Hoping someone might be able to help me with this. I am implementing a new Azure AD Connect system and I have been trying to find a way to reverse the security group filtering; rather than group membership being a requirement for sync, I would like only users NOT in the group to be synced. 

I have tried editing (copy-edit) the existing In From AD - User Filtering rule and changing the ISNOTMEMBER to ISMEMBER condition, but this doesn't appear to actually do anything, and the security group is ignored until I put the rule back to how it was, where it starts working as default. 

I am looking for an easy way to exclude discrete numbers of users from synchronization that doesn't involve OU Filtering and thought a security group would be the logical choice but this doesn't seem to work. 

Anyone have a similar situation?