Filtering in Azure AD Sync (Part 3)
In this article we will work on setting up different type of filtering in Azure AD Sync to synchronize only the required users with office 365. Part 1 and Part 2 of this article series revolves around the prerequisites, installation and configure of Azure AD Sync tool. We’re already done with Azure AD Sync tool prerequisites and installation and now it’s time to setup filtering in Azure AD Sync tool.
Let’s get started with Part 3 of this series.
Azure AD Sync Filtering Types
Azure AD Sync tool support three types of filtering and you can choose the type of filtering based on your requirements.
- OU Based Filtering
- Domain Based Filtering
- Attribute Based Filtering
You can enable filtering in Azure AD Sync at any time. If you have already run the default configurations of directory synchronization and then configured the filtering, the objects that are filtered out are no longer synchronized to Azure AD. As a result, any objects in Azure AD that were previously synchronized but were then filtered are deleted in Azure AD. If objects were inadvertently deleted because of a filtering error, you can re-create the objects in Azure AD by removing your filtering configurations, and then synchronize your directories again.
OU Based Filtering
With organizational based filtering, you can explicitly specify which OU’s can synchronize with office 365. In our case I’ve only synchronized 2 OUs with office 365 “Users” & “Admin Users”. To setup OU filtering follow the steps .
- Log in to the Sync server using the local active directory service account for Azure AD Sync. In our case we’re using AAD@mstechtalk.com as service account and I’ve logged in to the server using AAD@mstechtalk.com.
- Browse to “C:Program FilesMicrosoft Azure AD SyncUIShell” and run “MIISClient”
- After running the client, Click on “Connectors” to modify the connectors for filtering
- Select on prem AD Connector and go to the properties –> Configure Directory Partition –> Containers. On prem connector type will always be “Active Directory Domain Services”
- Unchecked the OU’s which you don’t want to synchronize. By default all OU’s will be selected.
- Click Ok and close the MIISClient. OU filtering has been set.
Domain Based Filtering
At times, you need to work on multiple domains for large organization or with multiple business units. Scanerio’s comes when one of your business units move to office 365 and rest of the business units remains on their existing systems. Requirments like synchronizing users with only specific UPN/Domain can be achieved using Domain Based filtering. Using domain based filtering, you can specify which users can synchronize with office 365 based on their domain name. Steps to setup domain based filtering are as below.
- Run MIISClient –> Connectors –> On Prem Connector –> Properties
- Go to Configure Directory Partitions –> Select Directory Partition and select the domains which you want to synchronize with office 365. In our case, We’ve 2 domains installed in our lab (mstechtalk.com and contoso.mstechtalk.com) and we’re only synchronizing mstechtalk.com users with office 365. All other partitions and domains are unchecked.
We can apply all 3 type of filtering to synchronize the required users. Sometimes domain filtering does not clear up your Run Profile for other domains and you need to manually remove your run profile to complete the domain filtering.
Attribute Based Filtering
Attribute based filtering is used to synchronize on prem users with office 365 based on attribute field values.
There are several ways to configure filtering based on attributes. Configuration on inbound from AD is recommended since these configuration settings will be kept even after an upgrade to a newer version. Configuration on outbound to AAD is supported, but these settings will not be kept after an upgrade to a newer version and should only be used when it is required to look at the combined object in the metaverse to determine filtering.
- To setup inbound filtering, go to “Synchronization Rules Editor” on sync server. You can find the “Synchronization Rules Editor” in start menu on Windows Server 2012 R2.
- Make sure that Inbound Rule type is selected on the left side and click on Add New Rule
- Select Connected Systems (Source Forest), CS Object Type as user because we’re doing filtering based on users.
Name field represents the name of the rule, Connected System is the source such as the Active Directory forest. The Connected System Object Type is the type of AD object like user, groups, contacts etc. Link Type is the action which you want your rule to perform. It has 3 values or actions like Join, StickyJoin or Provisioned. Join action will merge or update the object. Provisioned action will create the object. Link Type option will be superseded by Join rule configured in a later step.
- Click Next. As we’re synchronizing those users with office 365 who has company field value of either Ms Tech Talk or Null. We do not need to configure anything in Scoping Filter and Join Rules. (This needs to be configured in more details based on your filtering).
- On the transformation screen, Add the value as “IIF(IsNullOrEmpty([company]),NULL,IIF([company]<>”MS Tech Talk”,”DoNotSync”,NULL))” and click on ADD button.
It is recommended to use Inbound Filtering. Outbound filtering is not recommended. More information on attribute based filtering can be found on Technet.
- To perform outboud filtering, run “Synchronization Rules Editor“
- Make Sure Rule type “Outbound” is selected.
- Click on Add Rule on the right hand side and provide the parameters for Connected Systems, CS Object Type and define the rules based on your rule.
Outbound filtering is recommended and used in Resource Forest / Account Forest topology. It is recommended to perform Full Sync after configuring filtering
If you want to read the other Parts in this series, then please go to: