and imports its cmdlets into your local session.
To view the current ABP routing setting:
Get-TransportConfig | fl AddressBookPolicyRoutingEnabled
At this point let's go ahead and enable ABP routing in Exchange Online:
Set-TransportConfig -AddressBookPolicyRoutingEnabled $true
Re-run the Get-TransportConfig cmdlet to confirm that address book policy routing now shows as
enabled.
Note: if you get an error stating that the Enable-OrganizationCustomization cmdlet has not been run,
execute it (without any parameters) and give it half an hour before reconnecting to Exchange Online and
trying the ABP routing operation again.
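The two parts of Step 2 as one script, added here as an example and not taken from the original article: it connects the way the article shows, then enables address book policy routing only when it is still off, re-reads the setting rather than trusting the Set call, and handles the case where the tenant has not been customized yet by running Enable-OrganizationCustomization and reporting that a retry is needed. The function names are this example's own.

```powershell
# Added example (not from the original article). Assumes the Windows Azure AD PowerShell
# module is installed, as in Step 2; Connect-ExoRemoteSession and Enable-AbpRouting are
# names chosen for this example.

function Connect-ExoRemoteSession {
    param([Parameter(Mandatory)] [pscredential] $Credential)
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://ps.outlook.com/powershell/' `
        -Credential $Credential -Authentication Basic -AllowRedirection
    # Import the Exchange Online cmdlets into this session; return the session so it can be removed later.
    Import-PSSession $session -DisableNameChecking | Out-Null
    return $session
}

function Enable-AbpRouting {
    # Returns $true when ABP routing is on after the call, $false when the tenant still needs
    # Enable-OrganizationCustomization to finish propagating (the article says to wait about half an hour).
    $cfg = Get-TransportConfig
    if ($cfg.AddressBookPolicyRoutingEnabled) {
        Write-Host 'Address book policy routing is already enabled; nothing to do.'
        return $true
    }
    try {
        Set-TransportConfig -AddressBookPolicyRoutingEnabled $true -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -match 'Enable-OrganizationCustomization') {
            Write-Warning 'Tenant is not customized yet; running Enable-OrganizationCustomization. Reconnect and retry later.'
            Enable-OrganizationCustomization
            return $false
        }
        throw
    }
    # Confirm from a fresh read, as the article recommends, instead of assuming the Set succeeded.
    return [bool](Get-TransportConfig).AddressBookPolicyRoutingEnabled
}

$session = Connect-ExoRemoteSession -Credential (Get-Credential)
if (Enable-AbpRouting) {
    Get-TransportConfig | Format-List AddressBookPolicyRoutingEnabled
}
Remove-PSSession $session
```

Run this from the same elevated WAAD PowerShell window the article describes; if it returns the warning, reconnect after the waiting period and run it again, at which point the first branch of Enable-AbpRouting reports that routing is already on.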
Configure GAL Segmentation Based on Group Membership
Group membership-based address lists and global address lists rely on filtering on the MemberOf attribute. To
perform the next series of steps you need to be connected to both Exchange Online and the Office 365 tenant,
because some of the commands use one and some the other. So, continuing from Step 2 above where we connected
to Exchange Online, we will go ahead and link up to the MSOL service:
Connect-MsolService
Next we need to get the distinguished name of the distribution list that is replicated from our on-prem
Active Directory using Office 365 Dirsync:
$dn = (Get-DistributionGroup Test.Group).distinguishedName
If you care to see how this DN looks on the Microsoft side, type $dn and hit enter. Next, create a new
address list for resource mailboxes:
New-AddressList -Name "Test.Resources" -RecipientFilter "RecipientDisplayType -eq 'ConferenceRoomMailbox' -and memberOfGroup -eq '$dn'"
Pay special attention to apostrophes and double quotes: the whole filter is in double quotes so that PowerShell
expands $dn, while the values inside it are single-quoted so the filter parser sees them as string literals. Next we
create a new address list of user mailboxes:
New-AddressList -Name "Test.Mailboxes" -RecipientFilter "RecipientType -eq 'UserMailbox' -and memberOfGroup -eq '$dn'" -DisplayName "Test Mailboxes List"
Let's create a new Global Address List and Offline Address Book now:
New-GlobalAddressList -Name "Test.Gal" -RecipientFilter "MemberOfGroup -eq '$dn'"
New-OfflineAddressBook -Name "Test.Oab" -AddressLists "Test.Gal"
Finally, we are going to tie these lists together into a single address book policy object:
New-AddressBookPolicy -Name "Test.Abp" -AddressLists "Test.Mailboxes" -OfflineAddressBook "\Test.Oab" -GlobalAddressList "\Test.Gal" -RoomList "\Test.Resources"
All address book objects are now in place, and the last remaining step is to actually assign the address
book policy to our user objects, which is what ultimately filters or segments their GAL views. There are a
variety of ways to perform this assignment. The one provided here is by no means the only one or the
most elegant one, but it works. First, get the GUID of the Office 365 group that was used for address
book filtering:
Get-MsolGroup
GUIDs will be displayed in the left column. Find the one opposite Test.Group, the group used in the
example above.
You have to have the Exchange Online and Office 365 connections in the same WAAD PowerShell session for
the next step. Substitute GUID with the actual GUID; you don't need to use single or double quotes
around the GUID for this to work.
Get-Mailbox -ResultSize unlimited | Where-Object {$_.ExternalDirectoryObjectId -in (Get-MsolGroupMember -GroupObjectId GUID).objectid} | Set-Mailbox -AddressBookPolicy "Test.Abp"
This command grabs the object IDs of all members of our test group, gets their associated mailboxes, and
pipes them into the cmdlet that assigns the new address book policy. It's not the
prettiest PowerShell command, but it does the trick, and it can be scheduled to run periodically so that
newly created users who are members of Test.Group get the right GAL automatically.
To confirm that your assignment command worked successfully:
Get-Mailbox | fl displayName, AddressBookPolicy
Configure GAL Segmentation Based on Office Attribute
Office attribute in on-prem Active Directory maps to physicalDeliveryOfficeName in Exchange Online.
The approach is the same as above: we need to create 1) resource address list, 2) mailbox address list, 3)
GAL 4) offline address book based on GAL, then 5) create a new address book policy combining the 4
elements above, and finally 6) assign the new address book policy to mailboxes, which in this case have
a certain string in the Office attribute.
This next batch of commands requires only the Exchange Online PowerShell session (see Step 2 above).
New-AddressList -Name "AL_Flexecom_Rooms" -RecipientFilter "RecipientDisplayType -eq 'ConferenceRoomMailbox' -and Office -eq 'Toronto'"
New-AddressList -Name "AL_Flexecom" -RecipientFilter "RecipientType -eq 'UserMailbox' -and Office -eq 'Toronto'" -DisplayName "Flexecom Toronto Address List"
New-GlobalAddressList -Name "GAL_Flexecom" -RecipientFilter "Office -eq 'Toronto'"
New-OfflineAddressBook -Name "OAB_Flexecom" -AddressLists "GAL_Flexecom"
New-AddressBookPolicy -Name "ABP_Flexecom" -AddressLists "AL_Flexecom" -OfflineAddressBook "\OAB_Flexecom" -GlobalAddressList "\GAL_Flexecom" -RoomList "\AL_Flexecom_Rooms"
For the next command we have to have connections to both Exchange Online PowerShell and
MSOL / Office 365.
Get-Mailbox -ResultSize unlimited | Where-Object {$_.ExternalDirectoryObjectId -in (Get-MsolUser | Where-Object {$_.office -eq 'Flexecom'}).objectid} | Set-Mailbox -AddressBookPolicy "ABP_Flexecom"
This last command gets the object IDs of all user objects in the Office 365 directory whose Office attribute is
set to Flexecom, then uses this object ID list to find the Exchange Online mailboxes
whose ExternalDirectoryObjectID attribute matches one of those object IDs, and finally
pipes the mailboxes into the cmdlet that performs the address book policy assignment.
This may look hairy, but it really isn't all that complicated once you have done it once or twice, and it does
work great!
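The group-membership and Office-attribute procedures above differ only in the recipient filter and in how the set of users to assign is obtained, so here is one parameterized script, added as an example and not part of the original article, that covers both. It previews what a filter matches before creating anything, builds the room list, mailbox list, GAL, OAB and address book policy from that one filter, assigns the policy only to mailboxes that do not already have it, and finishes with an audit of mailboxes that have no address book policy at all (those still see the full tenant GAL, which is the gap segmentation is meant to close). It assumes an Exchange Online session from Step 2 plus Connect-MsolService; New-GalSegment, Set-GalSegmentMembers, Get-UnsegmentedMailboxes and the $Prefix naming scheme are this example's own.

```powershell
# Added example (not from the original article). Requires the Exchange Online remote session
# from Step 2 and Connect-MsolService for the directory lookups. Function names are assumptions.

function New-GalSegment {
    param(
        [Parameter(Mandatory)] [string] $Prefix,        # used to name the objects, e.g. "Flexecom"
        [Parameter(Mandatory)] [string] $MemberFilter,  # OPATH fragment selecting the segment's recipients
        [int] $PreviewCount = 5
    )
    # Dry run: show what the filter matches before any object is created, so a typo in the
    # filter (which would silently produce an empty GAL) is caught here.
    $preview = Get-Recipient -RecipientPreviewFilter $MemberFilter -ResultSize $PreviewCount
    $names = ($preview | ForEach-Object { $_.DisplayName }) -join ', '
    Write-Host ("Filter [{0}] matches, first {1}: {2}" -f $MemberFilter, $PreviewCount, $names)

    $rooms = New-AddressList -Name "AL_${Prefix}_Rooms" `
        -RecipientFilter "RecipientDisplayType -eq 'ConferenceRoomMailbox' -and ($MemberFilter)"
    $users = New-AddressList -Name "AL_$Prefix" -DisplayName "$Prefix Address List" `
        -RecipientFilter "RecipientType -eq 'UserMailbox' -and ($MemberFilter)"
    $gal   = New-GlobalAddressList -Name "GAL_$Prefix" -RecipientFilter $MemberFilter
    $oab   = New-OfflineAddressBook -Name "OAB_$Prefix" -AddressLists $gal.Name
    # Backslash is not an escape character in PowerShell strings, so "\$($gal.Name)" yields \GAL_Prefix.
    New-AddressBookPolicy -Name "ABP_$Prefix" -AddressLists $users.Name `
        -OfflineAddressBook "\$($oab.Name)" -GlobalAddressList "\$($gal.Name)" -RoomList "\$($rooms.Name)"
}

function Set-GalSegmentMembers {
    param(
        [Parameter(Mandatory)] [string]   $PolicyName,
        [Parameter(Mandatory)] [string[]] $DirectoryObjectIds   # Office 365 ObjectIds of the segment's users
    )
    # Hashtable lookup instead of -in so a large tenant is walked once, not members x mailboxes times.
    $wanted = @{}
    foreach ($id in $DirectoryObjectIds) { $wanted[[string]$id] = $true }
    $assigned = @()
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        if ($wanted.ContainsKey([string]$mbx.ExternalDirectoryObjectId) -and
            [string]$mbx.AddressBookPolicy -ne $PolicyName) {
            Set-Mailbox -Identity $mbx.Identity -AddressBookPolicy $PolicyName
            $assigned += [string]$mbx.PrimarySmtpAddress
        }
    }
    return $assigned   # mailboxes changed on this run; empty when the schedule finds nothing new
}

function Get-UnsegmentedMailboxes {
    # A mailbox with no ABP falls back to the default GAL and sees every recipient in the tenant.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.AddressBookPolicy } |
        Select-Object DisplayName, PrimarySmtpAddress, Office, RecipientTypeDetails
}

# Usage, Office-attribute segment. The same value must drive both the filter and the
# assignment; otherwise users receive a policy whose lists do not contain them.
$office = 'Toronto'
New-GalSegment -Prefix 'Flexecom' -MemberFilter "Office -eq '$office'"
$officeUsers = (Get-MsolUser -All | Where-Object { $_.Office -eq $office }).ObjectId
Set-GalSegmentMembers -PolicyName 'ABP_Flexecom' -DirectoryObjectIds $officeUsers

# Usage, group-membership segment, with the DN expanded into the filter as in the article.
$dn = (Get-DistributionGroup 'Test.Group').DistinguishedName
New-GalSegment -Prefix 'Test' -MemberFilter "MemberOfGroup -eq '$dn'"
$groupId = (Get-MsolGroup -SearchString 'Test.Group').ObjectId   # assumes exactly one match
$groupUsers = (Get-MsolGroupMember -GroupObjectId $groupId -All).ObjectId
Set-GalSegmentMembers -PolicyName 'ABP_Test' -DirectoryObjectIds $groupUsers

# Audit: anything listed here is still on the tenant-wide GAL.
Get-UnsegmentedMailboxes | Format-Table -AutoSize
```

Set-GalSegmentMembers is the part worth scheduling, as the article suggests for new users; because it skips mailboxes that already carry the policy, repeated runs only touch new members, and Get-UnsegmentedMailboxes gives the list to review after each run.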