AADConnect Undocumented Filters


From time to time, you may find that you need to selectively filter out users going to Office 365.  The easiest way to do it is with a scoping filter.  We do have some documents on setting the cloudFiltered attribute in the metaverse to True, but that requires creating new rules.  And, if you’re in an environment with tight change control, you might not be able to do it.  Also, if you have an environment with tens (or hundreds) of thousands of objects, creating a rule requires a full import/sync/export cycle, so definitely not something to be taken lightly.

And this is where your favorite Undocumented Features blog comes in handy.

If you’ll notice carefully, Inbound Synchronization Rules 100 (In from AD – User Join), 104 (In from AD – User Common from Exchange), 106 (In from AD – User Common), 110 (In from AD – Group Join), 111 (In from AD – Group Exchange), and 112 (In from AD – Group Common) all have a built-in scoping filter.


In the case of the user rules:

adminDescription NOTSTARTSWITH User_

and for groups (wait for it…):

adminDescription NOTSTARTSWITH Group_

That’s right. You can crack open ADUC (be sure to flip on Advanced Features before you navigate anywhere, since that’s something we haven’t taken the time to fix in the last 17 years), find a user (well, really navigate to them in the tree, because that is something ELSE we haven’t taken time to fix in the last 17 years), and add User_whatever to the adminDescription attribute.  Or Group_whatever for a group.  I’m sure you could have figured that out.

And the object will be filtered out on the next sync cycle.
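The same thing from PowerShell, as an added example that is not part of the original post: it audits which objects the built-in scoping filters already exclude, tags one user and one group, verifies the write, and kicks off a delta cycle instead of waiting for the scheduler. It assumes the RSAT ActiveDirectory module and the ADSync module that ships with AAD Connect; the identities (jdoe, Contractors-US) and the suffixes after the prefixes are placeholders.

```powershell
# Added example, not from the original post. Uses the built-in adminDescription
# scoping filter (User_* / Group_*) from PowerShell instead of ADUC.
# Assumes: RSAT ActiveDirectory module, ADSync module on the AAD Connect server.
# 'jdoe' and 'Contractors-US' are placeholder identities.
Import-Module ActiveDirectory

# 1. Audit: which objects are already out of scope because of these filters?
#    The rules test the prefix only, so match the prefix, not a specific value.
$excludedUsers  = Get-ADUser  -LDAPFilter '(adminDescription=User_*)'  -Properties adminDescription
$excludedGroups = Get-ADGroup -LDAPFilter '(adminDescription=Group_*)' -Properties adminDescription
@($excludedUsers) + @($excludedGroups) |
    Select-Object Name, ObjectClass, DistinguishedName, adminDescription |
    Format-Table -AutoSize

# 2. Check the attribute is not already used for something else before overwriting it.
(Get-ADUser  -Identity 'jdoe'           -Properties adminDescription).adminDescription
(Get-ADGroup -Identity 'Contractors-US' -Properties adminDescription).adminDescription

# 3. Tag one user and one group. -Replace overwrites an existing value instead of
#    erroring; the text after the prefix is free-form and only the prefix matters.
Set-ADUser  -Identity 'jdoe'           -Replace @{ adminDescription = 'User_NoCloudSync' }
Set-ADGroup -Identity 'Contractors-US' -Replace @{ adminDescription = 'Group_NoCloudSync' }

# 4. Verify the write landed before asking AAD Connect to pick it up.
(Get-ADUser -Identity 'jdoe' -Properties adminDescription).adminDescription

# 5. Run a delta cycle now rather than waiting for the scheduled one.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

# To bring an object back into scope, clear the attribute and run another delta cycle:
# Set-ADUser -Identity 'jdoe' -Clear adminDescription
```

Two things to keep in mind before tagging objects in bulk: an object that drops out of scope is deleted from Azure AD on the next export (users land in the cloud recycle bin, groups do not), and if more than the export deletion threshold worth of objects drop out in one cycle (500 by default) the export stops until you confirm or raise the threshold. Because a single attribute write is enough to pull an object out of the cloud, treat write access to adminDescription like any other sync-affecting attribute: know who can set it, and watch for unexpected changes to it in Directory Service Changes auditing (event 5136).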


Published by Aaron Guilmette


Reader Comments

1. It’s only present on User and Group provision rules. None of the Join-only rules would need it, since there’d be nothing to join if the object wasn’t going to be projected. In other news though, we don’t have those built-in scoping filters for InetOrgPerson and Contact objects, which I have forwarded over to the product group. 🙂

2. Thanks, and here’s a workaround for “Advanced Features” when you search for users/groups: create a saved search, which will have these “advanced” features :) and you can search for whatever you want in AD (just modify the name or whatever you’re searching for).
