Hide the On-Premises Sync account from Azure AD

Pro Tip by Graham Caparulo

If you’re using a hybrid AD / Azure AD environment, you will be all too familiar with syncing user attributes such as msExchHideFromAddressLists and ShowInAddressList, the goal being to hide users and other objects from the Global Address List (GAL) and other Address Lists.

On installation and setup, Azure AD Connect creates an ‘Azure AD Connector account’ in order to write information to Azure AD. This account has a display name of ‘On-Premises Directory Synchronization Service Account’ and, for some unknown reason, is not hidden by default.

You may find that this account is discoverable in certain O365 applications that return search objects straight from Azure AD. For us and many of our clients, this behavior is undesirable.

Depending on your Teams search scope, the account may be discoverable in a search.

Why is this? What’s the solution? How do we hide this account from Address Lists?

Simple right? Just set the appropriate attribute in Azure AD to hide it. Not so simple, actually – here’s what happens when we run a command to do so:

Set-AzureADUser -ObjectId "Sync_YOUR_AADCONNECT_MACHINE_NAME_UNIQUEID@xxx.xxx.com" -ShowInAddressList $false

AzureAD reports back that this account can’t be modified since it’s an OnPrem AD Account.

So? Just find the account in on-prem AD and set the msExchHideFromAddressLists attribute, right? Nope. The account doesn’t exist there – you won’t be able to find it.

Until Microsoft decides to hide the account by default, the solution that we came up with was to temporarily disable DirSync, which then allowed us to modify the Azure AD object attributes. We then re-enabled DirSync.

Here are the commands to be run against the Azure AD tenant using the MSOnline PowerShell module (Connect-MsolService).

Disable DirSync:
Set-MsolDirSyncEnabled -EnableDirSync $false

Hide the account:
Set-AzureADUser -ObjectId "Sync_YOUR_AADCONNECT_MACHINE_NAME_UNIQUEID@xxx.xxx.com" -ShowInAddressList $false

Enable DirSync:
Set-MsolDirSyncEnabled -EnableDirSync $true

(note: depending on how many Azure AD objects you have, you may need to wait up to 72 hours before Azure AD lets you re-enable DirSync. Ours allowed the command after about 3 hours, with around 300 objects).
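As an added example that is not part of the original post, here is the disable / hide / re-enable sequence above as one PowerShell script, with the state checks a tenant admin would want before and after each step: confirm sync is currently on, confirm the target really is the connector account, confirm the attribute changed before sync is turned back on, and keep retrying the re-enable during the window the post describes. The placeholder UPN, the display-name check, and the polling intervals are assumptions; the cmdlets are the MSOnline and AzureAD ones the post uses.

```powershell
# Added example, not from the original post. Assumes the MSOnline and AzureAD
# modules are installed and the caller holds Global Administrator.
#Requires -Modules MSOnline, AzureAD

param(
    # Placeholder: use the UserPrincipalName shown on the sync account in Azure AD.
    [string] $SyncAccountUpn = 'Sync_YOUR_AADCONNECT_MACHINE_NAME_UNIQUEID@xxx.xxx.com'
)

Connect-MsolService
Connect-AzureAD | Out-Null

# 1. Record the current sync state so the change is traceable, and refuse to
#    continue if sync is already off (something else is going on in the tenant).
$before = Get-MsolCompanyInformation
Write-Host "DirSync enabled before change: $($before.DirectorySynchronizationEnabled)"
if (-not $before.DirectorySynchronizationEnabled) {
    throw 'Directory sync is already disabled; investigate before continuing.'
}

# 2. Make sure the object we are about to modify is the connector account.
#    The display name check (assumed from the post) guards against a typo in the UPN.
$user = Get-AzureADUser -ObjectId $SyncAccountUpn
if ($user.DisplayName -ne 'On-Premises Directory Synchronization Service Account') {
    throw "Refusing to modify $($user.UserPrincipalName): display name is '$($user.DisplayName)'"
}
Write-Host "ShowInAddressList before change: $($user.ShowInAddressList)"

# 3. Disable directory sync tenant-wide. No on-prem changes reach Azure AD while
#    this is off, so run it inside a change window. -Force suppresses the prompt.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# The tenant can take a little while to report the new state; poll until it does.
# 30-second interval is an assumption.
do {
    Start-Sleep -Seconds 30
    $syncOn = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
} while ($syncOn)

# 4. Hide the account. This is the write Azure AD rejects while sync is enabled.
Set-AzureADUser -ObjectId $SyncAccountUpn -ShowInAddressList $false

# 5. Verify the attribute actually changed before re-enabling sync.
$after = Get-AzureADUser -ObjectId $SyncAccountUpn
if ($after.ShowInAddressList -ne $false) {
    throw 'ShowInAddressList did not change; leaving sync disabled for investigation.'
}

# 6. Re-enable sync. Azure AD may refuse this for up to 72 hours after disabling
#    (about 3 hours in the post's tenant), so retry on a timer instead of failing once.
#    15-minute retry interval is an assumption.
$deadline = (Get-Date).AddHours(72)
while ($true) {
    try {
        Set-MsolDirSyncEnabled -EnableDirSync $true -Force -ErrorAction Stop
        break
    } catch {
        if ((Get-Date) -gt $deadline) { throw "Could not re-enable DirSync: $_" }
        Write-Host "Re-enable not yet allowed ($($_.Exception.Message)); retrying in 15 minutes."
        Start-Sleep -Seconds 900
    }
}
Write-Host "DirSync enabled after change: $((Get-MsolCompanyInformation).DirectorySynchronizationEnabled)"
```

The script deliberately stops and leaves sync disabled if the hide step did not take effect, because re-enabling sync would only put you back where you started and cost another waiting period; the two Write-Host lines give you a before/after record of the tenant state for the change ticket.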