Forum Discussion
Azure AD Connect: Filtering out local AD users not working
Hello,
we have users in local AD that could be absent for a while and we have to disable their local AD accouns for compliance reasons.
Now, due to an active Azure AD sync this will also delete their account in Azure AD / Office 365. I found a neat guide how to exclude users from the AD -> AAD sync by setting a value in a free extensionAttribute and configuring a synchronization rule to set the property "cloudFiltered" to true.
This is all explained in this guide https://www.checkyourlogs.net/?p=66483
However, when testing it, as soon as I set the extension attribute and perform a delta import, and delta sync on the AD connector in the AAD Synchronization Service it will attempt to completeley delete the persons cloud object. I found out that this is because the "ms-DS-ConsistencyGUID"'s value is removed. I can't figure out why that synchronization rules causes this to occurr. I verified that it must be this rule since I can change any other attribute of the person object and it will update properly. Only when I populate the extensionAttribute configured in the sync rule will the rmoval of the "ms-DS-ConsistencyGUID"'s value be triggered.
Any ideas?
Thanks.
Deleted
The regular AD Connect flow is as follows:
- Disable account in AD
- Account gets disabled in AAD, like below:
If it's disabled, the Onedrive will still exist
Only if you delete the account, will the account be deleted in AzureAD.
If the account is deleted in AAD, when you disable the account in local AD. There must be some misconfiguration because that is done by design.
- Rishabh SrivastavaIron Contributor
Deleted
The purpose of setting "cloudFiltered" to "true", is to disable sync of a particular Object.
This rule that you have customized is creating issues.
On-prem disable account will never get deleted from Azure AD, whereas for disabled accounts on prem, "Block Sign in is set to true"https://www.youtube.com/watch?v=cAWgF5QSWcs&list=PL8wOlV8Hv3o8yJgQ-zd6MQs__0jAYDqZ1
- Deleted
Guys thanks for your help. I spoke to a colleague and unbeknownst to me with the disabling the OU was also changed. Can this be configured so that an OU change does not trigger a DELETION or ADD?
Thanks.
- Thijs LecomteBronze ContributorIt probably means that that OU isn't sync'ed to Azure AD so you should add that in the custom filtering: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#organizational-unitbased-filtering
- Thijs LecomteBronze ContributorDisabling the account won't stop the sync by default.
Do you also change the OU of the account?- Deleted
Thijs Lecomte Well, no. We simply disable the AD account. And with this sync rule I was hoping that the deletion would not be replicated to AAD removing the account there since this will trigger the deletion of the user's OneDrive which is what we want to avoid when we know that the user will return after a couple of months.
- Thijs LecomteBronze Contributor
Deleted
The regular AD Connect flow is as follows:
- Disable account in AD
- Account gets disabled in AAD, like below:
If it's disabled, the Onedrive will still exist
Only if you delete the account, will the account be deleted in AzureAD.
If the account is deleted in AAD, when you disable the account in local AD. There must be some misconfiguration because that is done by design.