AAD Connect Exchange Hybrid write-back filtering


Is there any way in AAD Connect tool to filter the accounts being 'written-back' to AD. We have Exchange Hybrid configuration and AAD Connect is writing-back some attributes to AD. However, we don't want this write-back for some selected user accounts. Can this be done?

4 Replies

The only way I can think of achieving this is by editing the sync rules... which will put you in an unsupported scenario.

Additionally, those attributes written back are required for the Exchange Hybrid to work. If you were to edit those or unsync them, those objects could potentially break over the hybrid.

We have some admin accounts in AD which are synced to O365. The team is reluctant (and understandably so) to give the AAD Connect tool write-back permissions on these accounts. None of these accounts have any license in O365, and they aren't meant to be used for email on-prem either.


What I have found so far is that there is no way to exclude these accounts from 'write-back', at least not in a way that's supported by Microsoft.


Anyone found any workaround?


So simply remove those users from the sync scope; why do you need them in O365 anyway?
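Before deciding between "edit the sync rules" and "take them out of scope", it helps to know what the AAD Connect connector account can actually write on those admin accounts today. The following PowerShell audit is an added example, not code from any post in this thread or from Microsoft; it assumes the ActiveDirectory module is available and uses a placeholder connector account name that you must replace with your own. It is read-only. One detail worth checking that the thread does not mention: accounts with adminCount=1 are "protected" accounts whose ACL is periodically reset by SDProp from the AdminSDHolder template, so any write permission delegated to the connector account at the OU level is stripped from them unless AdminSDHolder itself grants it. The script reports both the AdminSDHolder ACL and the per-account ACEs so you can see which of the admin accounts the connector could write back to at all.

```powershell
# Added example, not from the thread. Audits which protected (adminCount=1) users the
# AAD Connect AD DS connector account can currently write to, and whether the
# AdminSDHolder template grants it write access. Read-only: nothing is changed.
# Assumptions: the ActiveDirectory module is installed, and the connector account
# name below is a placeholder to replace with your own (e.g. the MSOL_* account).
Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\MSOL_placeholder'   # placeholder, not a real account name

# Rights that allow modifying attributes on an object; write-back needs one of these.
$WriteRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-ConnectorWriteAces {
    # Returns the Allow ACEs on the object that grant the connector account write rights.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ConnectorAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $WriteRights) -ne 0
    }
}

$domainDn = (Get-ADDomain).DistinguishedName

# 1. AdminSDHolder is the ACL template SDProp reapplies to protected accounts.
#    If it grants the connector nothing, OU-level delegation will not survive on them.
$holderAces = @(Get-ConnectorWriteAces -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDn")
"AdminSDHolder grants the connector account write ACEs: {0}" -f ($holderAces.Count -gt 0)

# 2. Per protected account: has it synced (mS-DS-ConsistencyGuid is stamped by AAD Connect
#    when it is used as the source anchor), and does the connector hold write ACEs on it?
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, 'mS-DS-ConsistencyGuid', proxyAddresses |
    ForEach-Object {
        $aces = @(Get-ConnectorWriteAces -DistinguishedName $_.DistinguishedName)
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            HasConsistencyGuid = $null -ne $_.'mS-DS-ConsistencyGuid'
            ProxyAddressCount  = @($_.proxyAddresses).Count
            ConnectorWriteAces = $aces.Count
            ConnectorRights    = ($aces.ActiveDirectoryRights | Sort-Object -Unique) -join ','
        }
    } | Format-Table -AutoSize
```

Run it as a user who can read ACLs in the domain. Accounts that show up with HasConsistencyGuid true but zero connector write ACEs are the ones where write-back is already silently failing, which is the usual outcome for protected admin accounts and a good argument for the "take them out of sync scope" answer above rather than editing sync rules.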