Configure scoped synchronization from Azure AD to Azure Active Directory Domain Services using the Azure portal

To provide authentication services, Azure Active Directory Domain Services (Azure AD DS) synchronizes users and groups from Azure AD. In a hybrid environment, users and groups from an on-premises Active Directory Domain Services (AD DS) environment can be first synchronized to Azure AD using Azure AD Connect, and then synchronized to an Azure AD DS managed domain.

By default, all users and groups from an Azure AD directory are synchronized to a managed domain. If you have specific needs, you can instead choose to synchronize only a defined set of users.

This article shows you how to configure scoped synchronization and then change or disable the set of scoped users using the Azure portal. You can also complete these steps using PowerShell.

Before you begin

To complete this article, you need the following resources and privileges:

Scoped synchronization overview

By default, all users and groups from an Azure AD directory are synchronized to a managed domain. If only a few users need to access the managed domain, you can synchronize only those user accounts. This scoped synchronization is group-based: when you configure it, only the user accounts that are members of the groups you specify are synchronized to the managed domain. Only the specific groups you select are synchronized; groups nested within them aren't.

You can set the synchronization scope when you create the managed domain or after it's deployed. Changing the scope on an existing managed domain doesn't require you to recreate it.

To learn more about the synchronization process, see Understand synchronization in Azure AD Domain Services.

Warning

Changing the scope of synchronization causes the managed domain to resynchronize all data. The following considerations apply:

  • When you change the synchronization scope for a managed domain, a full resynchronization occurs.
  • Objects that are no longer required in the managed domain are deleted. New objects are created in the managed domain.
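The two rules above (only direct members of the selected groups are synchronized, and a scope change triggers a full resynchronization that deletes objects no longer in scope) decide which accounts exist in the managed domain. The following Python model is an added example, not Microsoft's code or the service's real implementation: it uses a constructed directory (group and user names are invented) to preview, before you select Save synchronization scope, which users a scope would synchronize, which nested groups would be silently ignored, and which objects a change from the current scope would create or delete. It treats a synchronization type of All as every user in the tenant, which is how this page describes the default.

```python
"""Model of Azure AD DS group-based scoped synchronization (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    kind: str  # "user" or "group"
    id: str


# Constructed tenant data: every user object in the Azure AD directory.
# "erin" belongs to no group and only exists in the managed domain under type All.
TENANT_USERS = {"alice", "bob", "carol", "dave", "erin"}

# Constructed group membership: group id -> direct members (users or groups).
DIRECTORY = {
    "grp-finance": [
        Member("user", "alice"),
        Member("user", "bob"),
        Member("group", "grp-finance-contractors"),  # nested group
    ],
    "grp-finance-contractors": [Member("user", "carol")],
    "grp-it": [Member("user", "dave"), Member("user", "alice")],
}


def synced_users(directory, scoped_groups):
    """Users a scoped sync selects: direct user members of the chosen groups only.

    Nested groups are deliberately not expanded, matching the documented
    behaviour that only the specific groups you select are synchronized.
    """
    users = set()
    for group in scoped_groups:
        for member in directory.get(group, []):
            if member.kind == "user":
                users.add(member.id)
    return users


def ignored_nested_groups(directory, scoped_groups):
    """Groups nested inside the scope that are not themselves selected.

    Their members will not reach the managed domain unless the group is added
    to the scope explicitly; surfacing them avoids a common 'missing user' surprise.
    """
    nested = set()
    for group in scoped_groups:
        for member in directory.get(group, []):
            if member.kind == "group" and member.id not in scoped_groups:
                nested.add(member.id)
    return nested


def preview_scope_change(directory, tenant_users, current_scope, new_scope):
    """Preview a scope change before saving it.

    A scope of None means synchronization type All (every tenant user).
    Returns which user objects the resynchronization would create, delete, or keep.
    """
    before = set(tenant_users) if current_scope is None else synced_users(directory, current_scope)
    after = set(tenant_users) if new_scope is None else synced_users(directory, new_scope)
    return {
        "created": after - before,
        "deleted": before - after,  # objects no longer required are removed on resync
        "kept": before & after,
    }


if __name__ == "__main__":
    scope = {"grp-finance"}
    print("synced:", sorted(synced_users(DIRECTORY, scope)))
    print("nested groups ignored:", sorted(ignored_nested_groups(DIRECTORY, scope)))
    change = preview_scope_change(DIRECTORY, TENANT_USERS, None, scope)
    print("switching All -> Scoped would delete:", sorted(change["deleted"]))
```

Running the preview against a proposed scope before saving it is the practical check: the deleted set tells you which accounts will disappear from the managed domain (and which domain-joined resources may lose access) during the resynchronization, and the ignored nested groups tell you whether you need to add a group explicitly rather than rely on nesting.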

Enable scoped synchronization

To enable scoped synchronization in the Azure portal, complete the following steps:

  1. In the Azure portal, search for and select Azure AD Domain Services. Choose your managed domain, such as aaddscontoso.com.
  2. Select Synchronization from the menu on the left-hand side.
  3. For the Synchronization type, select Scoped.
  4. Choose Select groups, then search for and choose the groups to add.
  5. When all changes are made, select Save synchronization scope.

Changing the scope of synchronization causes the managed domain to resynchronize all data. Objects that are no longer required in the managed domain are deleted, and resynchronization may take some time to complete.

Modify scoped synchronization

To modify the list of groups whose users should be synchronized to the managed domain, complete the following steps:

  1. In the Azure portal, search for and select Azure AD Domain Services. Choose your managed domain, such as aaddscontoso.com.
  2. Select Synchronization from the menu on the left-hand side.
  3. To add a group, choose + Select groups at the top, then choose the groups to add.
  4. To remove a group from the synchronization scope, select it from the list of currently synchronized groups and choose Remove groups.
  5. When all changes are made, select Save synchronization scope.

Changing the scope of synchronization causes the managed domain to resynchronize all data. Objects that are no longer required in the managed domain are deleted, and resynchronization may take some time to complete.

Disable scoped synchronization

To disable group-based scoped synchronization for a managed domain, complete the following steps:

  1. In the Azure portal, search for and select Azure AD Domain Services. Choose your managed domain, such as aaddscontoso.com.
  2. Select Synchronization from the menu on the left-hand side.
  3. Change the Synchronization type from Scoped to All, then select Save synchronization scope.

Changing the scope of synchronization causes the managed domain to resynchronize all data. Objects that are no longer required in the managed domain are deleted, and resynchronization may take some time to complete.

Next steps

To learn more about the synchronization process, see Understand synchronization in Azure AD Domain Services.