If you need to exclude objects from Azure AD Connect’s synchronization scope, you can do that through a number of different methods:
- Domain and organizational unit-based filtering
- Group-based filtering
- Attribute-based filtering
Let’s quickly examine these.
Domain and Organizational Unit-Based Filtering
With this method, you can deselect large portions of your directory by modifying the list of domains or organizational units that are selected for synchronization. While there are several ways to do this, the easiest way is through the Azure AD Connect setup and configuration tool:
1.To launch the Azure AD Connect configuration tool, double-click the Azure AD Connect icon on the desktop of the server where Azure AD Connect is installed. After it launches, click Configure.
2. On the Additional tasks page, as shown in Figure 4.8, select Customize synchronization options and then click Next.
Figure 4.8 – Additional tasks page
3. On the Connect to Azure AD page, enter credentials for either the Global Administrator or Hybrid Identity Administrator role and click Next.
4. On the Connect your directories page, click Next.
5. On the Domain and OU filtering page, as shown in Figure 4.9, select the Sync selected domains and OUs radio button and then select or clear objects to include or exclude from synchronization.
Figure 4.9 – Azure AD Connect Domain and OU filtering page
6. Click Next.
7. On the Optional features page, click Next.
8. On the Ready to configure page, click Configure.
After synchronization is completed, verify that only objects from in-scope organizational units or domains are present in Azure Active Directory.
Group-Based Filtering
Azure AD Connect only supports the configuration of group-based filtering if you choose to customize the Azure AD Connect setup. Group-based filtering is not available if you perform an express installation.
If you’ve chosen a custom installation, you can choose to limit the synchronization scope to a single group. On the Filter users and devices page of the configuration wizard, select the default radio button, Synchronize all users and devices, to continue without group filtering. You can also choose the Synchronize selected radio button and then enter the name or distinguishedName (DN) of a group that contains the users and devices to be synchronized.
Figure 4.10 – Filter users and devices page
With group-based filtering, only direct members of the group are synchronized. Users, groups, contacts, or devices nested inside other groups are not resolved or synchronized.
Note
Microsoft recommends group-based filtering for piloting purposes only.
Leave a Reply