Forum Discussion
Azure AD Connect: Filtering out local AD users not working
- Jan 10, 2020
Deleted
The regular AD Connect flow is as follows:
- Disable account in AD
- Account gets disabled in AAD, like below:
If it's disabled, the OneDrive will still exist.
Only if you delete the account will the account be deleted in Azure AD.
If the account is deleted in AAD when you disable the account in local AD, there must be some misconfiguration, because that is done by design.
Deleted
The purpose of setting "cloudFiltered" to "true" is to disable sync of a particular object.
This rule that you have customized is creating issues.
An on-prem disabled account will never get deleted from Azure AD; for accounts disabled on-prem, "Block sign-in" is set to true.
https://www.youtube.com/watch?v=cAWgF5QSWcs&list=PL8wOlV8Hv3o8yJgQ-zd6MQs__0jAYDqZ1
- Anonymous Jan 13, 2020
Guys, thanks for your help. I spoke to a colleague and, unbeknownst to me, with the disabling the OU was also changed. Can this be configured so that an OU change does not trigger a DELETION or ADD?
Thanks.
- Thijs Lecomte Jan 13, 2020 Bronze Contributor
It probably means that that OU isn't sync'ed to Azure AD, so you should add that in the custom filtering: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#organizational-unitbased-filtering
- Anonymous Jan 14, 2020
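Added example, not code from the thread or from Microsoft's Azure AD Connect: a small Python model of the scoping decision the two replies describe (cloudFiltered rule plus OU-based filtering), so you can see why an OU move behaves differently from a plain disable. The DNs, OU names and the `OnPremUser` structure are constructed for illustration; the real sync engine is not consulted.

```python
"""
Constructed model of how an AD Connect export decision falls out of scoping.
Rules, as stated in the thread:
  - disabled on-prem                -> object stays in AAD, accountEnabled = False
  - deleted on-prem                 -> deleted in AAD
  - cloudFiltered = True (custom rule) -> object leaves scope -> deleted in AAD
  - moved to an OU outside the OU filter -> leaves scope -> deleted in AAD
  - moved (back) into a synced OU        -> enters scope  -> added in AAD
This is an illustration only, not the ADSync module or its rule engine.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class OnPremUser:
    dn: str                          # distinguishedName (constructed sample values below)
    enabled: bool                    # False when the ACCOUNTDISABLE bit is set
    cloud_filtered: bool = False     # what a custom rule would write into cloudFiltered


def parent_container(dn: str) -> str:
    """Everything after the first RDN, i.e. the OU/container the object lives in."""
    return dn.split(",", 1)[1]


def in_ou_filter(dn: str, synced_ous: List[str]) -> bool:
    """True if the object's container is a synced OU or lies below one (case-insensitive)."""
    container = parent_container(dn).lower()
    return any(container == ou.lower() or container.endswith("," + ou.lower())
               for ou in synced_ous)


def in_scope(user: Optional[OnPremUser], synced_ous: List[str]) -> bool:
    """An object is in scope only if it exists, passes the OU filter and is not cloudFiltered."""
    return user is not None and in_ou_filter(user.dn, synced_ous) and not user.cloud_filtered


def export_action(before: Optional[OnPremUser], after: Optional[OnPremUser],
                  synced_ous: List[str]) -> dict:
    """Derive the cloud-side action from the change in scope between two on-prem states."""
    was, now = in_scope(before, synced_ous), in_scope(after, synced_ous)
    if was and not now:
        return {"action": "delete"}                       # left scope: deleted, not disabled
    if now and not was:
        return {"action": "add", "accountEnabled": after.enabled}
    if was and now:
        return {"action": "update", "accountEnabled": after.enabled}
    return {"action": "none"}


def thread_scenarios() -> dict:
    """Replay the situations discussed in the thread with constructed sample data."""
    synced_ous = ["OU=Staff,DC=corp,DC=example"]          # constructed OU filter
    alice = OnPremUser("CN=Alice,OU=Staff,DC=corp,DC=example", enabled=True)
    alice_disabled = OnPremUser(alice.dn, enabled=False)
    alice_filtered = OnPremUser(alice.dn, enabled=False, cloud_filtered=True)
    alice_moved = OnPremUser("CN=Alice,OU=Leavers,DC=corp,DC=example", enabled=False)
    return {
        "disable_only": export_action(alice, alice_disabled, synced_ous),
        "delete_on_prem": export_action(alice, None, synced_ous),
        "custom_cloudfiltered_rule": export_action(alice, alice_filtered, synced_ous),
        "disable_and_move_ou": export_action(alice, alice_moved, synced_ous),   # the poster's case
        "move_back_into_synced_ou": export_action(alice_moved, alice_disabled, synced_ous),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:28s} -> {result}")
```

The "disable_and_move_ou" entry is the behaviour the original poster hit: the disable alone would only flip accountEnabled, but the simultaneous move to an OU outside the filter takes the object out of scope, which the engine treats as a deletion. Adding that OU to the OU filter (the reply's suggestion) makes the move an ordinary update instead.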
Thijs Lecomte Got it, thank you!