Azure AD Connect attribute filtering out groups

    Question

  • Hi

    I am trying to exclude from synchronizing to the cloud the groups whose "displayname" attribute is empty.

    I tried to make a rule in the Synchronization Rule Editor, by creating an Inbound rule.

    The goal is to synchronize some groups where users are organized by departments, but not all the security groups which we use for file shares.

    In Synchronization Manager under Connectors I ran a validation Full synchronization, and I see that under Outbound Synchronization to Azure, the Export Attribute flow shows all groups even if they do not have a DisplayName property.
    • Edited by Kaspars_ Wednesday, April 26, 2017 12:20 PM edited pictures
    Wednesday, April 26, 2017 11:48 AM

Answers

  • You have made the rule backwards, which is why it is not working as expected. If you set "cloudFiltered" to true, then it will not be synchronized. If that attribute is null or false, then it will be synchronized to Azure AD. The default behavior is to have this attribute set to null, which will synchronize all groups.

    In your case, change the rules to...

    Scope:
      displayName ISNULL
    Transformation:
      cloudFiltered <- True

    This rule says that "all groups with no displayname should not be synced with Azure AD". The out-of-box rule will synchronize all other groups (those with a displayName).

    • Proposed as answer by Andreas Kjellman Wednesday, May 3, 2017 9:57 AM
    • Marked as answer by Kaspars_ Monday, May 8, 2017 5:17 AM
    Wednesday, May 3, 2017 9:57 AM
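
A preview of what the rule in the answer above does, as an added example that is not part of the original thread or of Azure AD Connect itself: it applies the same scope (displayName ISNULL) and transformation (cloudFiltered <- True) to a list of group objects and reports which ones would stay out of Azure AD. The function name `Get-CloudFilterPreview` and the sample group names are hypothetical; the sample groups are constructed.

```powershell
# Added example: models the inbound rule from the answer, it does not touch the sync engine.
function Get-CloudFilterPreview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        # Scope: displayName ISNULL (the attribute is absent on the AD object).
        $inScope = [string]::IsNullOrEmpty([string]$Group.DisplayName)

        # Transformation: cloudFiltered <- True, applied only to in-scope groups.
        # Groups outside the scope keep cloudFiltered at its default, null.
        $cloudFiltered = if ($inScope) { $true } else { $null }

        [pscustomobject]@{
            Name          = $Group.Name
            DisplayName   = $Group.DisplayName
            CloudFiltered = $cloudFiltered
            # null or false => synchronized; true => not synchronized
            SyncedToAzure = ($cloudFiltered -ne $true)
        }
    }
}

# Constructed sample: two department groups and two file-share security groups.
$sampleGroups = @(
    [pscustomobject]@{ Name = 'Dept-Finance';  DisplayName = 'Finance Department' }
    [pscustomobject]@{ Name = 'Dept-HR';       DisplayName = 'Human Resources' }
    [pscustomobject]@{ Name = 'FS-Share01-RW'; DisplayName = $null }
    [pscustomobject]@{ Name = 'FS-Share02-RO'; DisplayName = $null }
)

$sampleGroups | Get-CloudFilterPreview | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module), list the groups
# the rule would keep out of Azure AD before running a Full synchronization:
# Get-ADGroup -Filter * -Properties DisplayName |
#     Get-CloudFilterPreview |
#     Where-Object { -not $_.SyncedToAzure }
```

Because the filter keys on displayName alone, a file-share group that is later given a display name falls out of the rule's scope and is picked up by the out-of-box rule on the next synchronization.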
