MS-100 Microsoft 365 Identity and Services

configure Azure AD Connect object filters

#MS-100 Microsoft 365 Identity and Services

Azure AD Connect is the key tool for integrating your on-premises Active Directory (AD) environment with Azure AD. It offers various functionalities that help to ensure smooth and seamless synchronization.

One of the many features provided by Azure AD Connect is the ability to define object filters. Object filters in Azure AD Connect allow you to specify which objects you want to sync to Azure AD. For instance, one might want to exclude certain users, groups, or organizational units (OUs) from being synchronized to Azure AD.

Table of Contents

Configuring Azure AD Connect Object Filters

Before using object filters, it’s essential to understand that Azure AD Connect syncs all objects in a directory by default. Object filters in Azure AD Connect are designed to help manage exactly what gets synced.

To configure Azure AD Connect object filters, follow these steps:

  1. Open the ‘Azure AD Connect’ application on your server.
  2. From the ‘Tasks’ page, choose the ‘Customize synchronization options’ and then click ‘Next’.
  3. Enter your Azure AD credentials and click ‘Next’.
  4. On the ‘Connect to AD DS’ page, you can add or delete the Active Directory connectors.
  5. After handling your connectors, click the ‘Next’ button.
  6. In the ‘Optional features’ page, make sure to check the ‘Directory extension attribute sync’ option.
  7. Navigate to the ‘Optional features’ page and click ‘Next’.
  8. You’ll find the ‘Domain/OU Filtering’ page where you can customize which objects are synced.
  9. In the ‘Unselected’ box, select the object that you don’t want to sync and click ‘Block’.
  10. Click ‘Next’ to apply the changes.

Examples of Azure AD Connect Object Filters

Excluding a Specific OU

There might be specific OUs in your organization that you don’t want to sync with Azure AD. During the sync configuration, you can exclude these OUs from the sync process. Note that all objects in a deselected OU will be excluded from the sync.

Excluding Specific Objects

Further to excluding an entire OU, you can specify certain user accounts or groups from being synced. To do this, you’d leverage the scoping filter in the Synchronization Rules Editor.

Azure AD Connect Object Filters Best Practices

  1. Regularly reviewing and updating object filters as part of your ongoing management tasks will ensure only required objects are synchronized.
  2. For large organizations, consider custom sync rules that will allow you to filter specific attributes.
  3. Not all changes need Azure AD Connect sync cycle. Only make changes in Azure AD Connect sync cycle if necessary because significant changes may take some time.

Understanding and using Azure AD Connect object filters can help manage the information that is synced to Azure AD from an on-premises AD environment. By selecting only specific objects for synchronization, you can maintain the security and integrity of your organization’s AD structure.

Practice Test

True or False: Azure AD Connect allows you to synchronize on-premises Active Directory objects with the Microsoft Azure cloud.

  • True
  • False

Answer: True

Explanation: Azure AD Connect is a tool that connects functionalities of its predecessor Windows Azure Active Directory Sync (DirSync) and Azure AD Sync Services (AAD Sync) which makes it possible to synchronize on-premises Active Directory objects with Microsoft Azure cloud.

What is the role of object filtering in Azure AD Connect?

  • A) Filters out unwanted objects
  • B) Identifies objected to be transported to Azure
  • C) Both A and B
  • D) None of the above

Answer: C) Both A and B

Explanation: Object filtering in Azure AD Connect helps to determine which objects will transport to Azure and to filter out those objects that are not required.

True or False: Azure AD Connect supports only one-way synchronization, from on-premises Active Directory to Azure AD.

  • True
  • False

Answer: False

Explanation: Azure AD Connect supports two-way synchronization i.e. from on-premises Active Directory to Azure AD and Azure AD to on-premises Active Directory.

To configure object filters in Azure AD Connect, you must use the “AD Connect Configuration Wizard”.

  • A) True
  • B) False

Answer: B) False

Explanation: You must use the “Azure AD Connect Configuration Wizard” to configure object filters in Azure AD Connect, not an “AD Connect Configuration Wizard”.

True or False: Azure AD Connect only syncs user objects.

  • True
  • False

Answer: False

Explanation: Azure AD Connect syncs not only user objects but also group and computer objects from on-premises Active Directory to Azure AD.

Is it possible to set different filters for different domains in Azure AD Connect?

  • A) Yes
  • B) No

Answer: A) Yes

Explanation: Azure AD Connect allows sets different filters for different domains through the use of multiple sync configurations.

True or False: By default, Azure AD connect syncs all objects from the configured domains.

  • True
  • False

Answer: True

Explanation: Azure AD Connect, by default, syncs all objects from the domains that it is configured to sync.

Which of the following objects are possible to filter in Azure AD Connect?

  • A) Users
  • B) Contacts
  • C) Groups
  • D) All of the above

Answer: D) All of the above

Explanation: Azure AD Connect permits the filtering of Users, Contacts, Groups, and other object types as per organizational needs.

Object filtering changes in the Azure AD Connect configuration requires a full synchronization of the databases after the changes.

  • A) True
  • B) False

Answer: A) True

Explanation: After making changes to the object filtering in Azure AD Connect, a full synchronization is required to make sure the changes are reflected in the databases.

You can use PowerShell scripts to customize the syncing process in Azure AD Connect.

  • A) True
  • B) False

Answer: A) True

Explanation: PowerShell scripts provide flexibility to customize the syncing process to fit the specific requirements of the organization in Azure AD Connect.

When configuring object filters, ‘NOT’ operations are allowed in filter configuration expressions.

  • A) True
  • B) False

Answer: B) False

Explanation: ‘NOT’ operations are not allowed in filter configuration expressions. Only ‘AND’ operations are supported in Azure AD Connect.

True or False: Azure AD Connect does not support filtering on attributes.

  • True
  • False

Answer: False

Explanation: Azure AD Connect does support filtering on attributes which allows more specificity and control over what objects are synced.

In Azure AD Connect, sync rules are editable, and new rules can be created as per the need.

  • A) True
  • B) False

Answer: A) True

Explanation: Sync rules are customizable in Azure AD Connect, and new rules can be created to suit the specific needs of an organization.

True or False: Azure AD Connect cannot synchronize password hashes.

  • True
  • False

Answer: False

Explanation: Azure AD Connect can synchronize password hashes which facilitates seamless SSO (Single Sign On) experiences.

Azure AD Connect syncs every minute by default.

  • A) True
  • B) False

Answer: B) False

Explanation: Azure AD Connect syncs at the default frequency of 30 minutes. The frequency can be changed according to organizational requirements.

Interview Questions

What is the primary function of Azure AD Connect?

Azure AD Connect works to sync on-premise Active Directory identities into Azure AD, effectively providing a common identity for users on both the cloud and the on-premise environment.

What are the Azure AD Connect object filters used for?

Object filters in Azure AD Connect are utilized to specify which objects should be synced to Azure AD. This increases efficiency and allows for more control over synchronization.

How can you configure object filters in Azure AD Connect?

Object filters can be configured within the Azure AD Connect wizard. You should select the ‘Customize Synchronization Options’ button, then select the relevant domain and finally, adjust/optimize your filter settings accordingly.

What are some types of object filters you can have in Azure AD Connect?

Azure AD Connect supports two types of object filters: domain-based filters and organizational unit-based filters.

What does an organizational unit-based filter in Azure AD Connect do?

Organizational unit-based filters in Azure AD Connect allow the administrator to select which organizational units (OUs) to synchronize to Azure AD.

What does a domain-based filter in Azure AD Connect do?

Domain-based filters in Azure AD Connect allow the administrator to choose which domains to synchronize to Azure AD.

Is it possible to change the object filters after the initial setup of Azure AD Connect?

Yes, the object filters can be modified after the initial configuration by rerunning the Azure AD Connect wizard and choosing to customize the synchronization options.

Can both domain-based and organizational unit-based filters be applied simultaneously in Azure AD Connect?

Yes, both domain-based and organizational unit-based filters can be used at the same time in Azure AD Connect.

When would you use domain-based filtering in Azure AD Connect?

Domain-based filtering would be used when you want to exclude specific domains from synchronization. It’s a global setting and applies to all synchronization rules.

When would you use organizational unit-based filtering in Azure AD Connect?

Organizational unit-based filtering would be used when you want to exclude certain OUs within a domain from synchronization.

How do you configure organizational unit-based filters in Azure AD Connect?

Organizational unit-based filters can be configured by selecting ‘Customize Synchronization Options’ in the Azure AD Connect wizard. Following this, select the required domain and unselect the OUs you don’t want to synchronize.

Is it possible to set up attribute-based filtering in Azure AD Connect?

Yes, it is possible to set up attribute-based filtering in Azure AD Connect, but it involves manually setting up synchronization rules.

What happens if I deselect an OU from synchronization in Azure AD Connect?

If an OU is deselected from synchronization, the users, groups, and devices within that OU will no longer be synchronized to Azure AD.

Can I preview the results before applying the object filters in Azure AD Connect?

Yes, Azure AD Connect allows you to preview the results before applying the object filters. This can be done through the Synchronization Service Manager.

Can I include or exclude certain types of objects in Azure AD Connect?

Yes, you can choose to include or exclude certain types of objects through Attribute-based filtering by creating custom synchronization rules.

Related Post

MS-100 Microsoft 365 Identity and Services

plan conditional access policies

extutorials.com
MS-100 Microsoft 365 Identity and Services

manage roles in Microsoft 365 admin center

extutorials.com
MS-100 Microsoft 365 Identity and Services

choose between Azure AD Connect and Azure AD Connect cloud sync

extutorials.com

Leave a Reply

Your email address will not be published. Required fields are marked *