Azure AD Connect - block users that are members of a group, instead of changing attribute?

Heim, Dan 41 Reputation points
2020-07-30T15:31:07.68+00:00

We are syncing to Azure and have different OUs selected and a couple of additional rules to block users with specific attributes, like being disabled, etc. I am trying to find out if there is a way through the rules editor to simply have a group in AD that blocks those accounts from getting synced to Azure?

I know MS does not like using groups and likes to use attributes, but it would be really nice and simple if we could simply have a group named AzureDeny, and anytime we run into a kiosk user account, etc. that we do not want in Azure, simply be able to add it in. We have a lot of accounts and are looking for a simple way to delegate this to our helpdesk, without us having to use a script to modify attributes or change our AD org structure around which accounts do not go to Azure, etc. The rules editor has a lot of options, but I am just not sure if there is a way.


1 answer

  1. Andy David - MVP 141.3K Reputation points MVP
    2020-07-30T16:11:12.237+00:00

    As you probably know, using Group filtering would not be supported beyond basic initial pilot testing, so no, that would not be an option for the long term if you want to be supported.

    If you want to use a group, why not create a scheduled PowerShell task that checks for any members in that group and then updates a custom attribute of your choosing on the members' AD accounts that filters that account from the sync? I know you don't want to use a script or modify attributes, but that, to me, is a safe and supported method to accomplish this.

    1 person found this answer helpful.
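As an added example of the scheduled task the answer describes (this is not code from the question or the answer), assuming a deny group named AzureDeny, extensionAttribute15 as the chosen attribute with the value NoSync, and a matching inbound scoping filter (extensionAttribute15 NOTEQUAL NoSync) already created in the Azure AD Connect Synchronization Rules Editor. It also clears the flag on accounts that have been removed from the group, so they start syncing again.

```powershell
# Added example: flag AzureDeny members so the sync scoping filter excludes them.
# Assumptions: group name, attribute name/value and the scoping filter are all chosen here;
# the scoping filter itself must exist in the Synchronization Rules Editor.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DenyGroup = 'AzureDeny',            # assumed group name
    [string]$Attribute = 'extensionAttribute15', # assumed attribute used by the scoping filter
    [string]$Value     = 'NoSync'                # assumed value the filter matches on
)
Import-Module ActiveDirectory

# Current user members of the deny group (recursive, so nested groups also work).
$members = @(Get-ADGroupMember -Identity $DenyGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty distinguishedName)

# Accounts already carrying the flag, so anyone removed from the group can be un-flagged.
$flagged = @(Get-ADUser -LDAPFilter "($Attribute=$Value)" -Properties $Attribute |
    Select-Object -ExpandProperty distinguishedName)

$toFlag  = $members | Where-Object { $_ -notin $flagged }   # new members: stop syncing
$toClear = $flagged | Where-Object { $_ -notin $members }   # left the group: resume syncing

foreach ($dn in $toFlag) {
    if ($PSCmdlet.ShouldProcess($dn, "Set $Attribute=$Value (exclude from Azure AD sync)")) {
        Set-ADUser -Identity $dn -Replace @{ $Attribute = $Value }
    }
}
foreach ($dn in $toClear) {
    if ($PSCmdlet.ShouldProcess($dn, "Clear $Attribute (include in Azure AD sync again)")) {
        Set-ADUser -Identity $dn -Clear $Attribute
    }
}
Write-Verbose ("Flagged {0} account(s), cleared {1} account(s)." -f $toFlag.Count, $toClear.Count)
```

Run it once with -WhatIf to preview the changes before scheduling it; the accounts only drop out of (or return to) the tenant on the next sync cycle, and the helpdesk needs only membership rights on the group, not write access to the attribute.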