Most often, when synchronizing your directories to AAD, you don't want all of your users to get synchronized. One of the most common ways of filtering out who should and should not get synced is attribute-based filtering.
Since AADSync arrived, the process of doing this has changed a bit. In this post I will go through how to configure the filtering with PowerShell. Read here about the other methods for filtering objects in AADSync.
In this particular example I will filter out users by the following criteria:
- UserPrincipalName DOES NOT END with @365lab.net
I have created a PowerShell function that makes configuring the filtering a bit easier. If you do not specify a domain with the -DomainName parameter, it will create the rule for all of your domains connected to AADSync (if you have more than one). To create a filtering configuration as in my example, just run the cmdlet as below.
New-JDAADSyncFilteringRule -Name "In from AD - User NoSync Filter" `
    -Attribute "userPrincipalName" `
    -Value "@365lab.net" `
    -Operator NOTENDSWITH `
    -Precedence 50

Please note that, unlike most things nowadays, the filter is not forgiving when it comes to case-sensitivity: the value must match the case of the attribute exactly.
New-JDAADSyncFilteringRule
function New-JDAADSyncFilteringRule {
<#
.SYNOPSIS
    The function will create AADSync filtering rules based on attributes and conditions
.EXAMPLE
    New-JDAADSyncFilteringRule "Inbound from AD" -Attribute "userPrincipalName" -Value "@365lab.net" -Operator ENDSWITH -Precedence 50
.NOTES
    File Name: New-JDAADSyncFilteringRule
    Author   : Johan Dahlbom, johan[at]dahlbom.eu
    Blog     : 365lab.net
    The script is provided "AS IS" with no guarantees, no warranties, and it confers no rights.
    Requires PowerShell Version 3.0!
#>
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)]
        [String]
        $Name,
        # Optional: name of a single AD connector; validated against the connectors AADSync knows about
        [ValidateScript({Get-ADSyncConnector -Name $_})]
        [string]
        $DomainName,
        [Parameter(Mandatory=$true)]
        [String]
        $Attribute,
        [Parameter(Mandatory=$true)]
        [String]
        $Value,
        [Parameter(Mandatory=$true)]
        [ValidateSet("EQUAL","NOTEQUAL","NOTENDSWITH","ENDSWITH","CONTAINS","NOTCONTAINS")]
        $Operator,
        [Parameter(Mandatory=$true)]
        [int]
        $Precedence
    )
    #Import ADSync Module
    Import-Module ADSync
    #Check if connector/domain name has been provided; otherwise target every AD connector
    if ($DomainName) {
        $ADConnectors = Get-ADSyncConnector -Name $DomainName
    } else {
        $ADConnectors = Get-ADSyncConnector | Where-Object {$_.Type -eq "AD"}
    }
    foreach ($ADConnector in $ADConnectors) {
        try {
            #Create the Scope Filter Object (the condition an object must meet for the rule to apply)
            $Scopefilter = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition
            $Scopefilter.Attribute = $Attribute
            $Scopefilter.ComparisonValue = $Value
            $Scopefilter.ComparisonOperator = $Operator
            #Create the Attribute Flow: matching objects get cloudFiltered = True and are left out of the sync
            $AttrFlowMappings = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.AttributeFlowMapping
            $AttrFlowMappings.Source = "True"
            $AttrFlowMappings.Destination = "cloudFiltered"
            $AttrFlowMappings.FlowType = "constant"
            $AttrFlowMappings.ExecuteOnce = $False
            $AttrFlowMappings.ValueMergeType = "Update"
            #Add the Scope Filter to a Scope Group
            $ScopeFilterGroup = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeConditionGroup
            $ScopeFilterGroup.ScopeConditionList.Add($Scopefilter)
            #Splat the parameters for the inbound sync rule
            $SyncRuleHt = @{
                Connector             = $ADConnector.Identifier.Guid
                Name                  = $Name
                SourceObjectType      = "user"
                TargetObjectType      = "person"
                Direction             = "inbound"
                AttributeFlowMappings = $AttrFlowMappings
                LinkType              = "Join"
                Precedence            = $Precedence
                ScopeFilter           = $ScopeFilterGroup
            }
            Add-ADSyncRule @SyncRuleHt | Out-Null
            Write-Output "Added the Syncrule $Name ($Precedence) for the attribute $Attribute with the condition $Operator $Value"
        } catch {
            Write-Warning "$_"
        }
    }
}
RESULTS
Use SyncRulesEditor.exe (or the cmdlet Get-ADSyncRule), found in the folder where you have installed AADSync (most commonly C:\Program Files\Microsoft Azure AD Sync\UIShell\), to verify that your settings have been saved and configured successfully.
As always, if you have suggestions for improvements or changes in the scripts or posts, let us know!
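The same verification can be scripted instead of clicking through the editor. The function below is an added example, not part of the original post or the ADSync module: it checks, for every AD connector, that an inbound rule with the given name exists, that it carries the expected scope condition, and that the rule sets cloudFiltered. Because the scope filter is case-sensitive, it also warns when the stored comparison value differs from the expected one only in case. Property names on the rule object (Connector, Direction, ScopeFilter, ScopeConditionList, AttributeFlowMappings) and the function name are assumptions based on the objects used above.

```powershell
function Test-JDAADSyncFilteringRule {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Attribute,
        [Parameter(Mandatory=$true)][string]$Value,
        [Parameter(Mandatory=$true)][string]$Operator
    )
    Import-Module ADSync
    # Each AD connector should have received its own copy of the rule
    $Connectors = Get-ADSyncConnector | Where-Object { $_.Type -eq "AD" }
    $Rules = Get-ADSyncRule | Where-Object { $_.Name -eq $Name -and $_.Direction -eq "Inbound" }
    $AllGood = $true
    foreach ($Connector in $Connectors) {
        # Assumed: the rule's Connector property holds the connector's Identifier GUID
        $Rule = $Rules | Where-Object { $_.Connector -eq $Connector.Identifier } | Select-Object -First 1
        if (-not $Rule) {
            Write-Warning "$($Connector.Name): no inbound rule named '$Name'"
            $AllGood = $false; continue
        }
        # Flatten all scope condition groups and look for our attribute/operator pair
        $Conditions = $Rule.ScopeFilter | ForEach-Object { $_.ScopeConditionList }
        $Condition = $Conditions | Where-Object {
            $_.Attribute -eq $Attribute -and "$($_.ComparisonOperator)" -eq $Operator
        } | Select-Object -First 1
        if (-not $Condition) {
            Write-Warning "$($Connector.Name): rule '$Name' has no $Operator condition on $Attribute"
            $AllGood = $false; continue
        }
        # The scope filter compares case-sensitively (-cne), so a value that only matches
        # case-insensitively would silently let through the users you meant to filter
        if ($Condition.ComparisonValue -cne $Value) {
            if ($Condition.ComparisonValue -ieq $Value) {
                Write-Warning "$($Connector.Name): value '$($Condition.ComparisonValue)' differs from '$Value' only in case"
            } else {
                Write-Warning "$($Connector.Name): value is '$($Condition.ComparisonValue)', expected '$Value'"
            }
            $AllGood = $false; continue
        }
        # Without the constant flow to cloudFiltered the rule scopes the object but filters nothing
        $Flow = $Rule.AttributeFlowMappings | Where-Object { $_.Destination -eq "cloudFiltered" }
        if (-not $Flow) {
            Write-Warning "$($Connector.Name): rule '$Name' does not set cloudFiltered"
            $AllGood = $false; continue
        }
        Write-Output "$($Connector.Name): rule '$Name' (precedence $($Rule.Precedence)) looks correct"
    }
    return $AllGood
}
```

Run it with the same -Name, -Attribute, -Value and -Operator you passed to New-JDAADSyncFilteringRule; a $false result with a warning tells you which connector needs attention.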
Enjoy!
/Johan
I ran up against this task recently as well…
You might want to consider using the expression method so you can handle any uppercase/lowercase issues; you can also then account for multiple UPN suffixes.
More info here: http://blogs.perficient.com/microsoft/2015/01/office-365-how-to-configure-upn-filtering-in-aadsync/
Thanks for the comment, Joe. Looked into that method as well and it is of course a good method depending on what you want to achieve. Thanks for sharing!