tl;dr
Really? I need to shorten an already short post? Well, you’re welcome Generation-Y.
- New Azure AD Connect user filter
- Inbound rule
- Leverages ADDS attribute: adminDescription
- Add in a value with a prefix of User_ or Group_ to filter out that object
***
Azure AD Connect, like previous versions of the directory synchronisation application, is able to filter the users, groups or contacts that are synchronised to Azure AD / Office 365 through a number of methods. The Microsoft Azure documentation page on Azure AD Connect sync filtering outlines this and explains the various methods available to filter out objects. The filter options include:
- domain based filtering
- organisational unit filtering
- filtering by group membership
- filtering by a certain attribute
In numerous customer sites that I’ve worked with, or even deployed AADConnect at, a handy approach was also to create a manual filter based on a CustomAttribute or CustomExtensionAttribute. This usually went along the lines of: if the attribute contained a word or phrase like “DoNotSync”, that user would be filtered out. This is most certainly handy when you have multiple forests synced with Azure AD and want to filter out a user that has a secondary account in your second forest. It is often required when group based or organisational unit filtering is hard to maintain due to large object counts.
Change in Azure AD Connect
A few months back though, an update to Azure AD Connect added this user based filter functionality “out of the box”. I came across this when working at a client’s site where the attribute “adminDescription” was being used for a custom purpose. This customer upgraded Azure AD Connect and found a fault with their custom rule. So, what happened?
AADConnect now has an INBOUND rule: when the attribute “adminDescription” in Active Directory has a value set with a prefix of User_ or Group_, the object is filtered out and not synced into the metaverse.
An example value would be “User_DoNotSync” for a user or “Group_DoNotSync” for a group.
Sidebar – there’s two types of AADConnect rules: Inbound and Outbound. Inbound rules sync data from Active Directory to the metaverse and Outbound rules sync data from the metaverse to Azure AD.
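As an added example (not from the original post), the following PowerShell shows the two things a practitioner will want around this rule: an audit of which objects already carry an adminDescription value with a User_ or Group_ prefix before upgrading AADConnect (the situation that broke the client’s custom rule above), and setting or clearing the attribute to exclude or re-include an object. It assumes the RSAT ActiveDirectory module and rights to read and write adminDescription; the account and group names are constructed, and the final delta sync command assumes you are on the AADConnect server with its ADSync module loaded.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module; object names below are constructed placeholders.
Import-Module ActiveDirectory

# 1. Pre-upgrade audit: any user or group whose adminDescription already starts
#    with User_ or Group_ will stop syncing once the built-in inbound rule is
#    in place. Surface those before the upgrade so nobody is surprised.
$inUse = Get-ADObject -LDAPFilter '(adminDescription=*)' `
    -Properties adminDescription, objectClass |
    Select-Object Name, objectClass, adminDescription

$willBeFiltered = $inUse | Where-Object {
    $_.adminDescription -like 'User_*' -or $_.adminDescription -like 'Group_*'
}
Write-Host "Objects that the adminDescription rule will exclude from sync:"
$willBeFiltered | Format-Table -AutoSize

# 2. Exclude a service account (the SQL_Service case raised in the comments).
Set-ADUser -Identity 'SQL_Service' -Replace @{ adminDescription = 'User_DoNotSync' }

# 3. Exclude a group with the Group_ prefix (constructed group name).
Set-ADGroup -Identity 'Legacy-App-Admins' -Replace @{ adminDescription = 'Group_DoNotSync' }

# 4. Verify what is now set on the object.
Get-ADUser -Identity 'SQL_Service' -Properties adminDescription |
    Select-Object Name, adminDescription

# 5. To bring an object back into scope, clear the attribute again.
#    (Commented out so the script above is exclude-only when run as-is.)
# Set-ADUser -Identity 'SQL_Service' -Clear adminDescription

# 6. On the AADConnect server, run a delta sync so the change takes effect.
# Start-ADSyncSyncCycle -PolicyType Delta
```

Anything the audit in step 1 lists is an object that was using adminDescription for some other purpose and will silently drop out of Azure AD after the upgrade; either move that data to another attribute or accept the exclusion before running the upgrade.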
Final words
It’s not every project that I work with the same technology. Part of the charm and one of the positives of working at Kloud is that there’s opportunity to work across multiple public clouds like Azure, Office 365 or AWS. I say it’s been a good day if you learn something new that day. I firmly believe in always learning or trying to learn. Always! Never stop! So, coming across this was a great find and a trivial piece of luck, having come across the client and project I happen to be working on. Timing is everything.
I would recommend putting steps in place to move away, as much as possible, from custom filters used for user or group filtering, and leverage the now built-in filter via the attribute adminDescription.
The more standard the deployment, the easier it is to manage, monitor, upgrade and/or maintain moving forward.
Best
Nice post! I came across this when having to sync a large AD to a tenant.
Do you know if there is any way to set an ADConnect to sync users even when “User_DoNotSync” is present?
Jakob, as long as adminDescription does not have anything set in that attribute, then the “User_ ….” exclude process does not run. Either that, or review the sync rules editor and remove that altogether if you don’t want it to filter out objects.
How to edit adminDescription for particular service account? For Example: my service account name is SQL_Service, then how can I filter this account not to sync with O365?
You do that in Active Directory. Find the attribute “adminDescription” associated with your SQL_Service user, then add in a value like “User_DoNotSync”. Then it will be filtered out.
Excellent! Thanks!
You mean, just open this account’s properties using Active Directory Users and Computers and add the User_DoNotSync value in description, or modify this using ADSI Edit? Please clarify.
Yes, simply add “User_DoNotSync” to the attribute “adminDescription”.