Latest version of AADC in use with group writeback enabled. After AADC creates the O365 Groups in AD, I run update-recipient on the group to give it mail attributes so it can be used by on-prem mail users.
I've created Office 365 Groups and hidden them from the GAL using Set-UnifiedGroup "group@domain.com" -HiddenFromAddressListsEnabled $True and this works to hide the O365 Group from cloud mailboxes in O365.
The problem is that on-prem mailboxes are still able to see the Office 365 Group in the GAL. If I modify the group in AD and set msExchHidefromAddressLists to TRUE then on-prem users no longer see the O365 Group in the GAL, BUT, on the next AADC Sync, the msExchHidefromAddressLists attribute is overwritten and set back to <not set>.
In reviewing sync rules, the Inbound rule named "Out to AAD - Group SOAinAAD" does NOT include msExchHidefromAddressLists in the transformations, so this attribute is never getting into the metaverse for any O365 Group objects. To try and address this issue I modified a custom version of this rule and added a transformation for msExchHidefromAddressLists and did a full sync, but this attribute never comes into the Metaverse on O365 Group objects. I've tried a number of different ways to make this work but none do.
This seems like some kind of bug, as there is an Outbound rule named "Out to AD - Group SOAinAAD" that includes the msExchHidefromAddressLists attribute in it. This implies MSFT intends for this setting to push from AAD to AD, but since the Inbound rule doesn't have this attribute (nor can I get it to work by manually adding it), the "hide in GAL" setting of an O365 Group set in the cloud can never come down to AD.
Is there some way to resolve this so the msExchHideFromAddressLists attribute can be sync'd in from Azure AD as part of group writeback?