Archives March 2023

Attribute-Based Filtering – Implementing and Managing Identity Synchronization with Azure AD

Another way to prevent objects from being synchronized to Azure AD is using an attribute filter. This advanced method requires creating a custom synchronization rule in the Azure AD Connect Synchronization Rules Editor.

To create an attribute-based filtering rule, select an attribute that isn’t currently being used by your organization for another purpose. You can use this attribute as a scoping filter to exclude objects. The following procedure can be used to create a simple filtering rule:

1. On the server running Azure AD Connect, launch the Synchronization Rules Editor.

2. Under Direction, select Inbound and then click Add new rule. See Figure 4.11:

Figure 4.11 – Synchronization Rules Editor

3. Provide a name and description for the rule.

4. Under Connected System, select the object that represents your on-premises Active Directory forest.

5. Under Connected System Object Type, select user.

6. Under Metaverse Object Type, select person.

7. Under Link Type, select Join.

8. In the Precedence text field, enter an unused number (such as 50), as shown in Figure 4.12. Click Next.

Figure 4.12 – Creating a new inbound synchronization rule

9. On the Scoping filter page, click Add group and then click Add clause.

10. Under Attribute, select extensionAttribute1 (or whichever unused attribute you have selected).

11. Under Operator, select EQUAL.

12. In the Value text field, enter NOSYNC, as shown in Figure 4.13, and then click Next.

Figure 4.13 – Configuring a scoping filter for extensionAttribute1

13. On the Join rules page, click Next without adding any parameters.

14. On the Transformations page, click Add transformation.

15. Under FlowType, select Constant.

16. Under Target Attribute, select cloudFiltered.

17. In the Source text field, enter the value True. Click Add.

Figure 4.14 – Adding a transformation for the cloudFiltered attribute

18. Acknowledge the warning that a full import and synchronization cycle will be required by clicking OK. See Figure 4.15:

Figure 4.15 – Warning for full import and synchronization

After modifying the synchronization rule, a full import and full synchronization are required. You don’t have to perform any special steps, however; Azure AD Connect is aware of the update and will automatically perform the necessary full imports and synchronizations.
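The same rule can be created without the GUI by using the ADSync PowerShell module that ships with Azure AD Connect; the cmdlet sequence below follows the shape of the script the Synchronization Rules Editor produces from its Export button. This is an added example, not code from the book or from Microsoft: the connector name 'contoso.com', the rule name, and the description are placeholders you must replace, and the script assumes it is run in an elevated PowerShell session on the Azure AD Connect server. The step numbers in the comments refer to the procedure above.

```powershell
# Added example: scripted equivalent of steps 1-18 above using the ADSync module.
# Assumptions (not from the page): connector name, rule name and description are
# placeholders; run elevated on the Azure AD Connect server.
Import-Module ADSync

$connectorName = 'contoso.com'                      # placeholder: your on-premises AD connector
$ruleName      = 'In from AD - User NOSYNC filter'  # placeholder rule name
$ruleId        = [guid]::NewGuid().ToString()       # every rule needs its own identifier
$precedence    = 50                                 # step 8: an unused precedence number

# Step 4: resolve the connector object that represents the on-premises forest.
$connector = Get-ADSyncConnector -Name $connectorName
if (-not $connector) { throw "Connector '$connectorName' not found" }

# Step 8 check: the editor refuses a duplicate precedence; do the same here.
$clash = Get-ADSyncRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Precedence -eq $precedence }
if ($clash) { throw "Precedence $precedence is already used by inbound rule '$($clash.Name)'" }

# Steps 2-8: inbound rule, user -> person, link type Join.
New-ADSyncRule `
    -Name $ruleName `
    -Identifier $ruleId `
    -Description 'Exclude users whose extensionAttribute1 equals NOSYNC' `
    -Direction 'Inbound' `
    -Precedence $precedence `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -OutVariable syncRule | Out-Null

# Steps 9-12: scoping filter "extensionAttribute1 EQUAL NOSYNC".
$condition = New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'extensionAttribute1', 'NOSYNC', 'EQUAL'
Add-ADSyncScopeConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition) `
    -OutVariable syncRule | Out-Null

# Step 13: no join conditions are added.

# Steps 14-17: constant flow of True into cloudFiltered.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @('True') `
    -Destination 'cloudFiltered' `
    -FlowType 'Constant' `
    -ValueMergeType 'Update' `
    -OutVariable syncRule | Out-Null

# Step 18: commit the rule to the sync engine.
Add-ADSyncRule -SynchronizationRule $syncRule[0]

# Read the stored rule back and show the parts that matter for review.
Get-ADSyncRule -Identifier $ruleId |
    Format-List Name, Direction, Precedence, LinkType, ScopeFilter, AttributeFlowMappings
```

As with the GUI, the rule only takes effect after a full import and full synchronization; if you do not want to wait for the scheduler, `Start-ADSyncSyncCycle -PolicyType Initial` starts that cycle immediately. Because the rule turns a plain directory attribute into a synchronization control, anyone who can write extensionAttribute1 on a user object can remove that user from Azure AD, so review who holds write access to the attribute you pick and keep the rule's precedence and scoping filter under change control.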

Monitoring Synchronization by Using Azure AD Connect Health

Azure AD Connect Health is a premium feature of Azure AD. It provides separate agents for Azure AD Connect (sync), for Active Directory Domain Services (AD DS), and for AD FS.