0 Votes
sc2111 asked

AD Connect Attribute Filtering

I'm trying to configure AD Connect Attribute filtering as per the following Article.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering?msclkid=cf6842aed07b11ecbd50beed41b05e54#attribute-based-filtering

I'm using the "positive filtering", but it does not seem to be working at all.
I've created a filter rule as in the example using the extendedattribute15 and also tried the attribute "department", but it won't work.
Can anyone help me with that?
Thanks
SC

azure-ad-connect

@sc2111 ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

0 Votes
sikumars answered

Hi @sc2111 ,

Thank you for reaching out.

I believe you may have created two separate sync rules as described in that article: the first sync rule to set 'cloudFiltered' to False for the specific set of users you wanted to synchronise to Azure AD, and the second rule ("In from AD – User Catch-all filter") to set 'cloudFiltered' to True for all users. Also, the second rule's precedence has a higher value than the first rule's, i.e., if you configured the first sync rule with 50, the second rule is configured with any value greater than 50, for example 51.

Furthermore, I would like you to perform the following steps on the Azure AD Connect server, which will help us isolate the problem.


1) Check to see if you can find a user object using metaverse search from Azure AD Connect. If you cannot locate the user object, proceed to step 2. If you are able to locate the user, ensure that the user object has the 'cloudFiltered' attribute populated and the value set to 'False', indicating that a sync rule you created was taking effect.

201795-image.png

If you don't see the cloudFiltered attribute for the user object, there may be a problem with the newly created sync rule. It is, however, worthwhile to run a full sync on the Azure AD Connect server using the cmdlet 'Start-ADSyncSyncCycle -PolicyType Initial'.

2) If you've configured domain or OU level filtering, make sure the user object is included and hit Sync. Scope

Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-attribute-not-syncing

Kindly update me on the outcome so that I can better assist you with this case.



0 Votes
sc2111 answered

Hello @sikumars-msft

"I believe you may have created two separate sync rules as described in that article: the first sync rule to set 'cloudFiltered' to False for the specific set of users you wanted to synchronise to Azure AD, and the second rule ("In from AD – User Catch-all filter") to set 'cloudFiltered' to True for all users. Also, the second rule's precedence has a higher value than the first rule's, i.e., if you configured the first sync rule with 50, the second rule is configured with any value greater than 50, for example 51."

You're right, I've created the first rule to filter by the attribute (precedence 50) and the second rule as a catch-all rule (precedence 90), then I disabled the default rule (precedence 100).
207572-image.png


The filter for the rule is as follows
207560-image.png

The metaverse search for the "test" users reported them
207526-image.png

The user that should sync is as follows
207515-image.png

The user that should be filtered out is as follows
207546-image.png

Thanks



1 Vote
sc2111 answered

Hello @sikumars-msft
I think that in answering your question I found my mistake.
I thought that by creating the two filter rules I needed to disable the default one, but I was obviously wrong.
After enabling it again, all is working as expected now.
Thanks for your input anyway.
Best regards
Stefano
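
A way to check the rule state discussed in this thread from PowerShell, as an added example that is not part of any post above: it lists the inbound user sync rules in precedence order, shows which ones flow cloudFiltered, and flags default rules that have been disabled. It assumes the ADSync module installed with Azure AD Connect and the property names of its Get-ADSyncRule output.

```powershell
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

# Inbound rules for user objects, sorted so the winning rule
# (lowest precedence value) comes first.
$rules = Get-ADSyncRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.SourceObjectType -eq 'user' } |
    Sort-Object Precedence

$report = foreach ($rule in $rules) {
    # Attribute flows in this rule that write the metaverse attribute cloudFiltered.
    $flows = @($rule.AttributeFlowMappings |
        Where-Object { $_.Destination -eq 'cloudFiltered' })

    # Constant flows carry the value in Source, expression flows in Expression.
    $flowText = ($flows | ForEach-Object {
        "$($_.FlowType): $($_.Source -join ',')$($_.Expression)"
    }) -join '; '

    [pscustomobject]@{
        Precedence    = $rule.Precedence
        Name          = $rule.Name
        Disabled      = $rule.Disabled
        StandardRule  = $rule.IsStandardRule
        CloudFiltered = $flowText
    }
}

$report | Format-Table -AutoSize

# The mistake found in this thread: a default (out-of-box) rule had been disabled.
$disabledDefaults = @($report | Where-Object { $_.Disabled -and $_.StandardRule })
if ($disabledDefaults.Count -gt 0) {
    Write-Warning ("Disabled default rules: " + ($disabledDefaults.Name -join ', '))
}

# After re-enabling or editing rules, a full cycle re-evaluates every object:
# Start-ADSyncSyncCycle -PolicyType Initial
```

In the setup described above, the two custom rules (precedence 50 and 90) should appear above the default rules with a cloudFiltered flow each, and no default rule should be listed in the warning.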
