AD Connect attribute-based filter on proxyaddresses


Hello,

I would like to create an attribute-based filter. The goal is to only synchronize users with a proxyaddresses value ending with @mytestdomain.com, @myothertestdomain.com and @mydomain.onmicrosoft.com.

However, after reviewing the documentation from the link below, I am left with more questions.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering

I was thinking about implementing a "positive filter".

The section for "positive filter" states that we must "override the default filter in the out-of-box rule In from AD - User Join".

After examining the default rule "In from AD - User Join", that rule has a link type set to Provision.

However, the example states to set the link type to join. That default rule appears to filter out critical system objects and a few other accounts, so I want to make sure I don't mess things up.

I'm not sure if I should just leave this rule in place and create rules with a lower precedence, duplicate, disable the original rule, follow the instructions and change the link type, or do something else completely.

Seems like it might be something fairly common to do, filter based on the proxyaddresses attribute, but I can't seem to find much on this topic.

Anyone have any ideas?

1 Reply

Hi @notmynamehere,

You should be able to add them in on the user join rule.

You don't need to add the tenant suffix to the filter.

Hope this helps,
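
An added illustration, not part of the question or reply above and not Azure AD Connect code: a small Python model of how a sync-rule scoping filter is evaluated (clauses inside a group are ANDed, groups are ORed), showing why a positive filter on proxyAddresses needs one group per suffix and why each group should repeat the default rule's exclusions. Assumptions: the two exclusion clauses are stand-ins for what the default rule carries, string operators are applied per value and case-insensitively, the suffix list is a parameter, and the user objects are constructed samples.

```python
# Model of sync-rule scoping-filter evaluation (illustration only, not AD Connect code).
# Documented semantics: clauses inside a group are ANDed, groups are ORed.
OPS = {
    "ENDSWITH": lambda v, a: v.lower().endswith(a.lower()),
    "NOTEQUAL": lambda v, a: v.lower() != a.lower(),
    "NOTSTARTSWITH": lambda v, a: not v.lower().startswith(a.lower()),
}

def clause_matches(obj, attr, op, arg):
    values = obj.get(attr, [])
    # Assumption: a positive operator needs one matching value, a NOT* operator
    # needs every value to pass (so an absent attribute passes a NOT* clause).
    combine = all if op.startswith("NOT") else any
    return combine(OPS[op](v, arg) for v in values)

def in_scope(obj, groups):
    return any(all(clause_matches(obj, *c) for c in group) for group in groups)

# Assumed stand-ins for the exclusions the default rule already carries.
DEFAULT_EXCLUSIONS = [
    ("isCriticalSystemObject", "NOTEQUAL", "TRUE"),
    ("adminDescription", "NOTSTARTSWITH", "User_"),
]

def one_group_per_suffix(suffixes):
    # Positive filter: each suffix gets its own group and repeats the exclusions.
    return [DEFAULT_EXCLUSIONS + [("proxyAddresses", "ENDSWITH", s)] for s in suffixes]

def all_suffixes_in_one_group(suffixes):
    # Contrast case: the suffix clauses are ANDed, so a user needs every suffix.
    return [DEFAULT_EXCLUSIONS + [("proxyAddresses", "ENDSWITH", s) for s in suffixes]]

def scoped_names(users, groups):
    return sorted(name for name, obj in users.items() if in_scope(obj, groups))

SUFFIXES = ["@mytestdomain.com", "@myothertestdomain.com"]
USERS = {  # constructed sample objects, all attribute values as lists
    "alice": {"proxyAddresses": ["SMTP:alice@mytestdomain.com"]},
    "bob": {"proxyAddresses": ["SMTP:bob@myothertestdomain.com", "smtp:bob@corp.example"]},
    "carol": {"proxyAddresses": ["SMTP:carol@corp.example"]},
    "dave": {},
    "erin": {"proxyAddresses": ["SMTP:erin@mytestdomain.com", "smtp:erin@myothertestdomain.com"]},
    "sysacct": {"proxyAddresses": ["smtp:sys@mytestdomain.com"], "isCriticalSystemObject": ["TRUE"]},
}

if __name__ == "__main__":
    print("one group per suffix:", scoped_names(USERS, one_group_per_suffix(SUFFIXES)))
    print("single group:", scoped_names(USERS, all_suffixes_in_one_group(SUFFIXES)))
```

Running the same comparison against an export of real directory objects before editing the rule gives a preview of which accounts would drop out of sync scope.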