Segmenting Your Microsoft 365 Global Address List for Multi-Domain Organisations

In an era where mergers, acquisitions and multi-academy consolidations are commonplace, centralising multiple domains into a single Microsoft 365 tenant delivers undeniable efficiencies in security, licensing and administration. Yet with consolidation comes the hidden risk of an unwieldy Global Address List (GAL) – a single directory that exposes every mailbox, group and resource across your entire tenant. For an education trust of a dozen schools, this can mean a teacher accidentally emailing safeguarding records to the wrong academy. For a merged enterprise, it may result in sensitive financial forecasts landing in a newly acquired subsidiary’s inbox.

 

This article presents a fully-up-to-date approach – using native Exchange Online Address Book Policies (ABPs) – to carve a monolithic GAL into secure, domain or division specific views You’ll gain:

 

  • An understanding of why a single GAL poses security, compliance and productivity challenges
  • A clear description of ABP components and their interplay
  • Detail and plain-English explanations of PowerShell implementation patterns
  • Expanded sections on Security & Compliance, Extending Segmentation into Teams and Beyond, and Governance

 

Wherever possible, I’ve drawn directly from Microsoft’s latest documentation to ensure accuracy.

Why a Single GAL Becomes a Liability

Many organisations believe a centralised directory is inherently beneficial: one search bar to rule them all. In practice, users endure information overload when they must sift through hundreds or thousands of irrelevant entries to find a colleague or resource. Worse, autocomplete treats internal and external addresses the same, so a slip of the finger can expose confidential data to unintended recipients.

 

For multi-academy education trusts, safeguarding student information is non-negotiable. A misplaced click can send pupil assessment data or pastoral notes to the wrong school, risking GDPR breaches and parental complaints. In corporate scenarios – say, a company acquiring a competitor – financial controllers might inadvertently share year-end bonus details with executives of the acquired entity. These are not hypothetical concerns; every mis-addressed email carries reputational damage, regulatory fines and erosion of stakeholder trust.

 

IT helpdesks bear the brunt of this chaos, fielding reported incident tickets such as “Why can’t I find Mrs Jones in my academy?” or “Why am I seeing rooms from the finance department?” These repetitive queries divert valuable IT capacity from strategic projects – be it rolling out a new learning-management system or deploying advanced security analytics. As tenant scale grows, so too do the hidden costs of a monolithic GAL.

Address Book Policies: Virtual Segmentation

Rather than fragment your environment into separate tenants – an approach that multiplies licences, security boundaries and operational overhead – Exchange Online’s Address Book Policies (ABPs) offer a “virtual partition” within your existing tenant. An ABP bundles together four filtered directory view components so that users see only the objects assigned to their business unit or academy all while retaining centralised governance and compliance controls.

 

At its core, an ABP comprises:

 

  1. A Global Address List (GAL) scoped by a recipient filter, defining which mail-enabled objects appear in name-resolution requests.
  2. An Offline Address Book (OAB) downloaded by Outlook clients in cached mode, ensuring offline users browse the same filtered directory.
  3. A Room List, for filtering resource mailboxes (meeting rooms, shared equipment) to prevent cross-unit booking conflicts.
  4. Custom Address Lists, enabling category-based browsing (e.g. by department or faculty) within the defined scope.

 

By tagging mailboxes using a custom attribute or SMTP domain suffix you drive these filters automatically, so new users immediately inherit the correct ABP without manual reassignment. The Address Book Policy Routing agent further enforces isolation by marking out-of-scope lookups as “external” ﹘ preventing misleading “internal” display names in autocomplete once you enable it with:

Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

Dissecting the Four ABP Pillars
Global Address List (GAL)

When a user types a name into the To: field in Outlook or OWA, the directory lookup consults the GAL. A domain-specific GAL (e.g. GAL_Contoso) ensures that Division A staff resolve only their own colleagues, distribution lists and contacts. This scoping is driven by a recipient filter, most commonly mapping CustomAttribute1 to a division code, such as “Contoso”.

Offline Address Book (OAB)

Outlook’s cached-mode clients download the OAB every eight hours by default. When you create an OAB that points to the same filtered GAL and address lists (e.g. OAB_Contoso), offline users maintain the same segmented experience even when disconnected from the network. This is critical for remote or bandwidth-constrained environments where cached-mode Outlook is the norm.

Room List

Resource mailboxes (meeting rooms, hot desks, equipment) often clutter the global directory. By creating a Room List object filtered on both the RecipientDisplayType (e.g. ConferenceRoomMailbox) and your division tag, you surface only the relevant rooms in meeting-room pickers preventing double bookings and administrative friction across units.

Custom Address Lists

Under each GAL, you can present one or more Custom Address Lists for instance, “Finance Teams” or “Faculty Staff” using the same division filter. These lists appear as categories in Outlook’s address-book pane, enabling structured browsing rather than free-form search. Together, all four components weave a seamless, tailored directory experience for each business unit.

Security & Compliance: Fortifying Your Boundaries

Segmentation does more than improve usability – it underpins your security and compliance strategy with multiple, reinforcing controls.

Data Loss Prevention (DLP) becomes markedly more precise

With a monolithic GAL, DLP policies must blanket the entire tenant, triggering false positives when users legitimately email across divisions. By contrast, ABP segmentation lets you craft targeted DLP rules that apply within each directory silo. For example, exam results can circulate freely within an academy but are blocked when addressed outside its ABP, sharply reducing administrative overhead in policy tuning and alert triage.

eDiscovery and legal-hold scenarios

Segmented GALs shrink your search scope. Compliance officers can restrict Content Searches to a single ABP, slashing processing time and data volumes. In education trusts, this ensures that subject-access requests remain tightly confined to the relevant academy, a critical requirement under GDPR and UK data-protection regulations.

Auditability improvement

Exchange’s Admin Audit Logs record ABP assignments and changes. Paired with Entra ID sign-in logs and Microsoft Defender for Cloud App alerts, you gain a holistic view of who had directory view access and when; vital for ICO audits or GDPR/DPA reporting.

ABP segmentation, Conditional Access and Retention Labels

You can enforce stricter MFA or device compliance policies when users attempt to contact out-of-scope addresses, and automatically scope retention settings by ABP so that safeguarding incidents in one academy or financial approvals in one division inherit the correct retention label without manual intervention.

PowerShell Implementation Essentials

You don’t need to be a PowerShell maestro to stand up ABPs. Below are the core snippets, each accompanied by a clear explanation of what it achieves:

# 1. Tag mailboxes for Division “Contoso”
Get-Mailbox -Filter "WindowsEmailAddress -like '*@contoso.com'" | Set-Mailbox -CustomAttribute1 "Contoso"

This retrieves every mailbox with a primary SMTP in @contoso.com and sets its CustomAttribute1 to “Contoso”. This tag drives all subsequent filters.

# 2. Create an Address List for Contoso objects
New-AddressList -Name "AL_Contoso" -RecipientFilter "CustomAttribute1 -eq 'Contoso'"

Defines a curated address list named “AL_Contoso” containing only objects tagged “Contoso”. Users see “AL_Contoso” in Outlook’s address-book pane.

# 3. Create a filtered Global Address List
New-GlobalAddressList -Name "GAL_Contoso" -RecipientFilter "CustomAttribute1 -eq 'Contoso'"

Spins up a GAL called “GAL_Contoso” so that name resolution (autocomplete, To/Cc picker) consults only Division A objects.

# 4. Provision the Offline Address Book
New-OfflineAddressBook -Name "OAB_Contoso" -AddressLists "GAL_Contoso","AL_Contoso"

Creates an OAB snapshot combining the filtered GAL and address list; Outlook cached-mode clients download this snapshot on their regular.

# 5. Define the Room List for Contoso
New-AddressList -Name "Rooms_Contoso" -RecipientFilter "(RecipientDisplayType -eq 'ConferenceRoomMailbox') -and (CustomAttribute1 -eq 'Contoso')"

Isolates only room-mailboxes tagged “Contoso,” ensuring users book only local facilities.

# 6. Assemble and assign the ABP
New-AddressBookPolicy -Name "ABP_Contoso" `
  -GlobalAddressList "GAL_Contoso" `
  -AddressLists "AL_Contoso","Rooms_Contoso" `
  -OfflineAddressBook "OAB_Contoso" `
  -RoomList "Rooms_Contoso"
Get-Mailbox -Filter "CustomAttribute1 -eq 'Contoso'" | Set-Mailbox -AddressBookPolicy "ABP_Contoso"

Packages your filtered GAL, address lists, OAB and room list into ABP_Contoso, then assigns it to all Division A mailboxes. From that moment on, those users experience a personalised directory.

# 7. Enable cross-policy routing
Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

Ensures attempts to resolve addresses outside a user’s ABP show as “external,” preventing confusing “internal” display names.

Extending Segmentation into Teams and Beyond

While ABPs natively govern Exchange Online and Outlook, modern organisations demand consistent directory experiences across Microsoft 365. In Microsoft Teams, you can propagate ABP scoping so that chat look ups, @mentions and the people picker respect your segmented GALs:

 

  1. Sign in to the Teams Admin Center with a Teams Service Administrator role.
  2. Navigate to Teams > Teams settings > Search by name.
  3. Turn on “Scope directory search using an Exchange address book policy”.

 

Within a few hours, Teams people search, chat look-ups and meeting invitations will honour your ABPs so Contoso staff no longer see Fabrikam colleagues in their directory. Remember to test across desktop, web and mobile clients, as propagation timing can vary.

 

Beyond Teams, many organisations leverage Planner, SharePoint, OneDrive and Power Platform. While these services don’t natively enforce ABPs, you can approximate segmentation by:

 

  • Dynamic Microsoft Entra ID groups that mirror your ABP filters (e.g. CustomAttribute1 –eq ‘Contoso’) for SharePoint and Planner permissions.
  • Power Automate flows that intercept sharing requests and validate recipient tags before granting access.
  • Custom Graph API filters in provisioning scripts to restrict group creation and membership to the same ABP.

 

For Viva Engage, employ security groups and administrative unit scoped policies in Microsoft Entra ID so that communities auto-populate only with correctly tagged users. A brief proof-of-concept helps uncover any integration gaps and informs / validates your rollout timeline.

Governance: Keeping Your Directory Healthy

A reliable ABP deployment is not a “set and forget” exercise – it demands a structured governance model encompassing onboarding, offboarding, drift detection and change control.

Automated User Lifecycle Management

Integrate your HR or identity-management system to map each new employee’s “DivisionCode” into a Microsoft Entra ID extension attribute (synchronised as CustomAttribute1 in Exchange Online). Embed ABP assignment into your provisioning scripts so that mailboxes arrive correctly scoped on day one.

 

On the flip side, your leaver process must clear the attribute and ABP, then disable the mailbox:

Set-Mailbox -Identity $UPN '
-AddressBookPolicy $null

Set-Mailbox -Identity $UPN '
-CustomAttribute1 $null

Disable-Mailbox -Identity $UPN

This prevents stale objects from cluttering your OAB and polluting directory views.

Drift Detection & Continuous Auditing

Schedule a daily or weekly automated scan using Exchange Online PowerShell or Microsoft Graph, to flag mailboxes whose CustomAttribute1 mismatches their SMTP domain or ABP assignment. Generate a Policy Drift Report (CSV or HTML) and surface it in your IT dashboard (e.g. Power BI) so operations staff can remediate before users report issues.

Change-Control & Documentation

Store all scripts, runbooks and policy definitions in a version-controlled repository (Azure Repos or GitHub Enterprise). Maintain a living Governance Guide that defines:

 

  • Naming conventions (e.g. ABP_<Division>, GAL_<Division>)
  • Approval workflows for policy creation or modification, including sign-off from compliance and departmental heads
  • Emergency rollback procedures in case of misconfigurations
Delegated Administration with Microsoft Entra ID Administrative Units

Leverage Administrative Units in Microsoft Entra ID to grant scoped management permissions. Assign local IT or academy leads the minimal roles needed to update CustomAttribute1 and ABP assignments for their own school or organisation – minimising the risk of accidental tenant-wide changes. Regularly review administrative unit assignments (at least quarterly) to ensure only current, authorised personnel retain access.

Conclusion & Call to Action

Address Book Policies transform your Microsoft 365 tenant’s Global Address List from a sprawling, chaotic directory into a finely segmented, domain or academy centric experience. For education trusts, this reinforces safeguarding and data-protection by preventing cross-academy data leakage. For multi-domain businesses, it secures sensitive M&A information and financial records within proper silos.

By combining clear PowerShell implementation patterns, expanded security and compliance benefits, Teams-wide scoping and a robust governance framework complete with Microsoft Entra ID Administrative Units, you will deliver a seamless, secure directory experience.

Leave a Reply

Mark Tonks
aka. SharePointMark

Microsoft Solution Architect, Senior Project Manager, and Mental Health Advocate

Mark Tonks
Business Links