Hey checkyourlogs.net fans, today’s post covers a common “ask” from those synchronizing on-premises Active Directory with Azure AD: how to prevent certain local objects, specifically users, from synchronizing to Azure AD. Use AD Connect’s filtering capabilities, that’s how! In today’s scenario I’m going to prevent the SystemMailbox account created for Exchange from synchronizing to Azure AD. I’ll set a value on an existing but unused attribute found on the SystemMailbox AD object, then add a custom inbound synchronization rule that filters on that value by setting the cloudFiltered metaverse attribute. Let’s get this done!
Step one is preventing unwanted synchronization while making changes. Do this by disabling Azure AD Connect’s built-in synchronization scheduler using PowerShell. On the Azure AD Connect server, open an elevated PowerShell session (the ADSync module is installed there), then run:
Set-ADSyncScheduler -SyncCycleEnabled $False
No output indicates success.
Start Synchronization Rules Editor
Look at the list of current rules and identify a Precedence value which ISN’T currently used and is lower than the existing values (needed later). The built-in rules start at 100, and a lower Precedence value wins, so custom rules belong in the range below 100.
Make sure Inbound is selected, then click Add New Rule.
Give the rule a descriptive name, such as “In from AD – User DoNotSyncFilter”
Enter a description for the rule such as “Local AD users to exclude from synchronization with AzureAD”
Select the local AD forest
Select User as the Connected System Object Type
Select Person as the Metaverse Object Type
Select Join for Link Type
Enter the Precedence value that isn’t currently used by another synchronization rule (identified earlier)
Do NOT change Tag, Enable Password Sync, or Disabled settings
Click Next
Add a Scoping Filter by clicking Add group
Click Add clause
Drop down the Attribute select box, click the attribute to filter on, such as extensionAttribute6. I often use the extensionAttributes because they’re already in the schema once Exchange has extended it (Azure AD Connect adds extensionAttribute1–15 to the AD connector when it detects the Exchange schema), but they aren’t assigned values. Feel free to extend your schema with a custom attribute if you prefer; just make sure the attribute is selected in the AD connector’s attribute list, or the scoping filter will never see it.
Drop down the Operator select box and click EQUAL
Enter the attribute value to use identifying accounts to filter, such as “LocalOnly”
Click Next
No need for join rules, click Next
Click Add transformation
Drop down the FlowType select box and click Constant
Drop down the Target Attribute select box and click cloudFiltered
Enter True in Source
Leave Apply Once unchecked
Select Update for Merge Type
Click Add
Pro tip: The new rule appears at the top of the Synchronization Rules Editor since a lower Precedence value was selected and the Synchronization Rules Editor sorts Precedence low to high by default
Close Synchronization Rules Editor
Open Synchronization Service
Click Connectors
Select the Active Directory Domain Services Type Connector
Note the Name of the Windows Azure Active Directory… Type Connector for later use
On the Actions Menu to the right, click Run
Select Full Synchronization
Click OK
Click Operations
Wait for the Full Synchronization job just started to finish…
With filtering configured and in place, it’s time to re-enable the synchronization scheduler. Within PowerShell, run:
Set-ADSyncScheduler -SyncCycleEnabled $True
Remember, no output indicates success.
To verify the synchronization scheduler is enabled, run:
Get-ADSyncScheduler | Format-List SyncCycleEnabled
Output should show
SyncCycleEnabled : True
That’s it! With this in place, any local AD user object with extensionAttribute6 set to “LocalOnly” won’t synchronize to Azure AD. One caveat to keep in mind: cloudFiltered = True also applies to objects that have already synchronized. If you tag an account that already exists in Azure AD, the next export removes it from Azure AD (it goes to the deleted users list, from which it can be restored for 30 days), so check the tag carefully before the synchronization runs.
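The PowerShell below is an added example, not part of the original post: it scripts the parts of the procedure that the walkthrough above does not show, namely tagging the on-premises account(s) with the filter value, reading the tag back, picking a free custom Precedence below 100, and confirming after the Full Synchronization that the tagged attribute reached the AD connector space. It generalizes the post’s single SystemMailbox account to every user whose name matches a wildcard. Assumptions for illustration: the name filter `SystemMailbox*`, that the AD DS connector reports `Type` equal to `AD` from Get-ADSyncConnector, and that the object returned by Get-ADSyncCSObject exposes an `Attributes` collection whose items carry `Name` and `Values`. The rule itself is still created in the Synchronization Rules Editor and the Full Synchronization still runs from Synchronization Service, as described above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session on the
# Azure AD Connect server; needs the ActiveDirectory and ADSync modules.
Import-Module ActiveDirectory
Import-Module ADSync

# Set the filter attribute on every user matching the name filter and return what was tagged.
# Default name filter 'SystemMailbox*' is an assumption that matches Exchange system mailboxes.
function Set-LocalOnlyTag {
    param(
        [string]$NameFilter      = 'SystemMailbox*',
        [string]$FilterAttribute = 'extensionAttribute6',
        [string]$FilterValue     = 'LocalOnly'
    )
    $targets = Get-ADUser -Filter "Name -like '$NameFilter'" -Properties $FilterAttribute
    if (-not $targets) { throw "No user matched '$NameFilter'; nothing was tagged." }

    $replace = @{}
    $replace[$FilterAttribute] = $FilterValue
    foreach ($u in $targets) {
        Set-ADUser -Identity $u.DistinguishedName -Replace $replace
    }
    # Read the value back from AD rather than trusting the write
    Get-ADUser -Filter "$FilterAttribute -eq '$FilterValue'" -Properties $FilterAttribute |
        Select-Object Name, DistinguishedName, $FilterAttribute
}

# Return the lowest Precedence in the custom range (1-99) not used by any existing rule.
# Built-in rules start at 100, and the lowest Precedence value wins.
function Get-FreeSyncRulePrecedence {
    $used = Get-ADSyncRule | Select-Object -ExpandProperty Precedence
    $free = 1..99 | Where-Object { $_ -notin $used } | Select-Object -First 1
    if (-not $free) { throw 'No free Precedence value below 100.' }
    return $free
}

# After the Full Synchronization: show the filter attribute as the AD connector space sees it.
# Assumed: the AD DS connector has Type 'AD', and CS objects expose Attributes with Name/Values.
function Get-ConnectorSpaceTag {
    param(
        [Parameter(Mandatory)][string[]]$DistinguishedName,
        [string]$FilterAttribute = 'extensionAttribute6'
    )
    $adConnector = Get-ADSyncConnector | Where-Object { $_.Type -eq 'AD' } | Select-Object -First 1
    if (-not $adConnector) { throw 'No Active Directory Domain Services connector found.' }

    foreach ($dn in $DistinguishedName) {
        $cs  = Get-ADSyncCSObject -ConnectorName $adConnector.Name -DistinguishedName $dn
        $tag = ($cs.Attributes | Where-Object { $_.Name -eq $FilterAttribute }).Values
        [pscustomobject]@{
            DistinguishedName = $dn
            Attribute         = $FilterAttribute
            ConnectorSpace    = ($tag -join ',')
        }
    }
}

# --- Before opening the Synchronization Rules Editor ---
Set-ADSyncScheduler -SyncCycleEnabled $false           # stop scheduled cycles while editing
$tagged = Set-LocalOnlyTag                             # tag and list the accounts to keep local
"Use Precedence $(Get-FreeSyncRulePrecedence) for the new inbound rule."

# --- After creating the rule and running Full Synchronization on the AD connector ---
Get-ConnectorSpaceTag -DistinguishedName $tagged.DistinguishedName | Format-Table -AutoSize
Set-ADSyncScheduler -SyncCycleEnabled $true            # re-enable the scheduler
Get-ADSyncScheduler | Format-List SyncCycleEnabled     # expect SyncCycleEnabled : True
```

The connector-space check only proves the tag was imported from AD; whether the scoping filter fired is visible on the joined metaverse object (cloudFiltered = True) in Synchronization Service under Metaverse Search. Run the tagging function before the synchronization is re-enabled, because any account that already exists in Azure AD is removed from it on the next export once cloudFiltered is set.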
Until next time checkyourlogs.net fans, enjoy your IT adventures!
John Sr.