Just a quick post today on something that doesn’t seem to be well documented and could be helpful…
AAD Connect is basically Microsoft’s third version of their Directory Synchronization tool for Office 365. While AAD Connect includes more of a “wizard-type” interface for configuration of components such as AD FS, it’s also the current Directory Sync tool.
With each iteration of the Directory Sync tool has come changes; the method of forcing a sync has changed in each version and in the latest version of AAD Connect, we have a new set of default filters.
Below is a summary of the default AAD Connect filters along with two somewhat undocumented filters that could be used to your advantage.
How To See The Filters
You can see the filters by launching the “Synchronization Rules Editor” (“C:\Program Files\Microsoft Azure AD Sync\UIShell\SyncRulesEditor.exe”). At a high-level, you should understand that are basically two types of rules: “Inbound” and “Outbound”. The rules dictate the attribute flow in relation to the AAD Connect metaverse; so “Inbound” rules cover data going into the metaverse and “Outbound” rules cover data coming out of the metaverse.
Default Filters
Most of the default rules are pretty well documented on this page: Azure AD Connect sync: Understanding the default configuration.
As a summary, the default rules will not sync users…
- without a source anchor
- without sAMAccountName populated
- with the sAMAccountName of “SUPPORT_388945a0”
- with a mailNickname that begins with “SystemMailbox{”
- with a sAMAccountName that begins with “AAD_”
- with a mailNickname that begins with “CAS_” and contains “}”
- with a sAMAAccountName that begins with “MSOL_”
The rules will also not sync:
- Mail-enabled Public Folders
- System Attendant Mailboxes
- System Mailboxes
- Discovery Mailboxes
- Exchange Role Groups
- Conflict Objects (DN begins with “\\0ACNF:”)
- Dynamic Distribution Groups
The Not-So-Documented Filters
If you’ve used the “Synchronization Rules Editor” to peek at the default rules, you’ll see there are two filters that can be helpful when needing to exclude adhoc objects.
The inbound rules for users and groups both contain a filter that use the “adminDescription” attribute. If a user has this attribute populated with a value that begins with “User_” or a group has the attribute populated with “Group_”, it will not be synced into the metaverse.
So if you have objects that you don’t want to sync that are buried within an OU in your sync scope, you can use this attribute to filter out these individual objects. Populating the “adminDescription” attribute with the value “User_NoO365Sync” or “Group_NoO365Sync” (depending on the object type) will allow you to easily filter these objects.
There are a couple advantages of using “adminDescription” over a custom filter that sets “cloudFiltered” to “True”. First of all, the filter is already there in the base set so there’s no additional configuration needed in AAD Connect. The second advantage is the object is not pulled into the metaverse like it is with “cloudFiltered”. You’ll occasionally encounter scenarios where you need to purge an object from the metaverse to resolve the issue and just setting “cloudFiltered” will not do this for you.
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.
very helpful, thank you