Azure AD Connect Filtering | Configure Group based, Domain based, OU based, Attribute based filtering - Part 5

Hello All

Welcome back to the Azure AD Connect tool series, part 5.

In this part we are going to look at the types of Azure AD Connect filtering and what each one is good for.

By default, Azure AD Connect syncs every object in every domain and OU of the on-premises Active Directory forest to Azure Active Directory (only a handful of built-in system objects, such as those flagged isCriticalSystemObject, are left out by the default rules).

With the help of Azure AD Connect filtering we can decide and control which objects are synced from on-premises Active Directory to Azure AD. This is also a security control: anything that never reaches the cloud directory cannot be targeted, enumerated or abused there.

There are four types of filtering available in the Azure AD Connect tool. Let us look at them one by one in detail:

1. Group Based Filter

2. Domain Based Filter

3. OU based Filter

4. Attribute Based Filter

 

Group Based Filter - Type 1

Let us assume we have 1000 user objects in the environment and the business wants to sync only 50% of them, that is 500 users, to Azure AD.

We can create a security group, add those 500 users as members, and select that group in Azure AD Connect. Only objects that are direct members of the group are synced; nested groups are not expanded.

Two caveats before using this in earnest: group-based filtering can only be selected in a custom installation of Azure AD Connect (the "Filter users and devices" page), and Microsoft supports it only for pilot deployments. For a production tenant, use domain, OU or attribute based filtering instead.



Domain Based Filter - Type 2

With this option we decide which domain's objects should be synced from on-premises Active Directory to Azure Active Directory. It is configured in the Azure AD Connect wizard under "Customize synchronization options" on the "Domain and OU filtering" page.

Let us assume we have two domains in the environment, cloudmonkeys.xyz and cloudfield.com.

With this feature the business can decide whether to sync objects from cloudmonkeys.xyz, from cloudfield.com, or from both domains.




Organisation Unit [OU] Based Filter - Type 3

In Active Directory we have many Organisational Units (OUs) and sub-OUs, and inside the OUs we have users, groups and computers.

If we are not using OU based filtering, Azure AD Connect syncs all OUs of the selected domains to AAD by default. With OU based filtering we can decide which OUs should be synced from on-premises AD to AAD. It is configured on the same "Domain and OU filtering" page of the wizard as domain based filtering.

Syncing scope OUs and non-syncing scope OUs

The OUs shown as checked are called syncing scope OUs.

The OUs that are not checked are called non-syncing scope OUs.

Note that checking a parent OU includes all of its child OUs, including OUs created later underneath it. If a new sub-OU must stay out of scope, it has to be unchecked explicitly, so review the OU selection whenever the OU structure changes.



There is one thing we must be aware of with OU based filtering. The scenario is:

A user from Sales is already in sync with AAD.

Later the business decides not to sync the Sales OU from on-premises AD to AAD.

What happens to the user who was already synced to AAD?

The user is deleted from AAD in the next sync cycle and moved to the Deleted users container in AAD. The object is soft-deleted, so it can be restored from Deleted users for 30 days, after which it is purged permanently. The same thing happens to any object that drops out of scope through domain, group or attribute based filtering, so plan filter changes carefully: if more objects fall out of scope than the export deletion threshold allows (500 by default), Azure AD Connect stops the export until an administrator confirms the deletions.

Attribute Based Filter - Type 4

This is the most flexible way to scope which objects are synced: we can apply either inbound filtering (on the Active Directory connector) or outbound filtering (on the Azure AD connector) based on the objects' attributes.

Attribute based filtering is configured with the help of synchronisation rules in the Synchronization Rules Editor. The usual pattern is an inbound rule whose scoping filter matches the objects to exclude and which sets the metaverse attribute cloudFiltered to True; an object with cloudFiltered set is not exported to Azure AD.

Example scenario: any user object whose extensionAttribute10 contains "NO SYNC" should not be synced from on-premises Active Directory to Azure Active Directory.
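The scenario above, implemented with the ADSync PowerShell module instead of the Sync Rules Editor. This is an added example, not code from the original post or from Microsoft's documentation. Assumed values: the rule name, precedence 50 (custom rules must use a precedence below 100) and the connector name cloudmonkeys.xyz taken from the domain example earlier in this post. It runs in an elevated PowerShell session on the Azure AD Connect server.

```powershell
# Added example (not from the original post): inbound sync rule that keeps any user
# whose extensionAttribute10 contains "NO SYNC" out of Azure AD by setting cloudFiltered = True.
# Assumptions: rule name, precedence 50, connector name 'cloudmonkeys.xyz'.
Import-Module ADSync

$connector = Get-ADSyncConnector -Name 'cloudmonkeys.xyz'
$ruleName  = 'In from AD - User NO SYNC filter'

# Guard: a second rule with the same name would silently duplicate the scoping logic.
if (Get-ADSyncRule | Where-Object { $_.Name -eq $ruleName }) {
    throw "Sync rule '$ruleName' already exists; edit it instead of creating another."
}

# Inbound rule from the AD connector, user -> person, joining to the existing metaverse object.
$rule = New-ADSyncRule `
    -Name $ruleName `
    -Identifier ([guid]::NewGuid().Guid) `
    -Description 'Do not sync users whose extensionAttribute10 contains NO SYNC' `
    -Direction 'Inbound' `
    -Precedence 50 `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join'

# Scoping filter: the rule applies only when extensionAttribute10 contains the marker text.
$condition = New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'extensionAttribute10', 'NO SYNC', 'CONTAINS'
$rule = Add-ADSyncScopeConditionGroup -SynchronizationRule $rule -ScopeConditions @($condition)

# Attribute flow: constant True into cloudFiltered, which blocks export to Azure AD.
$rule = Add-ADSyncAttributeFlowMapping -SynchronizationRule $rule `
    -Destination 'cloudFiltered' -FlowType 'Constant' -ValueMergeType 'Update' -Source 'True'

# Commit the rule to the sync engine.
Add-ADSyncRule -SynchronizationRule $rule

# A new scoping rule only takes effect after a full import and full sync.
Start-ADSyncSyncCycle -PolicyType Initial
```

Because cloudFiltered is evaluated on every sync, a user that already exists in Azure AD and later gets "NO SYNC" stamped into extensionAttribute10 is soft-deleted in the next cycle, exactly like the OU scenario above. Run the script with the scheduler disabled, as the next section explains, and check the deletion threshold first if the marker is being applied to many accounts at once.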

We will discuss in more detail how to create synchronisation rules, with many use-case scenarios, later in this series.

Important : Disable the scheduler

Before making any filtering change in Azure AD Connect, disable the scheduler first.

The scheduler runs a delta sync cycle every 30 minutes by default.

Make sure it does not start a cycle while you are making changes and troubleshooting your new rules; a cycle that runs against a half-finished filter can export deletions you did not intend.

To temporarily disable the scheduler, start PowerShell on the Azure AD Connect server and run Set-ADSyncScheduler -SyncCycleEnabled $false. After the filter change, run a full sync with Start-ADSyncSyncCycle -PolicyType Initial, verify the result, and re-enable the scheduler with Set-ADSyncScheduler -SyncCycleEnabled $true.
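The whole change window as one script: wait for any running cycle to finish, pause the scheduler, confirm the export deletion threshold is still active, apply the filter change, run the initial sync and resume. This is an added example, not code from the original post; the filter change itself is done in the wizard or with a sync rule, so that step is only a placeholder comment here.

```powershell
# Added example (not from the original post): safe change window for an Azure AD Connect
# filtering change. Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

# 1. Never pause the scheduler in the middle of a cycle; wait until the current one ends.
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'A sync cycle is in progress, waiting 30 seconds...'
    Start-Sleep -Seconds 30
}

# 2. Stop scheduled cycles so nothing exports while the filter is half configured.
Set-ADSyncScheduler -SyncCycleEnabled $false
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC

# 3. Make sure the deletion threshold is still enabled (it stops an export that would delete
#    more than the configured number of objects, 500 by default). May prompt for Azure AD credentials.
Get-ADSyncExportDeletionThreshold

# 4. Apply the filter change here: wizard ("Customize synchronization options") for domain/OU
#    filtering, or a sync rule for attribute based filtering.

# 5. A filter change is only applied by a full import and full sync (the "initial" policy).
Start-ADSyncSyncCycle -PolicyType Initial

# 6. Give the cycle a moment to register, then wait for it to finish before resuming the schedule.
Start-Sleep -Seconds 30
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'Initial sync cycle still running, waiting 30 seconds...'
    Start-Sleep -Seconds 30
}

# 7. Resume the normal 30 minute delta schedule.
Set-ADSyncScheduler -SyncCycleEnabled $true
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC
```

If step 5 ends with the export blocked by the deletion threshold, that is the safety net working: review the objects that are about to be deleted in Synchronization Service Manager before deciding whether to raise the threshold or correct the filter.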

 Happy Learning 👆🙂
