How to prevent disabled accounts from syncing to Azure AD when using AADSync

​I stumbled upon this question on the Azure AD forums at MSDN. Since the AADSync tool is relatively new, and has few changed bits compared to Dirsync, taking on tasks such as this one is rewarding in several ways.

The starting point is of course the documentation, namely the Configure filtering article. The AADSync tool comes with a new rules engine with more options than we had available in Dirsync, which allow you to control every aspect of the sync process. In this case, I choose to adapt one of the examples for attribute based filtering. Here are the relevant steps:

Launch the Synchronization Rules Editor tool, select the Inbound Rule type on the left and press the Add new rule button. On the first page, name the rule and add a description. For Connected system, select the appropriate forest. Connected system object type should be set to User, and the Metaverse object type to Person. Lastly, configure the Link type as Join and set the Precedence of the rule. It should look something like this:

Press Next and continue to the Scoping filter page. Press the Add group button to add a new scoping clause, then the Add clause button and select UserAccountControl for the Attribute. The operator we need in this case is the ISBITSET operator, and we are looking for the value of 2, which corresponds to the relevant flag.

Press the Next button and skip the Join rules page, which will take you to the Transformations page. Press the Add transformation button and select FlowType as Constant. The TargetAttribute we are looking for is the cloudFiltered one, and the value should be set to True in the Source field.

You can now press the Save button and be done with it. Remember that the new rule will take effect only after a Full Sync has been run. After rynning the full sync, you can check the MIISClient to see if the objects have been correctly deprovisioned. First of all, the cloudFiltered attribute should be set to True for any user object that is disabled in the local AD:

This will in turn result in the object being excluded from synchronization, which can be easily confirmed if you switch to the Connectors tab:

And if you look at the Properties here and go to the Lineage tab, you will find out which sync rules took effect on the object:

Now, before you go and start filtering out all your disabled users, remember that excluding an object from the synchronization process will REMOVE the corresponding object in WAAD, so be careful. While this process will work fine if you are just starting with installing and configuring AADSync in your AD, it most certainly will cause you trouble if you decide to implement it in already syncing environment. The main reason behind this is the fact that people that leave the company or go on a long absence usually get their AD accounts disabled, so in case this rule is configured, instead of just disabling the cloud account as well, you will end up deleting it. Don’t say I didn’t warn you! 🙂

This entry was posted in Office 365. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *