Udostępnij za pośrednictwem


AADSync - Configure filtering Part 1

I have had several cases with questions on AADSync Filtering. As a general rule I never use Outbound filtering as these are not saved during upgrade. In this posting we will discuss one of the options used to filter objects as it is described in the msdn article : https://msdn.microsoft.com/en-us/library/azure/dn801051.aspx  by using the cloudFiltered(negative filtering option).

Once you read this article you should take away the following

    • Filter users & groups based on attributes using negative filtering
    • Understand how to test your rules without actually syncing objects to the cloud
    • Utilize the object preview tool within AADSync console  to confirm your rules are correctly configured

Scenario:
In my discussion with the business we want to control who and what makes it to the cloud. In this we only want to create users that have the office items PPG Value this attribute in AD is  ‘physicalDeliveryOfficeName’ . The additional requirement is they do not want any groups created in the cloud.

First lets set the stage:  

clip_image002
(Picture 1) 

Next we installed AAD with all the default sync rules – without running the initial sync steps
- As a note I have also configured the MA to scope to 1 OU to reduce time on sync during demo https://msdn.microsoft.com/en-us/library/azure/dn801051.aspx

Lets begin!

1. Open Sync Rule Editor – This step we will configure the users we want to sync

clip_image003
(Picture 2) 

2. Click New Sync rule 

clip_image004
(Picture 3) 

  1. Give the rule a descriptive name, such as In from AD – User DoNotSyncFilter, select the correct forest, User as the CS object type, and Person as the MV object type. In Link Type select Join and in precedence type a value currently not used by another Synchronization Rule, e.g. 50. Click Next.

clip_image005
(Picture 4) 

  1. In Scoping filter click Add Group, click Add Clause and in attribute select physicalDeliveryOfficeName. Make sure the Operator is set to NOTEQUAL and type in the value PPG in the Value box. Click Next.

clip_image007(Picture 5) 

 

  1. Leave the Join rules empty and click Next.

clip_image009 
(Picture 6) 

 

  1. Click Add Transformation, select the FlowType to Constant, select the Target Attribute cloudFiltered and in the Source text box, type in True. Click Add to save the rule.

clip_image011
(Picture 7) 

To test this we do not just simple run of automated sync as we want to confirm everything is sound. So for this we look at the way Identity management works. So first being a state based system we want to import the objects to the CS(Connector Space) . AD –> CS --> (SYNC RULE) --> MV

7. First lets run a full import

clip_image013 

8. Now that the full import is complete we see out objects

clip_image015

9. Click on the 8 Objects

clip_image017
(Picture 8) 

10.  Now we see all objects staged in the connector

clip_image019
(Picture 9) 

11.  Next in this step we will simulate what a full sync would do for this object , expected result based on our rule is we create the user in the cloud , Select our PPG user and Select Properties

clip_image020
(Picture 10) 

12.  Next we see the staged object  we will then click Preview

clip_image022
(Picture 11) 

13.  Next Click Generate Preview

clip_image024

14.  Once this generate completes you will see several items and I will go into what we are looking at

clip_image026

1. Is what we see in the CS and what sync rules are being apply to the attribute or contributing . Like in the above we see ‘In from AD – User Common’ is contributing to  ‘sAMAccountName’. You will also notice that you do not see our sync rule or attribute being applied and this is confirmed by Item 4 as you will see it not listed.

2. This is the generated  connector object staged to be created

clip_image028

3. This is our original AD connected object. This would tell you if you had any updates being written back to this object if in a hybrid scenario

15.  Let’s now do the same steps for the non PPG user as steps 11-13 above

16.  Now we see a completely different story as we look at the other user type. 

clip_image029

1. Now we see that our scoping filter we defined back in Picture 4 has been applied as the Item 3 says this sync rule is connected .

2. We also notice this object has not created a pending connector for the cloud connector

17.  During steps 10-13 was a simulation on what we expect the Full/Delta sync to do when we decide to run

18. Now we want to do the same for group but exclude groups all together as this was the business rule not to sync any groups in the cloud

19. We will now do same steps in creating the Group sync rule with slight adjustments based on the scenario we do not want to create any groups in the cloud

    1. Make sure Inbound is selected and click Add New Rule.
    2. Give the rule a descriptive name, such as In from AD – Group DoNotSyncFilter, select the correct forest, Group as the CS object type, and Group as the MV object type. In Link Type select Join and in precedence type a value currently not used by another Synchronization Rule, e.g. 51. Click Next.
    3. Leave Scoping filter empty and Click Next. – This means this rule will apply to all Groups
    4. Leave the Join rules empty and click Next.
    5. Click Add Transformation, select the FlowType to Constant, select the Target Attribute cloudFiltered and in the Source text box, type in True. Click Add to save the rule.
  1. Now if we run through the simulation with groups like we did with users we can see that the group is filtered from being created in the cloud

clip_image030

At the end of the day it only takes 2 sync rules to create users only with PPG in the Office attribute and then exclude all groups from being created in the cloud. This is one of 2 option with using attribute based filtering. I will never recommend Outbound filtering as these setting are not kept during upgrade as it says in the article mentioned above.

clip_image032

Comments

  • Anonymous
    January 08, 2015
    Thanks
  • Anonymous
    January 09, 2015
    Great article! :) cool!
  • Anonymous
    January 12, 2015
    Continuing from our previous post AADSync - Configure filtering Part 1 we will now look at using expressions
  • Anonymous
    February 24, 2015
    Hi, don't you need to disable the Scheduling task to prevent AADSync from unattended run, while experimenting with filtering?
  • Anonymous
    February 27, 2015
    The comment has been removed
  • Anonymous
    April 15, 2015
    Very useful information. It just helped us to hide on-premise AD users from O365 GAL without expanding the schema. Many thanks!
  • Anonymous
    June 24, 2015
    Hi David. This is a great article!
    I hope you could drop me some light with a question. Here's the situation.

    Our connector is looking at some specific OUs in our AD. Whenever a user left the company, we're moving the object to another OU. At Office 365 portal I can still see those user accounts being synced although I can't delete them by using the portal (as the option is not clickeable).

    Is there a way to create a OU filter in order to remove the user accounts I don't need in the portal anymore?

    Thanks in advance!
  • Anonymous
    February 04, 2016
    In support we see many cases come through looking to create a customized synchronization rule to adhere
  • Anonymous
    March 01, 2016
    Made a simpe inbound filter that looks at customattribute3 and if it contains "sync" the group/user/device/person is synced to Azure. This works fine. But for some reason it sometimes does not remove the account once customattribute3 is "blank" sometimes it just removes the information on the synced metaverse account and leaves it out there?
  • Anonymous
    March 02, 2016
    Hello again! Tim Macaulay here from the Identity Support team here at Microsoft. Recently I worked through