Hide Members in Microsoft 365 Groups & Groups from GAL
Office 365 has been rolling out many beneficial features like scheduling Teams chat messages, a new search feature, shared channels, and more. Amid the buzz of welcoming new features, we also have to ensure that existing ones are utilized efficiently.
As part of this, I was asked what this “hidden membership in MS Groups” is. What does it actually mean? Though this has been in use for years and many questions about it have been answered, I could no longer find clear, detailed pros and cons regarding this hidden membership in modern groups! Hence, this blog is here to solve all your why’s and what’s on hidden memberships in Office 365.
When a Microsoft 365 group is created, its details and members’ information are automatically added to the Global Address List (GAL). Consequently, everyone in the organization can search for and view the group and its members in the GAL, irrespective of the group type (Public or Private).
Though this may seem minor, it’s not! It is sometimes inappropriate to reveal details about group members. This is where “Hidden Membership” comes to the rescue.
Hidden membership is a privacy type for Office 365 Groups and distribution lists. Its main purpose is to hide the group members from non-members of the groups.
Note: While creating a group with the “Hidden Membership” type, you need to set the Access Type to “Private”, because only private groups can be marked with hidden membership.
Unfortunately, Microsoft 365 has no way to hide the group members using the admin center. Although it hasn’t been exposed in the user interface yet, you can hide the group members using PowerShell.
First, make sure to connect to Exchange Online PowerShell, then enable hidden group membership using the -HiddenGroupMembershipEnabled parameter of the New-UnifiedGroup cmdlet.
New-UnifiedGroup -DisplayName "Example" -Members "[email protected]","[email protected]","[email protected]" -AccessType "Private" -HiddenGroupMembershipEnabled
Once you set it up, the group’s privacy type will appear as “Hidden Membership” in the Office 365 admin center. Furthermore, if you create a group with this type, Teams won’t be added to it; you have to manually “Add Teams”. To check Microsoft 365 groups with hidden membership enabled, use the below cmdlet.
Get-UnifiedGroup | Where-Object { $_.HiddenGroupMembershipEnabled -eq $true } | Format-Table DisplayName, HiddenGroupMembershipEnabled
The New-DistributionGroup cmdlet supports the -HiddenGroupMembershipEnabled parameter, so you can also hide distribution list members.
Key differences between Microsoft 365 groups & distribution lists: Unlike Microsoft 365 groups, which don’t support setting hidden membership for previously created groups, admins can hide the membership of existing distribution lists too! This provides greater flexibility in managing sensitive group details based on the situation.
To hide the membership of a distribution group that already exists, you can use the below cmdlet. You can also use this cmdlet to change the status of an existing hidden membership: the example passes $False, which makes the members of a hidden list visible again; pass $True to hide them. While you cannot revert hidden memberships in Microsoft 365 groups, you’ve got the option to revert ‘Hidden Membership’ enabled distribution lists and make them visible anytime.
Set-DistributionGroup -Identity [email protected] -HiddenGroupMembershipEnabled:$False
Now, to create a distribution group with hidden membership, use the below cmdlet.
New-DistributionGroup -Alias "ProjectConfidential" -Name "Confidential Documents" -DisplayName "Confidential Documents" -PrimarySmtpAddress [email protected] -HiddenGroupMembershipEnabled:$True
Likewise, to find the distribution lists with hidden membership, we can just swap in the ‘Get-DistributionGroup’ cmdlet in the earlier command.
Get-DistributionGroup | Where-Object { $_.HiddenGroupMembershipEnabled -eq $true } | Format-Table DisplayName, HiddenGroupMembershipEnabled
Tip: To hide mail-enabled security groups, you can follow the steps to hide groups from the GAL.
While hiding membership for existing distribution lists offers flexibility, wouldn’t it be ideal to create a Microsoft Team with hidden membership by default? The good news is, you can achieve this using the New-Team cmdlet with the -Visibility parameter set to HiddenMembership. When you run the below cmdlet, it creates a team with the group members hidden by default. This will automatically create a group associated with it.
New-Team -DisplayName "Sample Hidden Team" -Visibility HiddenMembership
This way, admins can establish secure Microsoft Teams environments where member details are kept confidential. This caters to scenarios where team membership might be sensitive or require controlled access.
Usually, an organization has various groups in its Office 365 environment. For security purposes, admins should hide users and groups in the GAL.
You can also hide any user or group from the organization address book using the Exchange admin center. Navigate to EAC and follow the below steps to hide users and groups from GAL.
You can also perform this operation using PowerShell. The following cmdlet can be used to hide the groups from the global address list by default:
Set-UnifiedGroup -Identity "collaboration" -HiddenFromAddressListsEnabled $true
Hiding a group from the GAL has the following effects:
- Users can’t search for this group on the Outlook desktop and Outlook web.
- Also, users cannot discover this group using the “Discover Groups” option.
Also, you can hide users from the GAL using the Set-Mailbox cmdlet.
Set-Mailbox -Identity Ricky -HiddenFromAddressListsEnabled $true
By default, guests (external users) cannot see the membership of any groups they are a member of in Outlook and Outlook on the web. However, your organization’s users can discover members of private groups in the Global Address List.
For example: If you’re working on a confidential project and don’t want everyone in the organization to know who belongs to a specific group, then you can create a group that hides its members with the -HiddenGroupMembershipEnabled parameter.
Thus, it aids in preventing the disclosure of sensitive information.
The downsides of hidden membership are:
- You can create a Microsoft 365 group with the “Hidden Membership” type only at the time of creation. You can’t change the privacy setting of existing Microsoft 365 groups into “Hidden Membership”.
- Also, if you have already created a Microsoft 365 group with the type set to hidden membership, you cannot revert it to other types.
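Because a Microsoft 365 group can only be recreated while a distribution list can be fixed in place, an audit has to report both visibility settings and the remediation path for each group. The following is an added example, not code from the original post: the function name Get-GroupExposure and the sample groups are constructed for illustration, and it assumes live objects carry RecipientTypeDetails = GroupMailbox for Microsoft 365 groups.

```powershell
# Added example: report membership/GAL visibility per group and name the fix path.
# Get-GroupExposure is a hypothetical helper, not an Exchange Online cmdlet.
function Get-GroupExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        $isM365        = $Group.RecipientTypeDetails -eq 'GroupMailbox'
        $membersHidden = [bool]$Group.HiddenGroupMembershipEnabled
        $galHidden     = [bool]$Group.HiddenFromAddressListsEnabled

        # Membership visibility can be changed in place only on distribution
        # lists; a Microsoft 365 group keeps the value it was created with.
        $fix = if ($membersHidden) {
            'None'
        } elseif ($isM365) {
            'Recreate with New-UnifiedGroup -HiddenGroupMembershipEnabled'
        } else {
            'Set-DistributionGroup -HiddenGroupMembershipEnabled:$True'
        }

        [pscustomobject]@{
            DisplayName   = $Group.DisplayName
            Type          = if ($isM365) { 'Microsoft365' } else { 'DistributionList' }
            MembersHidden = $membersHidden
            HiddenFromGAL = $galHidden
            MembershipFix = $fix
        }
    }
}

# Constructed sample objects mimicking the properties returned by
# Get-UnifiedGroup and Get-DistributionGroup (not real tenant data).
$sample = @(
    [pscustomobject]@{ DisplayName = 'Example'; RecipientTypeDetails = 'GroupMailbox'
        HiddenGroupMembershipEnabled = $true; HiddenFromAddressListsEnabled = $false }
    [pscustomobject]@{ DisplayName = 'collaboration'; RecipientTypeDetails = 'GroupMailbox'
        HiddenGroupMembershipEnabled = $false; HiddenFromAddressListsEnabled = $true }
    [pscustomobject]@{ DisplayName = 'Confidential Documents'; RecipientTypeDetails = 'MailUniversalDistributionGroup'
        HiddenGroupMembershipEnabled = $false; HiddenFromAddressListsEnabled = $false }
)
$sample | Get-GroupExposure | Format-Table -AutoSize

# Live tenant, after Connect-ExchangeOnline:
# @(Get-UnifiedGroup -ResultSize Unlimited) + @(Get-DistributionGroup -ResultSize Unlimited) |
#     Get-GroupExposure | Where-Object { -not $_.MembersHidden }
```

In the sample output, “collaboration” is hidden from the GAL but still exposes its members, and as a Microsoft 365 group it can only be fixed by recreating it.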
Summing up, hidden memberships in Microsoft 365 groups alone are like a one-way path. You can only get in there, and there is no way to step back out of it! I hope this has clarified what hidden memberships in Office 365 are and their flaws. Feel free to reach out in the comments section if you have any further queries.