The default installation of Azure AD Connect comes with the also default set of synchronization rules required, to run most customer deployments, but sometimes, especially when you need to synchronize very chaotic AD environments or if multiple companies use a single AD domain, you need to configure not only OU filtering, but also a second layer of AD attribute filtering.
Note, that Microsoft does not support the manipulation of the default rules and after a Azure AD Connect update, the customized rules are possibly gone. Microsoft can also possibly deny support if you encounter synchronization issues, because you have left the “supported configuration” path by changing the default rules!
User filtering by AD attributes
The first recommendation when changing sync rules is, to not change the default rules directly but copy them and make your changes in the copy and not not original rule. That’s important when Microsoft wants you to restore the supported state in case of issues, which is a lot more complicated when you did make changes to the original rules directly.
In the following example, we will configure a negative rule that is filtering out all AD users from our AD domain, that does not have the extensionAttribute6 filled with the String Sync to Azure AD.
Let’s start with the actual configuration to filter users that do not have extensionAttribute6 populated with our desired string:
- Connect top your Azure AD Connect machine via RDP.
- Open Synchronization Rules Editor from the start menu.
- Select the Add new rule button from the upper right.
- Fill in the fields:
- Name: User Sync Filtering to Azure AD
- Connected System: m365experts.net
- Connected System Object Type: user
- Metaverse Object Type: person
- Link Type: Join
- Precedence: 50
- Select Next.
- Select Add group to configure a scoping filter.
- Select Add clause and fill in the following values to the clause:
- Attribute: extensionAttribute6
- Operator: NOTEQUAL
- Value: Sync to Azure AD
- Select Next >.
- Don’t configure any join rules and select Next >.
- Select Add transformation to block objects from sync.
- Fill in the following fields for the transformation clause:
- FlowType: Constant
- Target Attribute: cloudFiltered
- Source: true
- Select Add to finish the creation of the new rule.
The new rule is active, as soon as the next sync cycle is running. Be careful when applying this rule to an productive deployment, because AAD Connect will delete all users that are not matching the sync requirements anymore, because extensionAttribute6 is missing or not configured as exactly as stated in your rule!
Group filtering by AD attributes
Usually, the requirement to configure user filtering by attributes comes hand-in-hand with the requirement to also filter distribution and security group synchronization by AD attributes.
In the next example, we will configure a new rule for filtering AD groups by the extensionAttribute6, that also needs to contain the string Sync to Azure AD. In this case we will not exclude users that are not matching from filtering, but we will only include groups in the sync, that match the filter:
- Open Synchronization Rules Editor from the start menu again.
- Search the existing rules for In from AD – Group Join and select it.
- Select Edit from the bottom buttons.
- Select Yes to create a copy of the rule and disable the default one.
- Change the fields as follows:
- Name: Group Sync Filtering to Azure AD
- Connected System: m365experts.net
- Connected System Object Type: group
- Metaverse Object Type: group
- Link Type: Join
- Precedence: 55
- Select Next.
- Select Add clause to add another scopeing filter:
- Attribute: extensionAttribute6
- Operator: EQUAL
- Value: Sync to Azure AD
- Select Save.
That’s it! In the next full sync cycle, all groups, that are not matching the configured rule, will be removed.