
What is GAL Segmentation

GAL segmentation allows one to create an appearance of hosting multiple independent email organizations within the same Office 365 tenant. Administrators can create multiple address books and global address lists and filter them to only the specific contacts/mailboxes/groups. This makes it possible to lock down any given user to viewing contact details only of the employees they are supposed to see, creating an impression that the user is in a different Exchange / Office 365 organization.

Configure Prerequisites

Before we can jump into setting up GAL objects and policies, we need to grant ourselves permission to manage address lists in Office 365 (this permission is not enabled by default). We also need to enable Address Book Policy Routing in Exchange Online.

Also, and this is important, check to make sure that you have either an Enterprise (E) or an Educational (A) Office 365 subscription level. Address book policy routing is currently not supported on lower subscription levels, and the instructions in this article will not work there.

Step 1: Grant Permissions to Manage Address Lists

1. Log into portal.microsoftonline.com using a global administrator Office 365 account
2. In the top menu bar, click on Admin and then Exchange
3. You are now in the Exchange Admin Center (EAC)
4. On the left, click Permissions
5. Click on the plus sign to add a new Role Group
   A. Name: Address List Management
   B. Roles: add the Address List role
   C. Members: add your global admin account as a member
   D. Save the role group

Note: the steps above grant you access to the New-GlobalAddressList and New-AddressList cmdlets that will be used later in this article. If you cannot see the Address List role, check your Office 365 subscription level and make sure that it is Enterprise or Education level. The Address List role does exist in Exchange Online, but by default it is not assigned to anyone, so nobody has GAL/address book management permissions.

Step 2: Connect to Exchange Online PowerShell and Enable Address Book Policy Routing

This step can be done on one of your ADFS farm servers that has the Windows Azure Active Directory PowerShell module (WAAD PoSh) installed. Launch the WAAD PowerShell as Administrator (elevate if you have UAC enabled).

Set-ExecutionPolicy RemoteSigned

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential (Get-Credential) -Authentication Basic -AllowRedirection

Import-PSSession $session

This connects you to an Exchange Online PowerShell session.

To view the current ABP routing setting:

Get-TransportConfig | fl AddressBookPolicyRoutingEnabled

At this point, let's go ahead and enable ABP routing in Exchange Online:

Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

Re-run the Get-TransportConfig cmdlet to confirm that address book policy routing now shows as enabled.

Note: if you get an error stating that the Enable-OrganizationCustomization cmdlet has not been run, execute it (without any parameters) and give it half an hour before reconnecting to Exchange Online and trying the ABP routing operation again.

Configure GAL Segmentation Based on Group Membership

Group membership-based address lists and global address lists rely on MemberOf attribute filtering. For the next series of steps you need to be connected to both Exchange Online AND the Office 365 tenant, because some of the commands need one and some the other. So, continuing from Step 2 above where we connected to Exchange Online, we will now also link up to the MSOL service:

Connect-MsolService

Next we need to add the users we want to separate from the others to a distribution group, and get the distinguished name of that distribution group. In this example, we created a group named Test.Group:

$dn = (Get-DistributionGroup Test.Group).distinguishedName

If you care to see how this DN looks on the Microsoft side, type $dn and hit enter. Next,
create a new address list for resource mailboxes:

New-AddressList -Name "Test.Resources" -RecipientFilter "RecipientDisplayType -eq 'ConferenceRoomMailbox' -and memberOfGroup -eq '$dn'"

Pay special attention to the apostrophes and double quotes: the outer double quotes let PowerShell expand $dn, while the inner single quotes keep the expanded DN as a string literal inside the filter. Next we create a new address list of user mailboxes:

New-AddressList -Name "Test.Mailboxes" -RecipientFilter "RecipientType -eq 'UserMailbox' -and memberOfGroup -eq '$dn'" -DisplayName "Test Mailboxes List"

Let's create a new Global Address List and Offline Address Book now:

New-GlobalAddressList -Name "Test.Gal" -RecipientFilter "MemberOfGroup -eq '$dn'"

New-OfflineAddressBook -Name "Test.Oab" -AddressLists "Test.Gal"

Finally, we are going to tie these lists together into a single address book policy object:

New-AddressBookPolicy -Name "Test.Abp" -AddressLists "Test.Mailboxes" -OfflineAddressBook "\Test.Oab" -GlobalAddressList "\Test.Gal" -RoomList "\Test.Resources"

All address book objects are now in place; the last remaining step is to actually assign the address book policy to our user objects, which is what ultimately filters or segments their GAL views. There are a variety of ways to perform this assignment. The one provided here is by no means the only one or the most elegant, but it works. First, get the GUID of the Office 365 group that was used for address book filtering:

Get-MsolGroup

GUIDs are displayed in the left column. Find the one opposite Test.Group, the group used in the example above.

You have to have both the Exchange Online and Office 365 connections open in the same WAAD PowerShell session for the next step. Substitute GUID with the actual GUID; you don't need to put single or double quotes around the GUID for this to work.

Get-Mailbox -ResultSize unlimited | Where-Object {$_.ExternalDirectoryObjectId -in (Get-MsolGroupMember -GroupObjectId GUID).objectid} | Set-Mailbox -AddressBookPolicy "Test.Abp"

This command grabs the object IDs of all members of our test group, gets their associated mailboxes, and pipes them into the cmdlet that assigns the new address book policy. It's not the prettiest PowerShell command, but it does the trick, and it can be scheduled to run periodically so that newly created users who are members of Test.Group get the right GAL automatically.
To confirm that your assignment command worked successfully:

Get-Mailbox | fl displayName, AddressBookPolicy
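The scheduled assignment and the confirmation step above can be combined into one reconciliation pass. The script below is an added example, not code from the original article: it resolves the group's GUID by name instead of reading it off the Get-MsolGroup output, assigns Test.Abp to any group member whose mailbox still lacks it (such a member would otherwise keep seeing the full tenant GAL), and reports mailboxes that hold the policy without being members. It assumes both the Exchange Online and MSOL sessions from the article are open, and that Get-DistributionGroup exposes the group's directory object id as ExternalDirectoryObjectId and Get-Mailbox returns AddressBookPolicy as an object whose string form is the policy name (both assumptions).

```powershell
# Added example (not from the original article): reconcile Test.Abp assignments
# with Test.Group membership. Assumes the Exchange Online and MSOL sessions from
# the article are both open in this PowerShell session.
$GroupName  = "Test.Group"
$PolicyName = "Test.Abp"

# ABP routing from Step 2 must be on, or the segmented GAL is not enforced
if (-not (Get-TransportConfig).AddressBookPolicyRoutingEnabled) {
    Write-Warning "AddressBookPolicyRoutingEnabled is false; run Set-TransportConfig first"
}

# Resolve the group's GUID by name (assumption: ExternalDirectoryObjectId is populated)
$groupId = (Get-DistributionGroup -Identity $GroupName).ExternalDirectoryObjectId
if (-not $groupId) { throw "Could not resolve the directory object id of $GroupName" }

# Object ids of every direct member; a nested group's id simply never matches a mailbox
$memberIds = @(Get-MsolGroupMember -GroupObjectId $groupId -All |
               ForEach-Object { $_.ObjectId.ToString() })

$fixed = @(); $strays = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $isMember  = $memberIds -contains $mbx.ExternalDirectoryObjectId
    # Assumption: the string form of AddressBookPolicy is the policy name
    $hasPolicy = ([string]$mbx.AddressBookPolicy -eq $PolicyName)

    if ($isMember -and -not $hasPolicy) {
        # Member still sees the full tenant GAL: assign the segmented policy now
        Set-Mailbox -Identity $mbx.Identity -AddressBookPolicy $PolicyName
        $fixed += $mbx.DisplayName
    }
    elseif ($hasPolicy -and -not $isMember) {
        # Left the group but kept the policy: report it, do not change it silently
        $strays += $mbx.DisplayName
    }
}

"Assigned $PolicyName to $($fixed.Count) mailbox(es): $($fixed -join ', ')"
"Non-members still holding $PolicyName ($($strays.Count)): $($strays -join ', ')"
```

Run it from the same session in which Connect-MsolService and Import-PSSession succeeded; scheduling it replaces the one-line assignment command above with a pass that also surfaces stale assignments.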
