Hide Office 365 Group Members and Groups from GAL to Protect Sensitive Data.
Office 365 has been rolling out many beneficial features like scheduling Teams chat messages, a new search feature, shared channels, and more. Amid the buzz of welcoming new features, we also have to ensure that existing ones are utilized efficiently.
As part of this, I was asked, “What is this hidden membership in MS Groups? What does it actually mean?” Though this has been in use for years and has had many questions answered, I could no longer find clear, detailed pros and cons regarding this hidden membership in modern groups! Hence, this blog is here to answer all your whys and whats on hidden memberships in Office 365.
What is Hidden Membership in Office 365?
When a Microsoft group is created, its details and members’ information are automatically added to the Global Address List (GAL). Consequently, everyone in the organization can search for and view the group and its members in the GAL, irrespective of the group type (Public or Private).
This may not seem serious, but it is! It is sometimes inappropriate to reveal details about group members. This is where “Hidden Membership” comes to the rescue.
Hidden membership is a privacy type for Office 365 Groups and distribution lists. Its main purpose is to hide the group’s members from non-members of the group.
Note: While creating a group with the “Hidden Membership” type, you need to set the Access Type to “Private,” because only private groups can be marked with hidden membership.
How to Hide Group Members in Office 365?
Unfortunately, Office 365 has no way to hide group members using the admin center. Although the option hasn’t been exposed in the user interface yet, you can hide group members using PowerShell.
First, connect to Exchange Online PowerShell, then enable hidden group membership with the -HiddenGroupMembershipEnabled parameter of the New-UnifiedGroup cmdlet.
New-UnifiedGroup -DisplayName "Example" -Members "[email protected]","[email protected]","[email protected]" -AccessType "Private" -HiddenGroupMembershipEnabled
Once you set it up, the group’s privacy type will appear as “Hidden Membership” in the Office 365 admin center. Furthermore, if you create a group with this type, Teams won’t be added to it; you have to manually “Add Teams”.
The New-DistributionGroup cmdlet also supports the -HiddenGroupMembershipEnabled parameter, so you can hide distribution list members as well. To hide mail-enabled security groups, you can follow the steps to hide groups from the GAL.
Additionally, you can create an MS Team with the group members hidden from the start. This will automatically create the group associated with it.
New-Team -DisplayName "Sample Hidden Team" -Visibility HiddenMembership
How to Hide Users and Groups from Global Address List (GAL)?
Usually, an organization has various groups in its Office 365 environment. For security purposes, admins should hide users and groups from the GAL.
You can also hide any user or group from the organization address book using the Exchange admin center. Navigate to the EAC and follow the steps below to hide users and groups from the GAL.
You can also perform this operation using PowerShell. The following cmdlet hides a group from the global address list:
Set-UnifiedGroup -Identity "collaboration" -HiddenFromAddressListsEnabled $true
Hiding a group from the GAL has the following effects:
- Users can’t search for this group on the Outlook desktop and Outlook web.
- Also, users cannot discover this group using the “Discover Groups” option.
Also, you can hide users from the GAL using the Set-Mailbox cmdlet.
Set-Mailbox -Identity Ricky -HiddenFromAddressListsEnabled $true
Pros of Hiding Group Members in Office 365:
By default, guests (external users) cannot see the membership of any groups they are a member of in Outlook and Outlook Web. However, your organization’s users can discover members of private groups in the Global Address List.
For example: If you’re working on a confidential project and don’t want everyone in the organization to know who belongs to a specific group, you can create the group with its members hidden using the -HiddenGroupMembershipEnabled parameter.
Thus, it aids in preventing the disclosure of sensitive information.
Cons of Hiding Group Members in Office 365:
The downsides of hidden membership are:
- You can set the “Hidden Membership” type only at the time of creation. You can’t change the privacy setting of an existing group to “Hidden Membership”.
- Also, if you had already created a group with the type set to hidden membership, you cannot revert it to other types.
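Because membership hiding cannot be turned on or off after creation, it helps to know which existing groups expose their member list or appear in the GAL. The following is an added example, not part of the original post: Get-GroupExposure is a hypothetical helper, the sample groups are constructed, and the property names are the ones returned by Get-UnifiedGroup.

```powershell
# Added example: classify Office 365 groups by GAL and membership exposure.
# Get-GroupExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-GroupExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        $membersHidden = [bool]$Group.HiddenGroupMembershipEnabled
        $galHidden     = [bool]$Group.HiddenFromAddressListsEnabled
        # Membership hiding is fixed at creation time, so an exposed member
        # list cannot be corrected in place; GAL visibility can be.
        $action = if ($membersHidden -and $galHidden) {
            'None'
        } elseif ($membersHidden) {
            'Optional: Set-UnifiedGroup -HiddenFromAddressListsEnabled $true'
        } elseif ($Group.AccessType -eq 'Private') {
            'Members visible: new group with -HiddenGroupMembershipEnabled needed'
        } else {
            'Public group: hidden membership requires AccessType Private'
        }
        [pscustomobject]@{
            DisplayName   = $Group.DisplayName
            AccessType    = $Group.AccessType
            MembersHidden = $membersHidden
            HiddenFromGAL = $galHidden
            Action        = $action
        }
    }
}

# Constructed sample data (not real tenant output) so the logic runs offline.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Project Falcon'; AccessType = 'Private'; HiddenGroupMembershipEnabled = $true;  HiddenFromAddressListsEnabled = $true  }
    [pscustomobject]@{ DisplayName = 'Legal Review';   AccessType = 'Private'; HiddenGroupMembershipEnabled = $true;  HiddenFromAddressListsEnabled = $false }
    [pscustomobject]@{ DisplayName = 'HR Cases';       AccessType = 'Private'; HiddenGroupMembershipEnabled = $false; HiddenFromAddressListsEnabled = $false }
    [pscustomobject]@{ DisplayName = 'All Hands';      AccessType = 'Public';  HiddenGroupMembershipEnabled = $false; HiddenFromAddressListsEnabled = $false }
)
$sample | Get-GroupExposure | Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline):
# Get-UnifiedGroup -ResultSize Unlimited | Get-GroupExposure |
#     Where-Object Action -ne 'None'
```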
Summing up, hidden memberships are like a one-way path. You can only get in there, and there is no way to step back out of it! I hope this has clarified what hidden memberships in Office 365 are and their flaws. Feel free to reach out in the comments section if you have any further queries.