sc2111 asked

AAD Connect by attribute issue

We're testing the AD Connect filtering before using it in the production environment.

The goal is simple: filtering by a user's attribute setting, so we followed this article
https://social.technet.microsoft.com/wiki/contents/articles/54333.azure-ad-connect-customize-sync-options.aspx

Using CASE3

So we created a catch-all rule that blocks all users from being synced and a rule with higher priority that should sync only users with a specific attribute set.

However, it simply doesn't work; the rule that gets applied is the catch-all.

I double-checked the rule that should enable the sync of some users and it looks correct, but I cannot find why it is not working.

Thanks

Tags: azure-active-directory, azure-ad-connect

@sc2111

I wanted to check if you have any further questions regarding this query?

If the issue is resolved, please "Accept the answer" if the provided information helped you. This will help us and others in the community as well.

1 Answer

sandeg-MSFT answered

@sc2111


Thank you for reaching out to us. As I understand, you have implemented "Use case 3" from the TechNet Wiki article "Azure AD Connect: Customize Sync Options".

As per the article, you have created 2 different custom rules in AD Connect. One rule is to block all users from syncing to Azure AD, and one rule is to sync only a few users with a specific value in a specific attribute.

I configured the same in my lab and it works as expected. To take this further, we will have to check the rule with higher priority.
You can export the rule by selecting the rule and clicking on Export.

[screenshot omitted]

The rule should look something like below:

```powershell
# Create the inbound rule. Precedence 89 is a lower number than the
# catch-all rule, so this rule is evaluated first for objects in its scope.
New-ADSyncRule `
    -Name 'Selected User Sync' `
    -Identifier 'e80fa9f6-5931-43ed-9b4d-b814180dfe26' `
    -Description 'Selected User Sync' `
    -Direction 'Inbound' `
    -Precedence 89 `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector 'e4212bf2-c549-4145-91c9-e719a705019e' `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag $null `
    -OutVariable syncRule

# Constant flow: users in scope get cloudFiltered = False, i.e. they are synced.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @('False') `
    -Destination 'cloudFiltered' `
    -FlowType 'Constant' `
    -ValueMergeType 'Update' `
    -OutVariable syncRule

# Scope: only users whose extensionAttribute1 equals 'sync'.
New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'extensionAttribute1','sync','EQUAL' `
    -OutVariable condition0

Add-ADSyncScopeConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition0[0]) `
    -OutVariable syncRule

# Save the rule, then read it back to confirm it was stored.
Add-ADSyncRule -SynchronizationRule $syncRule[0]

Get-ADSyncRule -Identifier 'e80fa9f6-5931-43ed-9b4d-b814180dfe26'
```

You can compare the rule and let me know so I can confirm whether it is configured correctly.
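A quicker check than comparing exported rule text by hand is to list every inbound rule that writes cloudFiltered, in evaluation order, with its scope conditions, since the rule with the lowest precedence number wins and the scope value must match the attribute exactly. This is an added diagnostic script, not code from the original answer; it assumes the ADSync module is present on the Azure AD Connect server, that Get-ADSyncRule objects expose Precedence, Disabled, ScopeFilter and AttributeFlowMappings, and that the selective rule is named 'Selected User Sync' as in the answer.

```powershell
# Added diagnostic (not from the original answer). Assumes the ADSync module and
# the Get-ADSyncRule property names noted in the lead-in.
Import-Module ADSync

# Inbound rules that set cloudFiltered: the catch-all and the selective rule.
$filterRules = Get-ADSyncRule |
    Where-Object {
        $_.Direction -eq 'Inbound' -and
        ($_.AttributeFlowMappings | Where-Object { $_.Destination -eq 'cloudFiltered' })
    } |
    Sort-Object Precedence   # lowest number = highest priority, evaluated first

foreach ($rule in $filterRules) {
    $flows = $rule.AttributeFlowMappings | Where-Object { $_.Destination -eq 'cloudFiltered' }
    "[{0}] {1}  Disabled={2}" -f $rule.Precedence, $rule.Name, $rule.Disabled
    foreach ($flow in $flows) {
        "    cloudFiltered <- {0} ({1})" -f ($flow.Source -join ','), $flow.FlowType
    }
    if (-not $rule.ScopeFilter) {
        "    scope: (none) -> applies to every $($rule.SourceObjectType)"
    }
    foreach ($group in $rule.ScopeFilter) {
        foreach ($cond in $group.ScopeConditions) {
            "    scope: {0} {1} '{2}'" -f $cond.Attribute, $cond.ComparisonOperator, $cond.ComparisonValue
        }
    }
}

# Sanity checks: the selective rule must be enabled and must sort before
# (lower number than) the rule that sets cloudFiltered to True, otherwise the
# catch-all wins and every user is filtered out.
$selective = $filterRules | Where-Object { $_.Name -eq 'Selected User Sync' } | Select-Object -First 1
$catchAll  = $filterRules | Where-Object {
    ($_.AttributeFlowMappings | Where-Object { $_.Destination -eq 'cloudFiltered' -and $_.Source -contains 'True' })
} | Select-Object -First 1

if (-not $selective) { Write-Warning "No rule named 'Selected User Sync' writes cloudFiltered." }
elseif ($selective.Disabled) { Write-Warning "'Selected User Sync' is disabled." }
elseif ($catchAll -and $selective.Precedence -ge $catchAll.Precedence) {
    Write-Warning ("'Selected User Sync' ({0}) must have a lower precedence number than '{1}' ({2})." -f
        $selective.Precedence, $catchAll.Name, $catchAll.Precedence)
}
```

Run it in an elevated PowerShell session on the sync server; if the ordering and scope look right, a preview of a test user in Synchronization Service Manager shows which rule actually fired.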


