I ran into a customer this week who had a requirement to partially synchronize certain users' attributes to the cloud, due to security concerns, without interrupting or degrading the service.
I found the following three filtering configuration types that can be applied to the Directory Synchronization tool (TechNet article: http://technet.microsoft.com/en-us/library/jj710171.aspx):
- Organizational-unit (OU)–based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the Directory Synchronization tool. This filtering type enables you to select which OUs are allowed to synchronize to the cloud.
- Domain-based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the Directory Synchronization tool. This type enables you to select which domains are allowed to synchronize to the cloud.
- User-attribute–based: You can use this filtering method to specify attribute-based filters for user objects. This enables you to control which objects should not be synchronized to the cloud.
However, I could not find any information about how to filter individual attributes and partially synchronize the objects. After some testing I found there is an easy way to accomplish that.
I thought of writing up the step-by-step process, which might be helpful for some of you.
1. After installing the Windows Azure Active Directory Sync tool, on your DirSync server navigate to <Drive>\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
2. Double-click miisclient.exe (the Synchronization Service Manager)
3. This opens a console similar to the screen capture below
4. Click on Management Agents
5. Double click on Active Directory Connector (see next screenshot)
6. Click on Configure Extensions (see next screenshot)
7. Search for the attributes that you are not interested in synchronizing and click Delete (see next screenshot). You may re-add an attribute later if needed. Do not remove attributes the service itself depends on: userPrincipalName and the source anchor (objectGUID) are required for every synchronized user, and Exchange Online additionally needs attributes such as mail and proxyAddresses. Removing those will break, not merely restrict, the synchronization.
8. Perform a full sync
- On the Management Agents tab, right-click Active Directory Connector, click Run, click Full Import Full Sync, and then click OK.
- Right-click Windows Azure Active Directory Connector, click Run, click Full Import Full Sync, and then click OK.
- Right-click Windows Azure Active Directory Connector, click Run, click Export, and then click OK.
9. You can also force a DirSync run with the following PowerShell commands.
- On your DirSync server, open a PowerShell console as Administrator
- Navigate to "C:\Program Files\Microsoft Online Directory Sync"
- Run .\DirSyncConfigShell.psc1
- Now execute the Start-OnlineCoexistenceSync cmdlet (add the -FullSync switch to force a full synchronization cycle rather than a delta).
10. Verify from Office 365 user management that only the attributes you kept are populated for the synchronized users, and that the attributes you removed are blank.
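The verification in step 10 is easier to do for more than a handful of users from PowerShell than by clicking through the portal. The script below is an added example, not part of the original post: it triggers a full DirSync cycle the same way DirSyncConfigShell.psc1 does (by loading the Coexistence-Configuration snap-in), then compares on-premises AD values against what Get-MsolUser returns for a few sample users. It assumes the MSOnline and ActiveDirectory modules are available on the DirSync server, and the attribute list ($FilteredAdAttributes) and user list ($SampleUpns) are constructed placeholders you replace with your own. Only AD attributes that surface as MsolUser properties can be checked this way, so the mapping table covers the common ones.

```powershell
# Added example (not from the original post): force a full DirSync cycle and then
# check from Office 365 that attributes removed from the Active Directory Connector
# are blank in the cloud while the attributes you kept are still populated.
# Assumptions (adjust to your environment):
#   - run on the DirSync server in an elevated PowerShell session
#   - the MSOnline module (Connect-MsolService / Get-MsolUser) is installed there
#   - $FilteredAdAttributes lists the AD attributes you deleted in step 7
#   - $SampleUpns lists a few synchronized users to spot-check

# Load the DirSync snap-in the same way DirSyncConfigShell.psc1 does, then force a full cycle.
Add-PSSnapin Coexistence-Configuration -ErrorAction Stop
Start-OnlineCoexistenceSync -FullSync

Import-Module ActiveDirectory
Connect-MsolService   # prompts for an Office 365 global admin credential

# Map on-premises AD attribute names to the property names Get-MsolUser exposes.
$AdToMsol = @{
    'department'                 = 'Department'
    'title'                      = 'Title'
    'physicalDeliveryOfficeName' = 'Office'
    'telephoneNumber'            = 'PhoneNumber'
    'mobile'                     = 'MobilePhone'
    'streetAddress'              = 'StreetAddress'
    'l'                          = 'City'
    'st'                         = 'State'
    'postalCode'                 = 'PostalCode'
}

# Constructed sample input: replace with the attributes you removed and users you want to check.
$FilteredAdAttributes = @('telephoneNumber', 'mobile', 'streetAddress')
$SampleUpns           = @('alice@contoso.com', 'bob@contoso.com')

function Test-FilteredAttributes {
    param([string[]]$Upns, [string[]]$FilteredAttributes, [hashtable]$Map)
    foreach ($upn in $Upns) {
        $adUser = Get-ADUser -Filter "userPrincipalName -eq '$upn'" -Properties @($Map.Keys)
        $cloud  = Get-MsolUser -UserPrincipalName $upn
        if (-not $adUser -or -not $cloud) { Write-Warning "$upn not found on one side"; continue }
        foreach ($adAttr in $Map.Keys) {
            $onPrem     = $adUser.$adAttr
            $cloudValue = $cloud.($Map[$adAttr])
            $isFiltered = $FilteredAttributes -contains $adAttr
            # LEAKED: a removed attribute still has a value in the cloud.
            # MISSING: a kept attribute has an on-prem value but nothing in the cloud.
            $status = if ($isFiltered -and $cloudValue) { 'LEAKED' }
                      elseif (-not $isFiltered -and $onPrem -and -not $cloudValue) { 'MISSING' }
                      else { 'OK' }
            [pscustomobject]@{
                User     = $upn
                AdAttr   = $adAttr
                Filtered = $isFiltered
                OnPrem   = $onPrem
                Cloud    = $cloudValue
                LastSync = $cloud.LastDirSyncTime
                Status   = $status
            }
        }
    }
}

Test-FilteredAttributes -Upns $SampleUpns -FilteredAttributes $FilteredAdAttributes -Map $AdToMsol |
    Format-Table -AutoSize
```

Start-OnlineCoexistenceSync returns as soon as the cycle is kicked off, so run the check only after LastDirSyncTime on the sample users has advanced past the time you made the change; a LEAKED row before that point is just the old value, not a failed filter. Any LEAKED row after a completed cycle means the attribute is still flowing from another source (for example an attribute you did not remove that is mapped to the same cloud property) and needs a second look in the Synchronization Service Manager.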
Note: It is very important to remember that filtering configurations applied to your directory synchronization instance are not preserved when you install or upgrade to a newer version. The same applies to the attribute removals described above, so keep a record of which attributes you deleted. If you are upgrading to a newer version of directory synchronization, you must re-apply your filtering configuration after you upgrade, but before you run the first synchronization cycle; otherwise the first cycle will push the previously filtered attributes to the cloud.