Share via

Modify AD Connect scope

Stefano Colombo 221 Reputation points
2021-11-23T09:19:04.63+00:00

We have enabled the synchronization between on-prem AD to the tenant by choosing all the AD and we have synchronized all the users in different OUs
Now we'd like to have only a subset of users synchronized to the tenant and thought of running again the AD Connect wizard and select to filter the synchronization by Group membership.
Is that the correct way ?
Will the other users, already replicated, being removed from the tenant ?

Are there any other possible impact of doing this ?
thanks

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

Answer accepted by question author

Vasil Michev 127K Reputation points MVP Volunteer Moderator
2021-11-23T10:37:41.573+00:00

The group-based scoping should only be used at the initial, testing stage of a deployment. In your scenario, use either OU-based or attribute-based filtering, as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering
And yes, users that are already replicated to Azure AD and are removed from the sync scope will be deleted, so thread carefully.

Was this answer helpful?

0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.