Entra Cloud Sync Not Applying Assigned OU Filters


I am working to set up Entra Cloud Sync to sync a single OU from my on-premises AD to Entra AD. I have installed the latest Entra Cloud Sync agent on my single DC and set up the necessary configuration in the Entra Cloud Sync portal area. I have applied a scoping filter for the single OU that I need to sync for two AD security groups. This all saves properly. However, when I go to enable the configuration, I get an overview of what changes will occur and the scoping filters section at the bottom shows clearly "All Users" even though my configuration has defined scoping filters set up. I cannot proceed with all users as I have some areas and users that I cannot modify AD permissions. I have deleted and re-setup my configuration multiple times but the same continues.


Any input and suggestions are appreciated.

Scoping filters
Object scope filters
All users

3 Replies



Hi, Ken.


Filtering (or scoping - it's all the same) can be done at two distinct levels:


  • Domain and organisational unit;
  • User and device (computers are technically derived from user objects).


You can perform filtering on either, both or neither. What gets synchronised is the sum of both settings - i.e. one does not override the other.


Using my AAD Connect configuration from my partner environment to illustrate, you can see I have filtered synchronisation down to just a couple of organisational units. AAD Connect will not look outside of the selected organisational units.




And here is the user and device filtering, where you can see the "synchronise all users and devices" option (despite the fact I'm not using it). Let's assume I had used the first option, as most people (including yourself) would do.




Putting these two settings together, we can say that AAD Connect will synchronise:


  1. All users and devices
  2. From the selected organisational units.


Selecting "all users and devices" does not mean that users and devices from outside the selected organisational units will be synchronised, as they won't.




Thanks for the clear clarification of this question. And would you say that this also applies to the Entra Cloud Sync version as well? In that setup, you create the filters based on your needs with OUs and/or groups and then when you enable the sync, it will sync all but only those that meet the criteria of the filters?




Yes, organisational unit and group filtering work the same way in Cloud Sync.


Technically, you can achieve more complex attribute-level filtering in AAD Connect (and its bigger brother, Microsoft Identity Manager), but if per organisational unit and/or group filtering are sufficient, Cloud Sync will meet your needs.
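
The combination described in the replies above ("all users and devices", but only from the selected organisational units), as an added Python example that is not part of the thread and not Microsoft's code. The DNs, group names and the `split_dn`, `in_ou` and `sync_scope` helpers are constructed for illustration, and treating a group filter as narrowing the OU result is an assumption.

```python
# Added example; names, DNs and group names below are constructed.

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return rdns

def in_ou(dn, ou_dn):
    """True if the object sits anywhere below ou_dn (whole-RDN suffix match)."""
    obj, ou = split_dn(dn), split_dn(ou_dn)
    return len(obj) > len(ou) and obj[-len(ou):] == ou

def sync_scope(objects, selected_ous, selected_groups=None):
    """Return DNs that are in a selected OU and pass the object-level filter.
    selected_groups=None models "all users and devices"; a set of group names
    models group-based filtering (assumed to narrow the OU result further)."""
    result = []
    for o in objects:
        if not any(in_ou(o["dn"], ou) for ou in selected_ous):
            continue  # outside the selected OUs: never considered
        if selected_groups is None or o["groups"] & set(selected_groups):
            result.append(o["dn"])
    return result

STAFF_OU = "OU=Staff,DC=corp,DC=example"
SAMPLE = [  # constructed directory export
    {"dn": "CN=Ann Lee,OU=Staff,DC=corp,DC=example", "groups": {"Sync-A"}},
    {"dn": "CN=Bob Ray,OU=Temps,OU=Staff,DC=corp,DC=example", "groups": set()},
    {"dn": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example", "groups": {"Sync-A"}},
    # CN contains an escaped comma; the object is NOT in OU=Staff
    {"dn": "CN=Smith\\,OU=Staff,DC=corp,DC=example", "groups": set()},
]

if __name__ == "__main__":
    print(sync_scope(SAMPLE, [STAFF_OU]))
    print(sync_scope(SAMPLE, [STAFF_OU], {"Sync-A"}))
```

Comparing whole RDNs instead of using a plain string suffix test keeps the last sample object, whose name contains an escaped comma, out of the computed scope.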