In this post I want to explain how to configure your Exchange 2016 address book environment for multiple tenants. The goal is to host multiple groups of people (let’s call them customer groups) and give them their own address book environment. It is important that these customer groups don’t see each other because this might be sensitive information.

Since Exchange 2010 SP2 we can use address book policies to configure GAL segregation and that’s what where going to do here. When I’m writing this there is no specific documentation yet for Exchange 2016 but we did ask the Microsoft Exchange blog and got a reply: I have verified that the instructions from 2013 do in fact apply to 2016. We are working to update the documentation accordingly, I expect that to be done sometime soon in CY2016.

That’s nice to hear. The first thing we have to do is enable the Address Book Policy Routing agent this is a requirement to work with address book policies (ABP’s). The installation is really straightforward, run the following commands on the exchange servers:

Install-TransportAgent -Name “ABP Routing Agent” -TransportAgentFactory “Microsoft.Exchange.Transport.Agent.AddressBookPolicyRoutingAgent.AddressBookPolicyRoutingAgentFactory” -AssemblyPath $env:ExchangeInstallPath\TransportRoles\agents\AddressBookPolicyRoutingAgent\Microsoft.Exchange.Transport.Agent.AddressBookPolicyRoutingAgent.dll

Enable-TransportAgent “ABP Routing Agent”

Restart-Service MSExchangeTransport

Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

The last command is only needed once, after this we need to wait up to 30 min for the agent to evaluate the organization. For more information:

Then the address list segregation for the Multi-Tenancy itself. To isolate a customer group in a ABP we will use the “Department” variable under the organization details of the user. There are more variables that you can use but the Department can be changed for several users at the same time in the Active Directory Users and Computers (ADUC) GUI. In this example we will have an OU with a customer group and we want to bind them to a ABP with the “Department” variable of 123456. We make two test users and select them both in the ADUC, select properties and then set the department variable:

blog image

The next thing we do is create mailboxes for both users. Now we can construct our ABP. We have to do this in powershell so start the Exchange Management shell on one of the Exchange servers. Each ABP needs an AddressLists, OfflineAddressBook, GlobalAddressList and a RoomList. We will start with the Roomlist and create an empty one that we can reuse:

New-AddressList -Name AL_BlankRoom -RecipientFilter {(Alias -ne $null) -and ((RecipientDisplayType -eq ‘ConferenceRoomMailbox’) -or (RecipientDisplayType -eq ‘SyncedConferenceRoomMailbox’))}

Now the AddresList, we will name it 123456_AL:
New-AddressList -Name “123456_AL” -RecipientFilter {((RecipientType -eq ‘UserMailbox’) -and (Department -eq “123456”))}

Now the GlobalAddressList named 123456_GAL:
New-GlobalAddressList -Name “123456_GAL” -RecipientFilter {((RecipientType -eq ‘UserMailbox’) -and (Department -eq “123456”))}

And the OfflineAddressBook, 123456_OAB:
New-OfflineAddressBook -Name “123456_OAB” -AddressLists “123456_GAL”

Now we all the requirements to set the APB, that we will call…. 123456_ABP:
New-AddressBookPolicy -Name “123456_ABP” -AddressLists “123456_AL” -OfflineAddressBook “\123456_OAB” -GlobalAddressList “\123456_GAL” -RoomList “\AL_BlankRoom”

Now that the APB is set up we want to apply it to our two test users:
Get-User -Filter “Department -eq ‘123456’” | Set-Mailbox -AddressBookPolicy “123456_ABP”

And we log into the webmail to test the result:

blog image 2

Now we have established that the Exchange 2013 way using APBs is indeed usable in Exchange 2016. For further reading look to:

Categories: Exchange

Comments are closed.