As DirSync evolved to AAD Sync, and AAD Sync evolved to AAD Connect, there have been significant changes to the way we accomplish tasks with these tools.
With the recent release of Azure Active Directory Connect v 1.1, Microsoft has made several updates to how various aspects of the process of syncing your on-premises Active Directory accounts into Azure Active Directory. There have been some pretty significant changes in a couple of areas, with one of those being sync filtering. In this series of blogs posts, I’m going to walk you through the options and processes for filtering your sync jobs.
Why do I need to filter my sync jobs?
In its default configuration, AAD Connect will sync all accounts in your on-premises Active Directory forest into Azure Active Directory. For many Office 365 or Azure customers, this is a perfectly acceptable configuration. For some, however, there may be reasons why they would not want to sync all accounts.
Accounts may not sync because of conflicting attributes
Not wanting to sync service accounts for security reasons
Too many accounts for the 50,000 object limit
I’ve also seen customers who have other reasons for not wanting specific accounts to be synced into the cloud. Whatever your organizations reasons are, you have 3 different options for how you choose which accounts are synced or not.
What can I filter on?
With AAD Connect 1.1 you have three main options for what you can filter on.
Organizational Units (OU)
Active Directory Attributes
With these three options, you should be able to meet any sort of filtering scenario you can come up with. I say “should” because I am sure someone will come up with a filtering requirement that would call for some other filtering option. If that is you, leave a comment below and I’ll see what I can do to come up with a solution.
The three filtering options listed above are listed in order of easiest to implement to hardest. I would strongly recommend that you do not use attribute filtering if you can use OU filtering. You can setup filters on several (or all) of these choices at the same time, but again I think that is going to cause more problems than it solves in most cases so use that option with caution.
You can turn on or off filtering at any time, but you should be aware that when an object is filtered out Azure AD will treat it as if it was deleted. This, of course, can cause some serious issues with your Office 365 or Azure tenants if you are not careful.
How do I setup Domain Filtering?
For this article I’m going to assume you have installed AAD Connect 1.1 with the default settings. In a future article I may circle back and talk about the setting you can configure during installation (maybe a whole article on how to deploy AAD Connect with PowerShell commands).
After your installation is complete, go to the Synchronization Service Manager.
Click Connectors in the Tools menu.
Select the connector that has Active Directory Domain Services as a Type.
Click Properties on the action menu
Select Configure Directory Partitions and deselect the domains you don’t want to sync (the screenshot below only shows on domain)
Select OK to close the Properties dialog
Once you have those steps completed, you’re only half way there. You still need to update the run profiles. The steps below must be done for each run profile (Full Import, Full Synchronization, Delta Import, Delta Synchronization, Export)
Again, select the connector that has Active Directory Domain Services listed as the Type
Select Configure Run Profiles from the action menu on the right
Select the run profile you want to configure
Expand the Step if necessary
For any Partition attribute where the value is a GUID, highlight and select Delete Step (in the screenshot below I only have one domain and it is shown with the domain name, not a GUID)
Click OK to close the Configure Run Profiles dialog
OK, I’ve got domain filtering setup. What’s next?
There are two more types of filtering you can setup; OU filtering and attribute filtering. We’ll cover these two types of filtering in the next blog post.
If you have any questions, please leave a comment and I’ll try to work the answers into the next blog post.