Forum Discussion

Deleted
Jan 10, 2020

Azure AD Connect: Filtering out local AD users not working

Hello,

we have users in local AD that could be absent for a while and we have to disable their local AD accounts for compliance reasons.

Now, due to an active Azure AD sync this will also delete their account in Azure AD / Office 365. I found a neat guide on how to exclude users from the AD -> AAD sync by setting a value in a free extensionAttribute and configuring a synchronization rule to set the property "cloudFiltered" to true.

This is all explained in this guide: https://www.checkyourlogs.net/?p=66483

However, when testing it, as soon as I set the extension attribute and perform a delta import and delta sync on the AD connector in the AAD Synchronization Service, it will attempt to completely delete the person's cloud object. I found out that this is because the "ms-DS-ConsistencyGUID"'s value is removed. I can't figure out why that synchronization rule causes this to occur. I verified that it must be this rule, since I can change any other attribute of the person object and it will update properly. Only when I populate the extensionAttribute configured in the sync rule will the removal of the "ms-DS-ConsistencyGUID"'s value be triggered.

Any ideas?

Thanks.
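A diagnostic an admin can run on the Azure AD Connect server before and after the delta sync to pin down which rule writes the anchor. This is an added example, not from the thread or the linked guide; it assumes the ADSync and ActiveDirectory modules are available, a constructed sample account `jdoe`, and that the filter attribute is `extensionAttribute15` (substitute the attribute your rule scopes on).

```powershell
# Added example (not the thread's or the guide's code). Assumes the ADSync and
# ActiveDirectory modules are present on the AAD Connect server and that the
# custom filtering rule scopes on extensionAttribute15 (assumption).
Import-Module ADSync
Import-Module ActiveDirectory

$user = 'jdoe'   # constructed sample sAMAccountName

# 1. Snapshot the anchor and the filter attribute before populating the
#    extension attribute. Re-run this after the delta import/sync: if the
#    GUID is gone only after the filter attribute was set, the sync run
#    cleared it, which matches the behaviour described in the post.
$u = Get-ADUser -Identity $user -Properties 'mS-DS-ConsistencyGuid', extensionAttribute15
[pscustomobject]@{
    User            = $u.SamAccountName
    ConsistencyGuid = if ($u.'mS-DS-ConsistencyGuid') {
                          [guid]::new([byte[]]$u.'mS-DS-ConsistencyGuid')
                      } else { '<empty>' }
    FilterAttribute = $u.extensionAttribute15
} | Format-List

# 2. List every sync rule whose attribute flows target the source anchor,
#    the on-premises anchor attribute, or cloudFiltered, in evaluation
#    order (lower Precedence wins). Comparing the custom rule's entry with
#    the default rules shows which rule last writes these attributes.
$watched = 'sourceAnchor', 'sourceAnchorBinary', 'mS-DS-ConsistencyGuid', 'cloudFiltered'
Get-ADSyncRule |
    Sort-Object Precedence |
    ForEach-Object {
        $rule = $_
        $rule.AttributeFlowMappings |
            Where-Object { $watched -contains $_.Destination } |
            ForEach-Object {
                [pscustomobject]@{
                    Precedence  = $rule.Precedence
                    Rule        = $rule.Name
                    Direction   = $rule.Direction
                    Disabled    = $rule.Disabled
                    Destination = $_.Destination
                    Source      = ($_.Source -join ',')
                    Expression  = $_.Expression
                }
            }
    } | Format-Table -AutoSize
```

Run step 1 again after the delta sync and compare; any custom rule appearing above the default anchor rules with a null or empty expression for those destinations is the first thing to check.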


  • Thijs Lecomte
    Bronze Contributor
    Disabling the account won't stop the sync by default.

    Do you also change the OU of the account?
    • Deleted

      Thijs Lecomte Well, no. We simply disable the AD account. And with this sync rule I was hoping that the deletion would not be replicated to AAD, removing the account there, since this will trigger the deletion of the user's OneDrive, which is what we want to avoid when we know that the user will return after a couple of months.

      • Thijs Lecomte
        Bronze Contributor

        Deleted

        The regular AD Connect flow is as follows:

        - Disable account in AD

        - Account gets disabled in AAD, like below:

        If it's disabled, the OneDrive will still exist.

        Only if you delete the account will the account be deleted in Azure AD.

        If the account is deleted in AAD when you disable the account in local AD, there must be some misconfiguration, because that is done by design.
