I am a little confused by the offline address book configuration with 2013 multi-tenant vs the 2010 multi-tenant. With 2010 we were removing "Authenticated Users" from having access and adding a security group for the company.
Is this still the same case with 2013? Remove Authenticated Users from having read access and then add a security group for the customer that needs access to that particular offline address book?