Forum Discussion
Entra OU sync vs group filtering
- Jul 10, 2024
Hi, Eric.
There's no categorically right or wrong answer here, but since you've mentioned "testing", I'd recommend using the group filtering option.
You mentioned that AAD Connect is not destructive, and to some extent that is true. But it has to be noted that if through normal Active Directory administration, you scope someone out of synchronisation, they do get soft-deleted by AAD Connect, and under default conditions, that means they will be permanently deleted 30 days after the soft delete.
Once you're ready to exit your test phase, you can readily re-run the configuration wizard (or PowerShell, if you're comfortable with the command line) to no longer use group filtering.
Just make sure your matching of the on-premise identities to the existing Azure AD identities is solid, or you might face some interesting outcomes if they end up mismatching. This is where group filtering can pay off, since it's harder to "accidentally" scope too many people in or out of synchronisation, and high importance identities - such as executives - can remain confidently immune from such accidents while you're testing.
There's nothing complicated about selecting the organisational units. Just select the ones (a tick will be displayed in their checkbox) you wish to make eligible for synchronisation in the tree. Any that you do not select - or later deselect - will not feature in the synchronisation (where deselection post synchronisation leads back to what I mentioned above about falling out of scope, soft- and permanent deletion).
Cheers,
Lain
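As an added example (not code from the thread or from Microsoft), the following PowerShell does the "make sure your matching is solid" check before the switch from group filtering to OU filtering: it works out which users leave scope (and so will be soft-deleted, then permanently deleted after the default 30 days) and which users newly enter scope (and so must soft-match an existing Azure AD identity on UPN or SMTP address, or you get duplicates). The group name `AADC-Sync-Pilot` and the OU distinguished names are hypothetical placeholders; it assumes the ActiveDirectory RSAT module on a domain-joined admin host.

```powershell
# Added example: pre-flight scope comparison before re-running the AAD Connect
# wizard to move from group filtering to OU filtering. Placeholder names below.
Import-Module ActiveDirectory

$FilterGroup = 'AADC-Sync-Pilot'                       # hypothetical filtering group
$TargetOUs   = @(                                      # OUs you intend to tick in the wizard
    'OU=Staff,DC=corp,DC=example',
    'OU=Contractors,DC=corp,DC=example'
)
# Attributes AAD Connect soft-matches on when an object first comes into scope.
$MatchAttrs = 'userPrincipalName', 'mail', 'proxyAddresses'

# Users in scope today via the group (nested membership included).
$InGroup = Get-ADGroupMember -Identity $FilterGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties $MatchAttrs }

# Users that would be in scope once the listed OUs are selected.
$InOUs = foreach ($ou in $TargetOUs) {
    Get-ADUser -Filter * -SearchBase $ou -SearchScope Subtree -Properties $MatchAttrs
}

$groupDNs = @{}; $InGroup | ForEach-Object { $groupDNs[$_.DistinguishedName] = $true }
$ouDNs    = @{}; $InOUs   | ForEach-Object { $ouDNs[$_.DistinguishedName]    = $true }

# 1) Leaving scope: soft-deleted in Azure AD after the change, permanently
#    deleted 30 days later under default settings unless restored.
$leaving = $InGroup | Where-Object { -not $ouDNs.ContainsKey($_.DistinguishedName) }

# 2) Entering scope: new to the sync engine; UPN / primary SMTP must line up
#    with any pre-existing cloud identity for a soft-match rather than a duplicate.
$entering = $InOUs | Where-Object { -not $groupDNs.ContainsKey($_.DistinguishedName) }

# 3) Entering users with neither UPN nor mail cannot soft-match at all.
$unmatchable = $entering | Where-Object { -not $_.userPrincipalName -and -not $_.mail }

"Users leaving scope (will be soft-deleted): {0}" -f @($leaving).Count
$leaving | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

"Users entering scope (verify soft-match): {0}" -f @($entering).Count
$entering | Select-Object SamAccountName, userPrincipalName, mail | Format-Table -AutoSize

"Entering users with no UPN or mail (cannot soft-match): {0}" -f @($unmatchable).Count
$unmatchable | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Optional guard, run on the AAD Connect server (ADSync module): pause the
# scheduler while you reconfigure so a delta cycle cannot fire mid-change.
# Set-ADSyncScheduler -SyncCycleEnabled $false
```

Run it read-only first and review the "leaving" list: anything there that should stay in Azure AD needs to be moved into a selected OU (or the OU list widened) before the wizard is re-run, otherwise the soft-delete clock starts on the next sync cycle.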

I'm actually not sure what happens in that situation, as really, that's an error condition, not a scope change.
If the filtering group has been deleted, I'd actually expect synchronisation to completely fail. This means the Venn diagram is irrelevant, and only becomes relevant again once the error has been resolved (by either restoring the group or changing the configuration in the AAD Connect wizard to point to a new group, or through choosing the "synchronise all users and devices" option).
In this scenario, nothing would be deleted from Azure AD, as no changes of any kind would be effected until the error has been resolved.
To mitigate the group deletion scenario, three quick options come to mind:
- Enable the "protect object from accidental deletion" in Active Directory Users and Computers - shown in Figure 1 below (under the hood, this results in a simple "deny" permission addition to the group);
- Explicitly add a "deny" permission to the group;
- Ensure the Active Directory Recycle Bin has been enabled (it's quite likely it's already enabled).
You can mix and match these options - you don't have to choose just one.
Figure 1: Protect object from accidental deletion.
Cheers,
Lain
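The three mitigations above, done and verified from PowerShell, as an added example (not code from the thread or from Microsoft): it sets the same "protect from accidental deletion" flag the ADUC tick box sets, lists the resulting "deny" ACEs so you can confirm them (or confirm a deny you added by hand), and reports whether the AD Recycle Bin is enabled. The group name is a hypothetical placeholder; it assumes the ActiveDirectory RSAT module and rights to modify the group.

```powershell
# Added example: protect the AAD Connect filtering group and check the
# Recycle Bin. The group name is a placeholder.
Import-Module ActiveDirectory

$FilterGroup = 'AADC-Sync-Pilot'                       # hypothetical filtering group
$group = Get-ADGroup -Identity $FilterGroup -Properties ProtectedFromAccidentalDeletion

# Option 1: the ADUC tick box, from PowerShell. Under the hood this adds Deny
# ACEs for Everyone (Delete, Delete Subtree) on the object.
if (-not $group.ProtectedFromAccidentalDeletion) {
    Set-ADObject -Identity $group.DistinguishedName -ProtectedFromAccidentalDeletion $true
    "Enabled accidental-deletion protection on $FilterGroup"
} else {
    "$FilterGroup is already protected from accidental deletion"
}

# Option 2 check: enumerate Deny ACEs that cover Delete or DeleteTree, whether
# they came from the tick box or were added explicitly.
$acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
$denies = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and (
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::Delete) -or
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::DeleteTree)
    )
}
"Deny ACEs covering Delete/DeleteTree on {0}: {1}" -f $FilterGroup, @($denies).Count
$denies | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize

# Option 3: Recycle Bin. Enabling it is forest-wide and cannot be undone, so
# this only reports; the Enable-ADOptionalFeature line is printed, not run.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (@($rb.EnabledScopes).Count -gt 0) {
    "AD Recycle Bin is enabled (scopes: $($rb.EnabledScopes -join ', '))"
} else {
    "AD Recycle Bin is NOT enabled. To enable it after change review, run:"
    "  Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target '$((Get-ADForest).Name)'"
}
```

The deny listing is the useful part for ongoing checks: if someone later clears the tick box, the ACE count drops to zero, which is easy to alert on from a scheduled run, well before the group can be deleted and synchronisation fails.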