Kevin Bertrand

Heads in the Cloud

ad connect filtered synchronization

Azure AD Connect Default Filter

On

By

kbertrand

In

, ,

A recurring question in my M365/Azure AD Connect projects is „How can we prevent that my whole Active Directory (especially service users, etc.) are synchronised to the Azure Active Directory?“

My answer is always: „You have multiple options and you will be in full control at every moment!“

As this topic comes up every time that I decided to write a blog post about this topic.

Microsoft themselfes h

Why do we want to filter in AD Connect?

Before i show you how to filter your objects, i shortly want to give you an overview, why we want to filter AD Objects in AD Connect.

No. 1: Pilot-Projects, Test-Deployments, …

Most of the time, while the project not even started, the first queston which comes up is “How do we prevent that all users are synchronised and get access to Azure AD Features?”

Some will say something like “Why do you want to do something like that?”. But many customers hold back new features before publishing it to all users in their organization.

No. 2: Service Users, Admin Accounts, …

Next are service users, special admin accounts (and groups) and so on. Many of them are only created to authenticate a device (like a printer) to Active Directory, so they are useless in Azure Active Directory and don’t need to be synced to Azure AD.

The two main reasons, why you want do this are:

  • You want to clean up your Azure AD from unneededclobber
  • You don’t want to get those privileged groups or accounts synchronized to Azure AD

No. 3: Advanced Identity Management

If you have advanced IAM-Processes (something like SoftwareCentral or Matrix42 for example) with self-service shops you don’t want to synchronize all objects, just those who have ordered the functionality.

This comes up mainly in larger enterprises. SMBs don’t even think about it as the cost and time perspective is out of their reach.

What are my possibilities with AD Connect?

  1. Group-based filtering
  2. OU-based filtering
  3. Attribute-based filtering

Group-based Filtering

Group-based filtering options in AD Connect Setup Assistant
Group-based filtering configuration

As a Pilot-Project feature comes Group-based Filtering. As the Microsoft documentation, as well as the installer says, this feature is only recommended to use in test scenarios.

This is not intended for production usage!

With this, you can configure a group, of which all members are synchronized to your Azure AD. Users, as well as groups.

As this is only a pilot feature, you can only configure it while you install Azure AD Connect. After the installation completes there is no possibility to configure this afterwards. The only workaround is a reinstallation of Azure AD Connect!

OU-based filtering

OU-based filtering options in AD Connect Setup Assistant
OU-based filtering configuration

OU-Filtering is the go-to filtering option in most of the scenarios. With this you just configure the Organizational Units in your Active Directory and AD Connect synchronizes all Users, Groups and Computers which reside in them.

If you don’t want to synchronize all users in them, you have to create a sub-OU which then will not synchronize to Azure AD (but still get the GPOs applied).

In larger environments (where you maybe have one OU-substructure per Site) this leads to a bunch more OUs which aren’t needed and increase complexity in your AD Connect configuration.

Attribute-based filtering

adminDescription-Attribute in Active Directory ADSI-Editor
Attribute-based filtering configuration

This is the most complex and most time-consuming filtering option. If you don’t have special IAM-Systems up and running, this option can cost you a lot of time.

But: it can also be a good addition to OU-based filtering!

With the default filtering Rules of AD Connect you can extend OU-based with Attribute-based filtering.

These attributes are not very well documented but can save you a lot of time reorganising your OU-structure.

There are two values, which get filtered out by default.

Users:

AD Connect Synchronization Rules - User adminDescription

Groups:

AD Connect Synchronization Rules - Group adminDescription

With these attributes you can filter additional to OU-based filtering. With this, Users and Groups will be excluded from Azure AD Sync even if they are in scope of the OU-based Filter.

This is extremely useful for service accounts, admin accounts, etc. that you don’t want to sync to Azure AD, even when you have configured an OU-based sync.

Summary

Your go-to option for configuring Azure AD Connect should be OU-based filtering. For special cases (like service accounts, Admin-Accounts, etc.) you can enhance this “basic” filtering with Attribute-based filtering to stop syncing these to Azure AD.

Leave a Reply

Your email address will not be published. Required fields are marked *

Categories

Archives

Tags

aad aadc activedirectory adconnect automation AzureAD azureadconnect docker gitlab linux M365 packer PowerShell