AAD Connect by attribute issue

Stefano Colombo 221 Reputation points
2022-05-30T13:39:37.417+00:00

We're testing the AD Connect filtering before using it in a production environment.

The goal is simple: filtering by a user's attribute setting, so we followed this article
https://social.technet.microsoft.com/wiki/contents/articles/54333.azure-ad-connect-customize-sync-options.aspx

Using CASE3

So we created a catch-all rule that blocks all users from being synced and a rule with higher priority that should sync only users with a specific attribute set.

However, it simply doesn't work; the rule that gets applied is the catch-all.

I double-checked the rule that should enable the sync of some users and it looks correct, but I cannot find why it is not working.

Thanks


1 answer

  1. Sandeep G-MSFT 14,406 Reputation points Microsoft Employee
    2022-06-03T11:57:35.763+00:00

    @Stefano Colombo

    Thank you for reaching out to us. As I understand, you have implemented "Use case 3" from the article Azure AD Connect : Customize Sync Options - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com).

    As per the article, you have created 2 different custom rules in AD Connect. One rule is to block all users from syncing to Azure AD, and one rule is to sync only a few users with a specific value in a specific attribute.

    I configured the same in my lab and it works as expected. To take this further, we will have to check the rule with the higher priority.
    You can export the rule by selecting the rule and clicking on Export.

    [screenshot: exporting the selected rule]

    The rule should look something like below:

    # Rule with the lower precedence number (89) so it wins over the catch-all rule
    New-ADSyncRule `
    -Name 'Selected User Sync' `
    -Identifier 'e80fa9f6-5931-43ed-9b4d-b814180dfe26' `
    -Description 'Selected User Sync' `
    -Direction 'Inbound' `
    -Precedence 89 `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector 'e4212bf2-c549-4145-91c9-e719a705019e' `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag $null `
    -OutVariable syncRule

    # Constant flow: users in scope get cloudFiltered = False, i.e. they are synced
    Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @('False') `
    -Destination 'cloudFiltered' `
    -FlowType 'Constant' `
    -ValueMergeType 'Update' `
    -OutVariable syncRule

    # Scope: only users whose extensionAttribute1 equals 'sync'
    New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'extensionAttribute1','sync','EQUAL' `
    -OutVariable condition0

    Add-ADSyncScopeConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition0[0]) `
    -OutVariable syncRule

    Add-ADSyncRule `
    -SynchronizationRule $syncRule[0]

    Get-ADSyncRule `
    -Identifier 'e80fa9f6-5931-43ed-9b4d-b814180dfe26'

    You can compare the rule and let me confirm whether it is configured correctly.

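The following diagnostic is an added example, not code from the question or the answer above. It runs on the Azure AD Connect server with the ADSync module and lists every custom inbound rule that flows cloudFiltered in the order the sync engine evaluates them, so the selected-user rule can be checked for the three things that make the catch-all win instead: a higher precedence number than the catch-all, a different connector, or a wrong or missing scope condition. It relies on the standard rule object properties (Precedence, Connector, Disabled, ScopeFilter, AttributeFlowMappings); the connector-name lookup is an assumption about your environment's connector list.

```powershell
# Added diagnostic (not from the original post). Run on the AAD Connect server.
Import-Module ADSync

# Resolve connector GUIDs to names so both rules can be seen to target the same AD connector.
$connectorNames = @{}
foreach ($c in Get-ADSyncConnector) { $connectorNames[$c.Identifier.ToString()] = $c.Name }

$report = foreach ($rule in (Get-ADSyncRule |
        Where-Object { -not $_.IsStandardRule -and $_.Direction -eq 'Inbound' } |
        Sort-Object Precedence)) {

    # Only rules that flow the cloudFiltered attribute matter for this filtering design.
    $flow = $rule.AttributeFlowMappings | Where-Object { $_.Destination -eq 'cloudFiltered' }
    if (-not $flow) { continue }

    # Render the scope filter: conditions inside a group are ANDed, groups are ORed.
    $groups = foreach ($group in $rule.ScopeFilter) {
        ($group.ScopeConditions | ForEach-Object {
            '{0} {1} {2}' -f $_.Attribute, $_.ComparisonOperator, $_.ComparisonValue
        }) -join ' AND '
    }
    $scopeText = if ($groups) { @($groups) -join ' OR ' } else { '(none: every user is in scope)' }

    [pscustomobject]@{
        Precedence    = $rule.Precedence          # lower number wins
        Name          = $rule.Name
        Disabled      = $rule.Disabled            # a disabled rule never applies
        Connector     = $connectorNames[$rule.Connector.ToString()]
        CloudFiltered = (@($flow.Source) -join ',')  # constant 'True' or 'False'
        Scope         = $scopeText
    }
}

$report | Format-Table -AutoSize

# The selected-user rule (cloudFiltered = False) must carry a LOWER precedence number
# than the catch-all (cloudFiltered = True); otherwise every user stays filtered out.
$allow = $report | Where-Object { $_.CloudFiltered -eq 'False' } | Sort-Object Precedence | Select-Object -First 1
$block = $report | Where-Object { $_.CloudFiltered -eq 'True'  } | Sort-Object Precedence | Select-Object -First 1
if ($allow -and $block -and $allow.Precedence -gt $block.Precedence) {
    Write-Warning ("'{0}' (precedence {1}) loses to catch-all '{2}' (precedence {3})." -f
        $allow.Name, $allow.Precedence, $block.Name, $block.Precedence)
}
```

Also confirm that the value in extensionAttribute1 on a test user matches the scope condition exactly, then run a full sync and inspect that user's connector space object to see which rule contributed cloudFiltered.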