MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Office 365 DirSync Filtering

How many of you knew that we never had an option to partially sync your AD infrastructure to the Microsoft cloud using DirSync tool? Until now, one of the problems of DirSync was that it would sync your entire AD to Office 365. This means that if you had 10,000 AD users and only wanted 500 in Office 365, you would have all 10,000 users listed in Office 365… There were a couple of methods of excluding certain objects, but none supported by Microsoft. With the latest release it is now possible to set a filter and sync your Active Directory using Microsoft Directory synchronization tool.

Introduction

If you subscribe to Microsoft Office 365 (with the exception of the Small Business Plan) and your company already has users in a local Active Directory [AD] environment, you can use the Microsoft Online Services Directory Synchronization [DirSync] tool to synchronize those users to your Office 365 directory.

By using DirSync, you can keep your local AD in constant synchronization with Office 365 so that any changes made to users such as contact updates for example, are propagated to Office 365.

This allows you not only to create synchronized versions of each user account and group, but also allows Global Address List [GAL] synchronization from your local Exchange environment to Exchange Online.

Synchronization

Until now, one of the problems of DirSync was that it would sync your entire AD to Office 365. This means that if you had 10,000 AD users and only wanted 500 in Office 365, you would have all 10,000 users listed in Office 365… There were a couple of methods of excluding certain objects, but none supported by Microsoft.

DirSync Filtering has been possible for early Office 365 for Education customers but now it is available to all customers, allowing you to easily exclude Organizational Units [OUs], for example, from being synchronized. Let’s have a look.

DirSync is simply a pre-configured Microsoft Identity Integration Server [MIIS] installation specific for Office 365 integration. What some administrators don’t know is that MIIS can be customized by using the MIIS Client located at:

  • 32-bit: %SystemDrive%\Program Files\Microsoft Online Directory Sync\SYNCBUS\UIShell
  • 64-bit: %SystemDrive%\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell

WARNING: Before we proceed, please be very careful when using MIIS Client as it can cause harm to your office 365 environment if not used properly!

Filtering

At the time of writing of this post, there are 3 filtering options that can be applied to DirSync:

  1. Organizational Units based, which allows you to select which OUs are to be synced to the cloud;
  2. Domain based, allowing you to select which domains are synchronized to the cloud;
  3. User attribute based, enabling you to control which objects shouldn’t be synchronized to the cloud based on their AD attributes.

NOTE: If you have already run DirSync and synced all your AD into Office 365, the objects that you now filter will no longer be synchronized and will be deleted from the cloud! If you excluded, and subsequently deleted objects because of a filtering error, you can easily re-create them in the cloud by removing the filter and then syncing the directories again.

Organizational Units Based Filtering

  1. Log on to the computer that is running DirSync by using an account that is a member of the MIISAdmins local group;
  2. Open MIIS by running miisclient.exe;
  3. In Synchronization Service Manager, click Management Agents and then double-click SourceAD;


  4. Click Configure Directory Partitions and then click Containers;


  5. When prompted, enter domain credentials for your on-premises domain and then click OK;


  6. In the Select Containers dialog box, clear the OUs that you don’t want to sync;

  7. If you click in Advanced… you will be able to further control which OUs to include and exclude;

  8. Click OK three times;
  9. On the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync and then click OK to perform a full sync;

  10. Once finished, you can check the results at the bottom left corner of the window.


Domain Based Filtering

  1. Log on to the computer that is running DirSync by using an account that is a member of the MIISAdmins local group;
  2. Open MIIS by running miisclient.exe;
  3. In Synchronization Service Manager, click Management Agents and then double-click SourceAD;


  4. Click Configure Directory Partitions and then select the domains that you want to synchronize. Because in my environment there is only one domain, I only get one domain listed. To exclude a domain simply clear its check box;


  5. Click OK;
  6. On the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync and then click OK to perform a full sync;

  7. Once finished, you can check the results at the bottom left corner of the window.

User Attribute Based Filtering

As the name suggests, this third option can only be applied to user objects. It is possible to filter contacts and groups, but these use other and more complex filtering rules.

To exclude users from filtering, we can utilize around 114 AD attributes. For example, you can set extensionAttribute10 to “noOffice365” for all the users you don’t want to sync and then create a filter rule to exclude these from synchronization. After you configure in AD the attribute you want to look, here’s how you configure MIIS:

  1. Log on to the computer that is running DirSync by using an account that is a member of the MIISAdmins local group;
  2. Open MIIS by running miisclient.exe;
  3. In Synchronization Service Manager, click Management Agents and then double-click SourceAD;


  4. Click Configure Connector Filter;

  5. Select user in the Data Source Object Type column. In here you can see some examples of accounts being excluded already such as Exchange System mailboxes or the MSOL_AD_Sync account used by DirSync;

  6. Click New;
  7. In Filter for user, on the Data Source attribute, select extensionAttribute10. For Operator select Equals and then type noOffice365in the Value field. Click Add Condition and then click OK;

  8. Click OK again;
  9. On the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync and then click OK to perform a full sync;

  10. Once finished, you can check the results at the bottom left corner of the window.

Nuno Mota
Microsoft MVP – Exchange server
Team @MSExchangeGuru

keywords: using Office 365 dirsync tool, office 365 dirsync tool, dirsync tool

33 Responses to “Office 365 DirSync Filtering”

  1. Shyam Madeti Says:

    Excellent & Thanks you…

  2. Nuno Mota Says:

    Thank you Shyam! Hope it is useful!

  3. Chandra Sekhar Says:

    Good article…

  4. Nuno Mota Says:

    Thanks Chandra!

  5. Arun Velusamy Says:

    Excellent article Nuno! Was searching for the OU based sync but didnt get anything good. This explains everything step by step!!

  6. Nivi Says:

    Thank you. This helped

  7. Radhakanth Says:

    “”any changes made to users such as passwords or contact updates for example, are propagated to Office 365″”…You mean the possibility to sync passwords exists in DirSync?..Bit confused..please clarify

  8. Nuno Mota Says:

    Hi Radhakanth,
    My sincere apologies for this, that phrase is wrong… Passwords are NOT sync’ed to Office 365 through DirSync!
    I will get this changed as soon as possible.
    Regards, Nuno

  9. Tpull Says:

    We’ve had our dirsync server set up before Microsoft officially supported choosing which directory partitions you want synced. Does the decision to support it come with a dirsync tool update or can we simply configure the management agent as shown above with our current version?

  10. Angel Flores Says:

    Hello, Thank you for the pos.
    Can you help Me?
    Currently licensed users have accounts in Office 365 Exchange, these users were created manually and not synchronized with Dirsync, we need to activate the synchronization service but I am looking for information on whether you can make a Merge or unification between the object created locally in AD and the user of the cloud?

    Thanks for your time.

    Regards.

  11. Dragos Says:

    good article.. just running a full sync with the steps suggested here

  12. Pavel Garmashov Says:

    Domain filtering doesn’t work that way. All you get is failed sync with “missing-partition-for-run-step” error in log.
    Tried on several tenants/forests…

    Only suggestion is create empty OUs in domains you don’t want to sync and select only those in container-based filter.

  13. matt smith Says:

    Very useful. Thank you for taking the time to publish this and do screen shots. The original “unsupported” solution was to use permissions to exclude the dirsync (FIM) service account from specific OUs, but this is a big step forward.

    I hope you will also address password management (reset) and DL management in FIM. Looking forward to your next post.
    Matt

  14. Windows Intune: Selective Active Directory Synchronization | System Management Says:

    […] colleague Mark Blok pointed me to an interesting blog post from MSExchangeGuru.com how to configure select Active Directory synchronization for Office 365. Until now, one of the […]

  15. Mark Says:

    Now that Miisclient has moved to C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell it no longer seems to work. It says ‘unable to connect to the synchronisation service’. I used to use this with ILM for Live@Edu sync but have replaced it with the latest version for Office 365. However, I would like to setup the filtering again.

  16. Radhakanth Says:

    The password SYNC feature as part of O365 DirSync tool is available now. check this out for further details http://technet.microsoft.com/en-us/library/dn246918.aspx

  17. Josh Maher Says:

    The official guidance is posted here:

    http://technet.microsoft.com/en-us/library/jj710171.aspx

  18. Darrell Webster Says:

    Thank you Pavel Garmashov.
    We have a Domain forest with a number of child domains. I wanted to sync users in only one child domain.
    I was seeing the same “missing-partition-for-run-step” error in log.

    I created an empty OU in each domain and selected to sync it, as you suggested. The result was successful syncing. Each domain syncs and the empty OU’s get the other domains to pass a sync too.
    Thanks again.

  19. James Says:

    I’m just curious about filtering.

    From what I can tell from being in the DirSync config at the moment, the connector filter is to EXclude, which would be something along the lines of – do not sync is extensionAttribute11 DOES NOT = ‘YES’.

    What I am aiming for is an INclude into my DirSync filter – essentially – sync only if extensionAttribute11 = ‘YES’.

    I recognise these are more-or-less the, same, which is why I said I’m ‘curious’.

    Also – can anyone say, with the above being set as an EXclude – if I remove the attribute value for a user – will DirSync remove it?

    Thanks in advance!

  20. Tips Says:

    Excellent article and very useful for me.

  21. Office 365 - syncing certain OU's Says:

    […] […]

  22. Joe Sutherland Says:

    Don’t create junk/empty OUs. “If you have removed some domains from the sync by unticking some partitions per these instructions you will then need to remove the corresponding steps from each Run Profile for the MA. Click ‘Configure Run Profiles’ on the SourceAD MA, then go through each looking for Steps where the Partition is shown as a GUID rather than an LDAP path – remove those. You should be left with one step for each domain you are connecting to.” from http://community.office365.com/en-us/forums/613/t/103091.aspx similar comment is made on the official guidance for dirsync filtering technet page: http://technet.microsoft.com/en-us/library/jj710171.aspx

  23. mubarra Says:

    really useful for me. nice article

  24. 70-346 347 Exam Links – Office 365 | Jerry Yasir SharePoint Blog Says:

    […] Office 365 DirSync Filteringhttps://msexchangeguru.com/2012/08/10/office-365-2/ […]

  25. venkataramana Says:

    very good

  26. How To Fix Office 365 Dirsync Error in Windows Says:

    […] Office 365 DirSync Filtering « MSExchangeGuru.com – DirSync Filtering has been possible for early Office 365 for Education customers but now it is available to all customers, allowing you to easily exclude …… […]

  27. Frank Says:

    Great article.. However is it normal that after activating dirsync that a lot of attributes can only be managed via local AD?? for example alias addresses can only be added via EMC or EMS in the local environment! For Hybrid no problem but decommissioning the OnPremise Exchange would be not possible! Any suggestions? Thank you

  28. Nuno Mota Says:

    Hi Frank.
    That is indeed the case. When you activate DirSync/AADSync, the source of authority becomes your local AD, meaning any change needs to be made on-premises. This is why it is recommended to always leave at least one Hybrid server behind after decommissioning your on-prem Exchange environment so you can manage Exchange attributes.

    Best regards, Nuno

  29. Can you exclude an OU in 365 Dirsync Says:

    […] – Filtering OUs to Synchronize to Office 365 | Office 365 Technical Support Blog Office 365 DirSync Filtering « MSExchangeGuru.com […]

  30. Dematri Says:

    HI Nuno,

    Questions:
    a) can we have 2 filtering (OU & user attributes) for an AD running in a forest with one domain name?
    b) what is the best way to design the OU structure for an org?

  31. Nuno Mota Says:

    Hi Dematri,

    a) yes, absolutely! I have worked with several organizations that wanted to do that, especially during the migration phase.
    b) it will depend from organization to organization to be honest… If you have offices in different cities/countries, you can create top OUs per city/country and then OUs for users/servers/etc for each city/country. Have a look at https://technet.microsoft.com/en-gb/magazine/2008.05.oudesign.aspx it will definitely help you!

    Regards,
    Nuno

  32. Dan Says:

    Once i have made the changes and synced Active Directory Connector, do i just wait for the users to delete from Office 365 or can i run a full sync on azure directory too?

    Thanks

  33. Anthony Says:

    Very informative and useful for various scenarios. Keep up the good work!!!

Leave a Reply

Categories

Archives

MSExchangeGuru.com