Planning for filtering Active Directory
When you use Azure AD Connect to synchronize on-premises Active Directory to an Azure Active Directory instance, the default setting is to have all user accounts, group accounts, and mail-enabled contact objects synchronized up to the cloud. For some organizations, synchronizing everything is exactly what they want. Other organizations want to be more selective about which objects are synchronized from the on-premises Active Directory environment to the Azure Active Directory instance that supports the Office 365 tenancy.
With Azure AD Connect, you can choose to filter based on the following options as shown in Figure 4-8:
Domain based In a forest with multiple domains, you can configure filtering so that only objects from some domains, and not others, are filtered.
Organizational unit (OU) based With this filtering type, you choose which objects are filtered based on their location within specific organizational units.
FIGURE 4-8 Domain and OU filtering
You can also configure filtering on the basis of group membership, as shown in Figure 4-9. You can configure separate group based filters for each forest or domain synchronized using Azure AD Connect.
FIGURE 4-9 Filter Users And Devices
While Azure AD Connect will address most organization’s synchronization requirements, the most comprehensive tool that you can use to filter synchronization is the Synchronization Rules Editor, shown in Figure 4-10. You can use this tool to modify existing synchronization rules, but also to create new rules. Rather than configuring synchronization on a per-domain or per-OU basis, you can tailor rules for individual objects and specific Active Directory attributes.
FIGURE 4-10 Synchronization Rules Editor