Configure Filtering with AADSync

Updated on 28 August 2015

IMPORTANT: AAD Connect has replaced AADSync and DirSync. Reference: Azure Active Directory Sync

+++++

NOTE: On 16 April 2015, the latest version of AADSync was released, and is available here to download here.

NOTE: As of 27 October 2014, password synchronization is available with AADSync version 1.0.0470.1023 (refer to AAD Sync Version Release History).

Alright! Now that we know a little about Azure Active Directory Synchronization Services (AADSync), its requirements, and how to install and configure it, we are going to learn how to configure basic filtering with AADSync in this post. The end goal is to synchronize only the AD objects we need rather than all of them to Office 365.

If you hadn’t noticed by now, the default installation and configuration settings we used to implement AADSync (in my previous post) synchronized the entirety of our on premise AD user and group objects to the Office 365 account. This can create some confusion, frustration, and a lot of busy-ness that can be distracting to some administrators.

Filtering in AADSync can be a relatively simple task and for this post we will keep it simple by implementing organizational unit (OU) based filtering.

NOTE: This post supposes the OUs have been structured in such a way that the domain users and groups (all non-default objects) are consolidated into a handful of top-level OUs (which may include sub-OUs) and not the default OUs or containers. If not, I strongly recommend that you consider it for OU-based filtering.

As I understand it, the default synchronization configuration is domain-based filtering. By default, the top-level of the AD structure is selected along with all OUs and containers.

WARNING! Probably the most important thing we need to understand before proceeding is that though filtering can be configured at any time, if we have any users or groups previously synchronized to O365 (and they do not reside in our target OUs), it could be possible those O365 users will be “deleted”, as they will no longer by synchronized from the source (AD). I use the word deleted in “quotes” because the groups are removed from O365 but if there was a user account in O365 that was assigned a license, those licenses will be removed and the user (along with the associated mailbox) will be placed in the Deleted Users section of the Office 365 Admin Center. However, these users can be reinstated (undeleted) after the fact. But, please take care before to understand the on premise OU structure before proceeding,

First, we will stop the process that synchronizes the on premise AD objects to O365.

• Login to the AADSync server with an account that has been assigned as a member of the ADSyncAdmins local group. This will be the account we used to install AADSync.
• Open Task Scheduler to disable the scheduled task for Azure AD Sync Scheduler. Though not documented by Microsoft, it will be good not to have synchronization running while we are configuring filtering. This task will be enabled after we have completed the steps.

Second, we will configure our AD connector in the Synchronization Service (FIM) for filtering.

• Open the Synchronization Service Manager (e.g. Synchronization Service icon).
• Click on the Connectors tab, located just below the menu bar.
• Highlight and open the properties of the Active Directory Domain Services (ADDS) connector type. This will be the connector for your local AD domain.
• Within the properties of the connector, select Configure Directory Partitions from the menu on the left.
• Click on the Containers button and provide the credentials of the account we created based on the AADSync requirements and click OK.
• In the Select Containers window, you may notice that the top-level domain (e.g. DC=domain,DC=local) is selected (default). We need to deselect the checkbox so nothing is selected now.
• In my lab, I created a single OU with several sub-OUs that I moved all my users, groups and computers into. I selected only this specific OU to be the source of my filter for the connector. Click OK to complete the container selection.
• Click OK to complete the configuration of the directory partitions.

Third, we will run a manual synchronization.

• From within the Synchronization Service Manager, again highlight the ADDS connector type and click Run from the Actions on the right (or from the Actions on the menu bar).
• In the Run Connector window, select Full Import and click OK.
  • Note the state of the connector changed from Idle to Running. Wait for the state to change back to Idle before proceeding. The state will update automatically.
• For the same ADDS connected, click Run again but this time select Delta Synchronization and click OK.
  • Again, wait for the connector state to change back to Idle before continuing.
  • NOTE: These tasks may not actually synchronize the changes to O365. Please proceed to the next tasks.

Lastly, we will re-enable the process that synchronizes the on premise AD objects to O365.

• Open Task Scheduler to enable the scheduled task for Azure AD Sync Scheduler.
• With Azure AD Sync Scheduler task selected, click Run to start the full synchronization task. (Or you can wait until the next scheduled run time–which could be in 3 hours.)
  • NOTE: The changes that were synchronized in the third step will now be updated in O365.

The above tasks will provide a basic level of synching of on premise AD objects to O365 based on OU filtering. After completing the above tasks (for my lab implementation), it greatly reduced the number of users and groups in O365 from ~100 objects to less than 10 that I now need to manage.

If your environment is a bit more complicated, attribute-based filtering may be a better option.

Have fun!

 

Related Article(s):

• Azure Active Directory Synchronization Services (AADSync)
• Requirements for AADSync
• Installing AADSync
• Multi-Forest Deployment with AADSync
• Uninstalling AADSync
• Force Sync to Office 365 with AADSync
• AADSync Updates
• AADSync Version History

Reference(s):

• Configure filtering