Forum Discussion
Entra Cloud Sync Not Applying Assigned OU Filters
Hi, Ken.
Filtering (or scoping - it's all the same) can be done at two distinct levels:
- Domain and organisational unit;
- User and device (computers are technically derived from user objects).
You can perform filtering on either, both or neither. What gets synchronised is the sum of both settings - i.e. one does not override the other.
Using my AAD Connect configuration from my partner environment to illustrate, you can see I have filtered synchronisation down to just a couple of organisational units. AAD Connect will not look outside of the selected organisational units.
And here is the user and device filtering, where you can see the "synchronise all users and devices" option (despite the fact I'm not using it). Let's assume I had used the first option, as most people (including yourself) would do.
Putting these two settings together, we can say that AAD Connect will synchronise:
- All users and devices
- From the selected organisational units.
Selecting "all users and devices" does not mean that users and devices from outside the selected organisational units will be synchronised, as they won't.
Cheers,
Lain
- Ken_Shep, Jun 09, 2024, Copper Contributor
Thanks for the clear clarification of this question. And would you say that this also applies to the Entra Cloud Sync version as well? In that setup, you create the filters based on your needs with OUs and/or groups and then when you enable the sync, it will sync all but only those that meet the criteria of the filters?
Ken
- LainRobertson, Jun 09, 2024, Silver Contributor
Yes, organisational unit and group filtering work the same way in Cloud Sync.
Technically, you can achieve more complex attribute-level filtering in AAD Connect (and its bigger brother, Microsoft Identity Manager), but if per organisational unit and/or group filtering are sufficient, Cloud Sync will meet your needs.
Cheers,
Lain
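The scoping rule described in this thread, as an added example that is not part of the original posts and is not Microsoft's implementation: an object is synchronised only if it sits under a selected organisational unit and also passes the user/device filter. The function names, the distinguished names and the pilot group membership are hypothetical, constructed sample data for reviewing scope before enabling sync.

```powershell
# Added illustration: models the OU + user/device scoping rule from the thread.
# Function names and every DN below are constructed sample data.

function Test-DnUnderOu {
    param([string]$Dn, [string]$OuDn)
    # Require a comma boundary so OU=ExStaff is not mistaken for OU=Staff.
    $suffix = ',' + $OuDn.Trim()
    $d = $Dn.Trim()
    if (-not $d.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    # The boundary comma must not be escaped (an odd number of backslashes
    # before it means the comma is part of an RDN value, not a separator).
    $idx = $d.Length - $suffix.Length
    $bs = 0
    for ($i = $idx - 1; $i -ge 0 -and $d[$i] -eq '\'; $i--) { $bs++ }
    return ($bs % 2 -eq 0)
}

function Get-SyncScope {
    param([string[]]$ObjectDn, [string[]]$SelectedOu, [string[]]$PilotGroupMember)
    # Omitting -PilotGroupMember models "synchronise all users and devices".
    $useGroup = $PSBoundParameters.ContainsKey('PilotGroupMember')
    foreach ($dn in $ObjectDn) {
        $inOu = $false
        foreach ($ou in $SelectedOu) {
            if (Test-DnUnderOu $dn $ou) { $inOu = $true; break }
        }
        $passes = (-not $useGroup) -or ($PilotGroupMember -contains $dn)
        [pscustomobject]@{
            DN = $dn; InSelectedOu = $inOu; PassesObjectFilter = $passes
            Synchronised = ($inOu -and $passes)
        }
    }
}

$selected = 'OU=Staff,DC=corp,DC=example', 'OU=Laptops,DC=corp,DC=example'
$objects = @(
    'CN=Ada Okoye,OU=Staff,DC=corp,DC=example'                # in scope
    'CN=Smith\, John,OU=Finance,OU=Staff,DC=corp,DC=example'  # nested OU, escaped comma
    'CN=svc-backup,OU=Service Accounts,DC=corp,DC=example'    # outside selected OUs
    'CN=Temp User,OU=ExStaff,DC=corp,DC=example'              # similar name, different OU
    'CN=x\,OU=Staff,DC=corp,DC=example'                       # comma belongs to the CN value
    'CN=LT-0042,OU=Laptops,DC=corp,DC=example'                # in scope
)

# "All users and devices": only the OU boundary decides.
Get-SyncScope -ObjectDn $objects -SelectedOu $selected | Format-Table -AutoSize
# Pilot group containing an out-of-scope service account: it still does not sync.
$pilot = 'CN=Ada Okoye,OU=Staff,DC=corp,DC=example', 'CN=svc-backup,OU=Service Accounts,DC=corp,DC=example'
Get-SyncScope -ObjectDn $objects -SelectedOu $selected -PilotGroupMember $pilot | Format-Table -AutoSize
```

In the second run only `CN=Ada Okoye` is marked as synchronised: the service account is in the pilot group but outside the selected organisational units, so the group filter does not pull it in.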