So I’ve been playing with AADSync attribute filtering. So far we have successfully filtered our lab Azure AD sync by domain and organizational unit. It appears that group-membership-based filtering is not supported with this version, but according to Microsoft, the Azure AD Connect tool (currently in Preview 2), which will eventually replace the current AAD Sync tool, should support it. For now, I will adapt the Microsoft example here for my own environment.
In this scenario, we do not want to synchronize users whose custom attribute ‘ExtensionAttribute15’ is set to ‘nosync’. This implies that in my Active Directory lab environment, all users whose ExtensionAttribute15 is set to ‘sync’ will be synchronized to Azure/Office 365.
I started by setting the ExtensionAttribute15 custom attribute of all my lab on-premises AD users to ‘nosync’, as shown in the screenshot:
Get-ADUser -Filter * | ForEach-Object { Set-ADUser -Identity $_ -Add @{ExtensionAttribute15="nosync"} }  # -Add assumes the attribute is still empty; use -Replace to overwrite an existing value
I verified this setting on a sample user:
I proceeded to set the ExtensionAttribute15 custom attribute value for a single lab user from ‘nosync’ to ‘sync’:
PS C:\scripts> Get-ADUser -Identity philipsnyder -Properties * | %{ Set-ADUser -Identity $_ -Replace @{ExtensionAttribute15="sync"}}
PS C:\scripts> Get-ADUser -Identity philipsnyder -Properties * | ft ExtensionAttribute15
ExtensionAttribute15
--------------------
sync
To configure the actual filtering in Azure AD Sync, open the Synchronization Rules Editor tool. As a rule, I always create inbound rules, as recommended by Microsoft. Configuring the inbound direction from AD is recommended because these settings are kept even after an upgrade to a newer version.
Select the Inbound Rule Type and click on the Add New Rule button:
Give the rule a name, such as ‘In from AD – User DoNotSyncFilter’, select the correct forest, select User as the Connected System object type, and Person as the Metaverse object type. In Link Type select Join and in precedence type a value currently not used by another Synchronization Rule, e.g. 54. Click Next.
On the Scoping filter page, click Add Group, click Add Clause, and in Attribute select ExtensionAttribute15. Make sure the Operator is set to EQUAL and type nosync in the Value box. Click Next.
Leave the Join rules empty and click Next. Click Add Transformation, set the FlowType to Constant, select the Target Attribute cloudFiltered, and in the Source text box type True. Click Add to save the rule.
Navigate to the DirectorySyncClientCmd folder and run synchronization manually.
Log in to the Office 365 portal and verify that the user is synchronized to the cloud with the status ‘Synced with Active Directory’.
For now, this approach has worked for me. I also made a note to set the filter property to ‘nosync’ for new users. Moving forward, I will test a few scenarios that require an expression. I also intend to test group-membership-based filtering with the Preview 2 version of Azure AD Connect.
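As an added example that is not part of the original post, the following PowerShell script previews the effect of the scoping filter above before a manual synchronization run, and flags accounts whose ExtensionAttribute15 is still unset, since the rule only matches the literal value nosync and such users are therefore synchronized. The OU path is a placeholder assumption; the rule name and attribute values come from the steps above.

```powershell
# Added example, not part of the original post. Previews which users the
# 'In from AD - User DoNotSyncFilter' rule (clause ExtensionAttribute15 EQUAL nosync)
# will keep out of Azure AD, and which it will not match.
Import-Module ActiveDirectory

$searchBase = 'OU=Lab Users,DC=lab,DC=local'   # assumption: replace with your own OU

$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties extensionAttribute15

$report = foreach ($user in $users) {
    $value = $user.extensionAttribute15
    if ($value -eq 'nosync') {
        $outcome = 'Filtered (cloudFiltered=True)'
    } elseif ($value -eq 'sync') {
        $outcome = 'Synchronized'
    } elseif ([string]::IsNullOrEmpty($value)) {
        # The scoping filter only matches the literal 'nosync', so an unset
        # attribute means the user is synchronized; easy to miss for new accounts.
        $outcome = 'UNSET - will be synchronized'
    } else {
        $outcome = "Unexpected value '$value' - will be synchronized"
    }
    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        extensionAttribute15 = $value
        Outcome              = $outcome
    }
}

$report | Sort-Object Outcome, SamAccountName | Format-Table -AutoSize

# Close the gap for new accounts: default every user with no value to 'nosync'.
# -Replace is used rather than -Add because it also works when a value already exists.
$report | Where-Object { [string]::IsNullOrEmpty($_.extensionAttribute15) } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -Replace @{ extensionAttribute15 = 'nosync' }
}
```

Run the report before invoking DirectorySyncClientCmd so that any account listed as UNSET or with an unexpected value is corrected first.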
This is rather too advanced for me. Dad.
Dad, maybe not that advanced.. lol