Filtering Users and Groups using Azure AD Connect




Microsoft’s Azure AD Connect allows you to sync your on-prem AD to your Azure AD / Office 365. If you leave all the settings at their defaults, AD Connect will happily sync all of your AD objects. This is fine for some, but many large organisations do not want to sync their entire environment. There are options to filter objects by selecting specific OUs, but sometimes this isn’t granular enough. Another option is to select a group and filter based on its membership, but this is considered “pilot” mode and should not be used in a production environment. Personally, this is my preferred method: it’s easy to set up, and you can add or remove users and groups from this “sync” group whenever you wish. But who am I to argue with Microsoft.

So if filtering by OU isn’t an option, and you don’t want to go against Microsoft’s “best practice”, what other options do you have?

Well, you need to use the “Synchronization Rules Editor”.

The rules editor allows you to create filter rules that either filter in or filter out the AD objects you want to sync.

In the example below I will show you how to filter out Users and Groups from syncing.

The rules editor uses the AD attributes of the object to determine whether or not to sync it. By attributes, I mean the values you see on the object’s Attribute Editor tab in Active Directory Users and Computers.


If you have Exchange in your environment then you will have extensionAttribute1 through extensionAttribute15 in your schema. I tend to use these attributes, but you may decide to use any attribute that suits you.

OK, so what I want to achieve is to only sync the users or groups that have the extensionAttribute1 set to “Sync to Azure”. Any object without this value will not get synced.

First, let’s modify the attribute for one user and one group.

Open AD Users and Computers and click View, and make sure the Advanced Features option is ticked. Without this option you won’t see the attributes tab.


Find a test user and open the properties, then click on the Attribute Editor tab.

Scroll through and find extensionAttribute1, then click Edit. Set the value to “Sync to Azure”.


Repeat the process for a Group.
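If you would rather stamp the attribute from PowerShell, and preview which objects the rules will keep or filter before you build them, the following added example does both (it is not from the original post). It assumes the ActiveDirectory RSAT module and a domain-joined admin session; $TestUser and $TestGroup are placeholders for your own test objects.

```powershell
# Added example: tag one test user and one test group with the filtering value,
# then report how many objects in the domain carry it.
Import-Module ActiveDirectory

$Tag       = 'Sync to Azure'   # the value the sync rules compare against
$TestUser  = 'jdoe'            # placeholder sAMAccountName of the test user
$TestGroup = 'Azure-Pilot'     # placeholder name of the test group

# -Replace writes the attribute whether or not it already holds a value.
Set-ADUser  -Identity $TestUser  -Replace @{ extensionAttribute1 = $Tag }
Set-ADGroup -Identity $TestGroup -Replace @{ extensionAttribute1 = $Tag }

# Pull every user and group with the attribute so we can preview the filter.
$Users  = Get-ADUser  -Filter * -Properties extensionAttribute1
$Groups = Get-ADGroup -Filter * -Properties extensionAttribute1

$Sets = @(
    @{ Kind = 'Users';  Objects = $Users  },
    @{ Kind = 'Groups'; Objects = $Groups }
)

foreach ($Set in $Sets) {
    # Exactly-tagged objects are the ones the rules let through.
    $Tagged   = @($Set.Objects | Where-Object { $_.extensionAttribute1 -ceq $Tag })
    # No value at all: these will be filtered.
    $Untagged = @($Set.Objects | Where-Object { -not $_.extensionAttribute1 })
    # A value is present but differs from the tag (case-sensitive compare surfaces
    # near-misses such as 'sync to azure' for review before the first sync).
    $Mismatch = @($Set.Objects | Where-Object {
        $_.extensionAttribute1 -and ($_.extensionAttribute1 -cne $Tag)
    })

    $Summary = '{0}: {1} tagged, {2} without a value, {3} with a different value' -f `
        $Set.Kind, $Tagged.Count, $Untagged.Count, $Mismatch.Count
    Write-Output $Summary

    if ($Mismatch.Count -gt 0) {
        $Mismatch | Select-Object Name, extensionAttribute1 | Format-Table -AutoSize
    }
}
```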

OK, now that we’ve set the attribute on both a user and group object, launch the Synchronization Rules Editor.


We will now create two rules, one to filter users, and another to filter groups.

Ensure the Direction is set to Inbound and click the Add new rule button.

Give the rule a descriptive name and provide a description. I suggest something useful so when you come back in 3+ months it will make sense to you.

  1. Set the Connected System to your domain.
  2. Set the Connected System Object Type to User.
  3. Set the Metaverse Object Type to Person.
  4. Set the Link Type to Join.
  5. Set the Precedence to 50 (or any value lower than the lowest precedence already in use; if you haven’t created any other rules, 50 will be fine).
  6. Click Next.


Click the Add Group button, and then the Add Clause button.


Set the Attribute to the attribute you selected as the “filtering attribute”. In our example, it’s extensionAttribute1.

Set the Operator to NotEqual.

Enter the value to look for, which in our example is “Sync to Azure”.

Click Next.


Click Next on the Join Rules window, as it’s not used with this rule.


In the Transformations section, click Add transformation.

  1. Set the FlowType to Constant.
  2. Set the Target Attribute to cloudFiltered.
  3. In the Source field, enter true.
  4. Leave all other settings as they are and click Add.


The new rule should now appear at the top of the list.


OK, so that’s the Users rule done. Let’s move onto the Groups rule.

The groups rule is a little trickier, so instead of trying to create it from scratch, we’ll use the existing one.

Select the In from AD – Group Join rule and click Edit.


Click Yes to the message: this disables the existing rule and creates a copy for us to work with.


Give the rule a name and description.

Set the Precedence to 55.

Click Next.


In the Scoping Filter section, select both of the existing clauses and click Remove Clause.


Once all the Clauses have been removed, click Add Clause.


Set the Attribute to the attribute you selected as the “filtering attribute”. In our example, it’s extensionAttribute1.

Set the Operator to Equal (with the user rule we set it to NotEqual, but here we use the Equal operator).

Enter the value “Sync to Azure”, or whatever value you are using.

Click Next.

In the Join rules, ensure the Source Attribute is set to objectGUID and the Target Attribute is sourceAnchorBinary.

Click Next.


Leave the settings as default in the Transformations window and click Save.


If you receive an expression warning, click Yes to continue saving the rule.

You should now have two rules in your rule set.


OK, now that we’ve made our rules, we need to kick off a full sync.

Open a PowerShell console and run: Start-ADSyncSyncCycle -PolicyType Initial
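Before kicking off the full cycle it is worth confirming the rule set looks the way the steps above intended. The added example below (not from the original post) lists the inbound rules, checks that the cloned group rule outranks the default one it replaced and that the default is disabled, and only then starts the sync. It assumes the ADSync module on the AD Connect server; the two custom rule names are placeholders for whatever you named yours.

```powershell
# Added example: sanity-check the inbound sync rules, then run the initial cycle.
Import-Module ADSync

$UserRuleName     = 'In from AD - User Filter extensionAttribute1'   # placeholder
$GroupRuleName    = 'In from AD - Group Join extensionAttribute1'    # placeholder
$DefaultGroupRule = 'In from AD - Group Join'                        # built-in rule

# Lower precedence number = evaluated first; custom rules should sit below 100.
$Inbound = Get-ADSyncRule | Where-Object { $_.Direction -eq 'Inbound' } | Sort-Object Precedence
$Inbound | Select-Object Precedence, Name, Disabled | Format-Table -AutoSize

$UserRule    = $Inbound | Where-Object { $_.Name -eq $UserRuleName }
$GroupRule   = $Inbound | Where-Object { $_.Name -eq $GroupRuleName }
$DefaultRule = $Inbound | Where-Object { $_.Name -eq $DefaultGroupRule }

$Problems = @()
if (-not $UserRule)  { $Problems += "User filter rule '$UserRuleName' not found" }
if (-not $GroupRule) { $Problems += "Group rule '$GroupRuleName' not found" }

# The edited copy must take precedence over the original, and the editor should
# have disabled the original when it created the copy.
if ($GroupRule -and $DefaultRule -and ($GroupRule.Precedence -ge $DefaultRule.Precedence)) {
    $Problems += "Group rule precedence $($GroupRule.Precedence) is not lower than the default rule's $($DefaultRule.Precedence)"
}
if ($DefaultRule -and -not $DefaultRule.Disabled) {
    $Problems += "Default rule '$DefaultGroupRule' is still enabled"
}

if ($Problems.Count -gt 0) {
    $Problems | ForEach-Object { Write-Warning $_ }
    return   # fix the rules before syncing
}

# Rules look right: the initial (full) cycle applies the filters to every object.
Start-ADSyncSyncCycle -PolicyType Initial
```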

Once the sync finishes, log into the Azure or 365 portal and have a look under the Users and Groups sections.

As you can see, only my two test users have been synced.


And in the groups, only my two test groups are synced too.

