Tuesday, August 14, 2012

DirSync Filtering

Introduction
If you subscribe to Microsoft Office 365 (with the exception of the Small Business Plan) and your company already has users in a local Active Directory [AD] environment, you can use the Microsoft Online Services Directory Synchronization [DirSync] tool to synchronize those users to your Office 365 directory.

By using DirSync, you can keep your local AD in constant synchronization with Office 365 so that any changes made to users such as contact updates for example, are propagated to Office 365.

This allows you not only to create synchronized versions of each user account and group, but also allows Global Address List [GAL] synchronization from your local Exchange environment to Exchange Online.


Synchronization
Until now, one of the problems of DirSync was that it would sync your entire AD to Office 365. This means that if you had 10,000 AD users and only wanted 500 in Office 365, you would end up with all 10,000 users listed in Office 365. There were a couple of methods of excluding certain objects, but none of them was supported by Microsoft.

DirSync Filtering has been possible for early Office 365 for Education customers but now it is available to all customers, allowing you to easily exclude Organizational Units [OUs], for example, from being synchronized. Let’s have a look.

DirSync is simply a pre-configured Microsoft Identity Integration Server [MIIS] installation specific for Office 365 integration. What some administrators don’t know is that MIIS can be customized by using the MIIS Client located at:
32-bit: %SystemDrive%\Program Files\Microsoft Online Directory Sync\SYNCBUS\UIShell
64-bit: %SystemDrive%\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell

WARNING: Before we proceed, please be very careful when using the MIIS Client, as it can cause harm to your Office 365 environment if not used properly!


Filtering
At the time of writing of this post, there are 3 filtering options that can be applied to DirSync:
1. Organizational Units based, which allows you to select which OUs are to be synced to the cloud;
2. Domain based, allowing you to select which domains are synchronized to the cloud;
3. User attribute based, enabling you to control which objects shouldn’t be synchronized to the cloud based on their AD attributes.

NOTE: If you have already run DirSync and synced all your AD into Office 365, the objects that you now filter will no longer be synchronized and will be deleted from the cloud! If you excluded, and subsequently deleted objects because of a filtering error, you can easily re-create them in the cloud by removing the filter and then syncing the directories again.


Organizational Units Based Filtering
1. Log on to the computer that is running DirSync by using an account that is a member of the MIISAdmins local group;
2. Open MIIS by running miisclient.exe;
3. In Synchronization Service Manager, click Management Agents and then double-click SourceAD;

4. Click Configure Directory Partitions and then click Containers;

5. When prompted, enter domain credentials for your on-premises domain and then click OK;

6. In the Select Containers dialog box, clear the OUs that you don’t want to sync;

7. If you click Advanced..., you can further control which OUs to include and exclude;

8. Click OK three times;
9. On the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync and then click OK to perform a full sync;

10. Once finished, you can check the results at the bottom left corner of the window.



Domain Based Filtering
1. Log on to the computer that is running DirSync by using an account that is a member of the MIISAdmins local group;
2. Open MIIS by running miisclient.exe;
3. In Synchronization Service Manager, click Management Agents and then double-click SourceAD;

4. Click Configure Directory Partitions and then select the domains that you want to synchronize. Because in my environment there is only one domain, I only get one domain listed. To exclude a domain simply clear its check box;

5. Click OK;
6. On the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync and then click OK to perform a full sync;

7. Once finished, you can check the results at the bottom left corner of the window.


User Attribute Based Filtering
As the name suggests, this third option can only be applied to user objects. It is possible to filter contacts and groups, but these use other, more complex filtering rules.

To exclude users from synchronization, there are around 114 AD attributes we can use. For example, you can set extensionAttribute10 to “noOffice365” for all the users you don’t want to sync and then create a filter rule to exclude these from synchronization. After you have populated the attribute you want to filter on in AD, here’s how you configure MIIS:

1. Log on to the computer that is running DirSync by using an account that is a member of the MIISAdmins local group;
2. Open MIIS by running miisclient.exe;
3. In Synchronization Service Manager, click Management Agents and then double-click SourceAD;

4. Click Configure Connector Filter;

5. Select user in the Data Source Object Type column. Here you can see some examples of accounts that are already excluded, such as the Exchange System mailboxes or the MSOL_AD_Sync account used by DirSync;

6. Click New;
7. In Filter for user, on the Data Source attribute, select extensionAttribute10. For Operator select Equals and then type noOffice365 in the Value field. Click Add Condition and then click OK;

8. Click OK again;
9. On the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync and then click OK to perform a full sync;

10. Once finished, you can check the results at the bottom left corner of the window.
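As an added example (not part of the original post), the PowerShell script below stamps the users you want to keep out of Office 365 with the attribute value used above and then lists exactly which accounts the connector filter will match, so you can review them before running the Full Import Full Sync. It assumes the ActiveDirectory module (RSAT) is installed on the machine you run it from and uses a placeholder OU distinguished name.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# PowerShell module is available; the OU below is a placeholder to replace.
Import-Module ActiveDirectory

$FilterAttribute = 'extensionAttribute10'   # attribute chosen in the post
$FilterValue     = 'noOffice365'            # value the MIIS connector filter matches
$ExcludeOU       = 'OU=Contractors,DC=example,DC=local'  # placeholder OU (assumption)

# 1. Tag every enabled user in the OU that should stay out of Office 365.
#    -WhatIf dry-runs the change; remove it once you are happy with the list.
Get-ADUser -SearchBase $ExcludeOU -Filter 'Enabled -eq $true' |
    ForEach-Object {
        Set-ADUser -Identity $_ -Replace @{ $FilterAttribute = $FilterValue } -WhatIf
    }

# 2. Preview the accounts the connector filter will drop. The filter in MIIS
#    uses "Equals", so the LDAP query must use the value exactly as typed there.
$Excluded = @(Get-ADUser -LDAPFilter "($FilterAttribute=$FilterValue)" `
                         -Properties $FilterAttribute, mail)

"{0} user(s) carry {1}={2} and will be excluded from DirSync:" -f `
    $Excluded.Count, $FilterAttribute, $FilterValue
$Excluded | Select-Object SamAccountName, mail, DistinguishedName | Format-Table -AutoSize

# 3. Sanity check: a tagged user that already has a mail address was most
#    likely synced before, and will be deleted from the cloud once the filter
#    takes effect (see the NOTE above). Surface those so nobody is surprised.
$Excluded | Where-Object { $_.mail } | ForEach-Object {
    Write-Warning "$($_.SamAccountName) has mail $($_.mail) and will be removed from Office 365"
}
```

Run it with -WhatIf in place first, confirm the listed accounts are the ones you expect, then remove -WhatIf and proceed with the MIIS steps above.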

Hope this helps!
