How to: Configure filtering for directory synchronization


Published: September 27, 2012

Updated: September 24, 2014

Applies To: Azure, Office 365, Windows Intune


You can enable Active Directory synchronization filtering in Azure Active Directory at any time. If you have already run the default configurations of directory synchronization and then configured the filtering, the objects that are filtered out are no longer synchronized to the cloud. As a result, any objects in the cloud that were previously synchronized but were then filtered out of the synchronization are deleted by the directory synchronization process.
If objects were inadvertently deleted because of a filtering error, you can re-create the objects in the cloud by removing your filtering configurations, and then syncing your directories again.

Important
Microsoft does not support modification or operation of the Directory Sync tool outside of those actions formally documented. The actions documented below in this article are supported. Unsupported actions include:

  • Opening the underlying FIM Sync Engine to modify Connector configuration
  • Manually controlling the frequency and/or ordering of Synchronization Run Profiles or changing the attributes that are synchronized to the cloud.

Any of these actions may result in an inconsistent or unsupported state of the Directory Sync tool, and as a result Microsoft cannot provide technical support for such deployments or usage of the tool.

Filtering configurations applied to your directory synchronization instance aren’t saved when you install or upgrade to a newer version. If you are upgrading to a newer version of directory synchronization, you must re-apply filtering configurations after you upgrade, but before you run the first synchronization cycle.

Note
In this article, Source AD is used as name for your Active Directory Domain Service management agent.
Depending on the version of the Directory Sync tool you have installed in your environment, the name of this management agent can also be Active Directory Connector.

The following three filtering configuration types can be applied to the Directory Synchronization tool:

  • Organizational-unit (OU)–based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the Directory Synchronization tool. This filtering type enables you to select which OUs are allowed to synchronize to the cloud.
  • Domain-based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the directory synchronization tool. This type enables you to select which domains are allowed to synchronize to the cloud.
  • User-attribute–based: You can use this filtering method to specify attribute-based filters for user objects. This enables you to control which objects should not be synchronized to the cloud.

To configure organizational-unit (OU)-based filtering:

  1. Log on to the computer that is running directory synchronization by using an account that is a member of the MIISAdmins local security group.
  2. Open Identity Manager by double-clicking miisclient.exe. Its location depends on your version of the Directory Synchronization tool:
    1. 32-bit: Program Files\Microsoft Online Directory Sync\SYNCBUS\UIShell
    2. 64-bit: Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
    3. 64-bit (new): C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell
  3. In Identity Manager, click Management Agents, and then double-click SourceAD.
  4. Click Configure Directory Partitions, and then click Containers.
  5. When prompted, enter your domain credentials for the on-premises Active Directory forest.
    Note
    When presented with the credentials dialog box, the MSOL_AD_Sync account will be displayed. This account is using a randomly generated password, so administrators will not know the password. When performing this filtering operation, you should enter an account which has access to the Active Directory forest. The account used here should be an Enterprise Admin. The Enterprise Admin account can view the entire forest and perform the filtering within any domain within the forest. Using a Domain Admin will limit the scope of what the Directory Synchronization tool can view and may not be viable when needing to expand the filter into other domains.
  6. In the Select Containers dialog box, clear the OUs that you don’t want to synch with the cloud directory, and then click OK. Click OK on the SourceAD Properties page.
  7. Perform a full sync: on the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync, and then click OK.

To configure domain-based filtering:

  1. Log on to the computer that is running directory synchronization by using an account that is a member of the MIISAdmins local security group.
  2. Open Identity Manager by double-clicking miisclient.exe. Its location depends on your version of the Directory Synchronization tool:
    1. 32-bit: Program Files\Microsoft Online Directory Sync\SYNCBUS\UIShell
    2. 64-bit: Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
  3. In Identity Manager, click Management Agents, and then double-click SourceAD.
  4. Click Configure Directory Partitions, and then select the domains that you want to synchronize. To filter a domain out of the synchronization process, clear the domain’s check box.
  5. Click OK.
  6. Perform a full sync: on the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync, and then click OK.

The user attribute-based filtering procedure can be applied to only user objects. Contacts and groups use complex filtering rules that are beyond the scope of this article.
Filtering out specific users requires that you update the user objects in your on-premises organization that you do not want to synchronize to the cloud. You can filter based on any user object attribute.
For example, you could add the string “NoSync” to the extensionAttribute15 user attribute for each user in your on-premises organization that you don’t want to sync to the cloud. In this example, after you have configured the on-premises user, you create a filter rule in Identity Manager to exclude the “NoSync” users from the synchronization process.
The following procedure describes how to configure user filtering using the “NoSync” string on extensionAttribute15.

To set the attribute on the on-premises user object:

  1. In Active Directory Users and Computers, in the View menu, select Advanced Features, and then open the property page for the user.
  2. On the Attribute Editor tab, set extensionAttribute15 to NoSync.
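When more than a handful of users need the NoSync marker, setting extensionAttribute15 through Attribute Editor does not scale, and it is easy to lose track of which cloud objects the next full sync will delete. The following PowerShell script is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed and that the account running it can write to the target user objects. The account names in $usersToExclude are constructed samples.

```powershell
# Added example: tag users with extensionAttribute15 = NoSync in bulk, then list
# every user the connector filter (extensionAttribute15 Equals NoSync) will exclude,
# so the set can be reviewed before running Full Import Full Sync.
# Assumes the RSAT ActiveDirectory module; sample account names are constructed.
Import-Module ActiveDirectory

$FilterValue = 'NoSync'

# Constructed sample: sAMAccountNames of users that must not sync to the cloud.
$usersToExclude = @('svc-backup01', 'contractor.temp')

foreach ($sam in $usersToExclude) {
    $user = Get-ADUser -Identity $sam -Properties extensionAttribute15

    if ($user.extensionAttribute15 -eq $FilterValue) {
        Write-Host "$sam is already tagged $FilterValue"
        continue
    }
    if ($user.extensionAttribute15) {
        # Another process may already use this attribute; do not overwrite it silently.
        Write-Warning "$sam has extensionAttribute15='$($user.extensionAttribute15)'; skipping"
        continue
    }

    Set-ADUser -Identity $sam -Replace @{ extensionAttribute15 = $FilterValue }
    Write-Host "Tagged $sam with extensionAttribute15=$FilterValue"
}

# Review pass: these users match the connector filter condition and will be
# dropped by the next full sync. Any of them already present in the cloud
# directory will be deleted there, so confirm the list before syncing.
$excluded = @(Get-ADUser -Filter "extensionAttribute15 -eq '$FilterValue'" `
                         -Properties extensionAttribute15)
$excluded |
    Select-Object sAMAccountName, UserPrincipalName, DistinguishedName |
    Format-Table -AutoSize
Write-Host "$($excluded.Count) user(s) will be excluded from synchronization."

# To reverse the exclusion for one user (the cloud object is re-created on the
# next sync, as the article describes for removed filters):
# Set-ADUser -Identity 'svc-backup01' -Clear extensionAttribute15
```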

To configure the connector filter in Identity Manager:

  1. Log on to the computer that is running directory synchronization by using an account that is a member of the MIISAdmins local security group.
  2. Open Identity Manager by double-clicking miisclient.exe. Its location depends on your version of the Directory Synchronization tool:
    1. 32-bit: Program Files\Microsoft Online Directory Sync\SYNCBUS\UIShell
    2. 64-bit: Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
  3. In Identity Manager, click Management Agents, and then double-click SourceAD.
  4. Click Configure Connector Filter, and then do the following:
    1. Select user in the Data Source Object Type grid, and then click New.
    2. In Filter for user, on the Data Source attribute, select extensionAttribute15; for Operator, select Equals, and then type NoSync in the Value field.
    3. Click Add Condition, and then click OK.
  5. On the SourceAD properties page, click OK.
  6. Perform a full sync: on the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync, and then click OK.
