AADConnect: rules to filter Exchange recipients and block “locked” accounts

Every so often I run into a request to help with the creation of a filtering rule for Azure AD Connect. Here are two such recent examples:

Automatically block Office 365 accounts for which the on-prem account is “locked”

If the on-prem account has been locked (for example because of too many bad password attempts), this has no effect on the Office 365 account for the same user. The attribute that designates the user object as locked, “lockoutTime”, is not synced by default to Azure AD, thus Office 365 is never made aware of the lockout. If for whatever reason you want to automatically prevent users from logging to Office 365 once their on-prem account is locked, here’s an example sync rule you can use.

As usual we start by opening the Synchronization Rules Editor tool, located by default under “C:\Program Files\Microsoft Azure AD Sync\UIShell\”. We then go to the Inbound rules section and Add a new rule. Enter a name and description, then select the relevant on-prem domain under Connected system. The AD object type would be User in this scenario and the Metaverse object type is Person. Select Join for the Link Type and give the rule a Precedence lower than the default rules. You can skip the two next pages, as a scoping filter is not necessary in this scenario (although you can certainly add one to limit the effect of this rule to a subset of the user objects). On the Transformations page, select Expression as the FlowType, choose accountEnabled for the Target Attribute and for the source, enter the following expression:


Basically, the rule will check the presence of the lockoutTime attribute and will set the accountEnabled Metaverse attribute accordingly – True if the lockoutTime attribute is not present or has a zero value, and False if it does have a value. Here’s how it should look like:

Azure AD Sync rules

Here’s how the attribute mapping looks via PowerShell:

PS C:\> (Get-ADSyncRule b30bd1f3-9dab-462a-a2e9-896f4d05d186).AttributeFlowMappings

Source : {lockoutTime}
Destination : accountEnabled
FlowType : Expression
ExecuteOnce : False
Expression : IIF(IsNullOrEmpty([lockoutTime]),True,False)
ValueMergeType : Update
MappingSourceAsString : IIF(IsNullOrEmpty([lockoutTime]),True,False)

Filter out Exchange recipients

As a second example, consider a situation where you do not want to sync all the available recipients from your on-prem servers to Azure AD. The rule can look at the msExchRecipientTypeDetails or the msExchRecipientDisplayType attributes and filter out the values that match the desired recipient type. For example, if we are to consider regular distribution groups, the value of the msExchRecipientDisplayType we should be looking at is 1. Unlike the previous example, a Scoping filter is a very good idea for such rule, and to create one we need to press the Add group button on the relevant page, then Add Clause. For the Attribute, select msExchRecipientDisplayType. The Operator should be set to Equal, and the Value to 1. Here’s how it would look like:

Azure AD Sync rules

Skip the Next page, and on the Transformations one, add a new Constant FlowType. For the TargetAttribute, select cloudFiltered. In order to make sure the object does not sync to Azure AD, we need to set the value for this attribute to True, in the Source field. That’s it:

Azure AD Sync rules

Once you create/modify any rule, don’t forget to run a Full dirsync cycle for the changes to be picked up by the sync engine. And in case it wasn’t clear from above, those are exotic examples and should only be used when you have a good reason and most importantly understanding of all the implications.

6 thoughts on “AADConnect: rules to filter Exchange recipients and block “locked” accounts

  1. Tyler says:

    We have Security Enabled Mail Groups that we sync with AD groups. We use them as dynamic email groups, so when an employee leaves and their account is disabled, they are removed from the email group. However, it seems we can either not sync our deactivated users, OR not sync our groups. We need to not sync deactivated users within groups (still keep deactivated mail accounts for users in 365).

    The attribute filter does not let us cloud filter disabled accounts within groups. Do you know if this is possible?

    1. Vasil Michev says:

      Tyler, I don’t think I fully understand your scenario. In general, dynamic groups are not synced, buy you can re-create them directly in O365 and configure the recipient filter as needed.

      If you want to use AAD Connect for this, I suggest you edit the “member” property mapping for any rule that does inbound sync of Groups. Though I’ve never played with this and I’m not sure if it works.

      1. Tegah says:

        Hi do you have an update for the rule IIF(IsNullOrEmpty([lockoutTime]),False,True) to block users who are locked from onpremise

        1. Chika says:

          edit the rule to read : IIF(([lockoutTime])=0,True,False)

          as the former rule sees “0” as a value and locks out the account on Azure AD after a delta sync

  2. Chris says:

    It looks like the rule is backwards! IIF(IsNullOrEmpty([lockoutTime]),False,True) will set “AccountEnabled” to False if lockoutTime is Null or Empty. This will disable all users who are not locked out!

    1. Vasil Michev says:

      Oh, seems I messed up the AccountEnabled and BlockCredential attributes, thanks 🙂


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.