Prepare Active Directory for Azure AD Connect

Plan for filtering Active Directory

Your browser does not support video. Install Microsoft Silverlight, Adobe Flash Player, or Internet Explorer 9.

Develop your talent with more than 10,000 online courses from LinkedIn Learning

In this lesson we'll look at the considerations when you are planning for filtering your Active Directory objects before you do your synchronization with Azure Active Directory Connect. Now filtering allows for Active Directory and Office 365 administrators to have a great deal of control over which objects will appear in Azure Active Directory following the synchronization with on-premises Active Directory. So as with a lot of conceptual stuff it really helps to take note of the default behavior and the default configuration when you run the Azure Active Directory Connect tool is that it will take all objects in all domains throughout all of your configured forests in your on-premises Active Directory environment.

So in general this would be the recommended configuration and will be the most practical configuration if you are rolling Office 365 out in a production environment with an existing Active Directory environment. Now why might that be? It's because at the end of the synchronization your users will get the same experience that they would get with an on-premises implementation of Exchange. In other words, they get the same global address list whether they are dealing with an on-premises Exchange or whether they are dealing with Office 365.

In other words, when they go to send an email or make a Skype phone call the contacts that come up are the exact same. And in one last in other words, it makes for a very seamless experience for your end users. They can still send email and call everyone that they're used to emailing and calling. Now sometimes you won't want to sync all of the objects from your Active Directory environment, so that's where the filtering comes in.

So here are some examples that might call for filtering. If you are doing a pilot or proof of concept then you probably don't need to sync your entire Active Directory environment to Azure Active Directory. In a small pilot environment you probably don't have to have the entire global address list to demonstrate that this is a functional solution and that will work when you scale it up to the entire enterprise. Another instance why you might want to implement filtering is that you have service accounts and other nonpersonal accounts that you don't want to port over into your Azure Active Directory environment.

And in another instance where filtering can be helpful is if you have a compliance or legal reason to do so, maybe an auditing reason to do so. So in this example what commonly might happen is that you have users that you need to keep record of in terms of their membership in your Active Directory environment, but you don't necessarily want to synchronize them and if they get synchronized to Office 365 they would possibly be assigned a license for the desktop product and you don't want to do that, but you want to deactivate the accounts as they live your Active Directory database.

In Azure Active Directory you only want to see active accounts. So that might be another instance where you would want to implement filtering. Now when you decide to use filtering during your Active Directory synchronization you could apply these kinds of filters, you can filter for group objects, you can filter for domain objects, organizational units, and attribute-based objects. So when you implement filtering based on a group it's filtering for just a single group or a couple of groups that will be selectable when you run the Active Directory synchronization wizard.

When you do a domain-based filter this let's you select which domains synchronize to Azure Active Directory, so maybe you have a multi-domain forest and you want to select just certain domains. Maybe one domain has all your users or one domain is specific to a geographical location, or a business unit that you want to sync and have Office 365 available to those users, but in another domain there either aren't any users or it's a different business unit that doesn't need Office 365, so that might be another instance where domain filtering can come in handy.

Organizational unit, it allows you to select exact organizational units to synchronize with Azure Active Directory. And then finally, attribute-based is just what it sounds like. Maybe you want all of the user accounts with the attribute Bryan, or the attribute managers, or something like that. So you can bring specific attributes that match in your Active Directory and sync just those with Azure Active Directory with Office 365.

In addition, you can combine filters. So you can choose to sync only certain users from certain domains in certain organizational units in your on-premises Active Directory forest. So for further information on this I recommend that you do a search in your favorite search engine for Azure ad filtering. What you're looking for is this document right here that runs you down the whole list of considerations when you are planning for filtering Active Directory.

In terms of actually doing it you're going to see that later on in this course. And to give you a preview of that I've gone ahead and opened up my Windows Server environment and started to run the Azure Active Directory Connect tool. And you can see here that as I step through the wizard I will be asked questions about either Domain/OU Filtering and some other Filtering options that we just discussed here. So this is the place where you actually configure that filtering that we just talked about.

And, as with most things, the button clicking is a lot easier than getting the concepts solid in your mind.

LinkedIn Learning

LinkedIn Learning is an online learning platform that combines industry-leading content from Lynda.com with LinkedIn’s professional network of more than 500 million member profiles to provide highly personalized course recommendations and a more intuitive learning experience. Learn more.

Benefits

  • Learn from recognized industry experts, and get the business, tech, and creative skills that are most in demand.

  • Receive personal recommendations based on your LinkedIn profile.

  • Stream courses from your computer or mobile device.

  • Take courses for every level – beginner to advanced.

  • Practice while you learn with quizzes, exercise files, and coding windows.

  • Provide learning for your team or entire organization, with an easy to use experience for managing users, curating content and measuring engagement


For businesses with 150+ licenses Request Office 365 onboarding assistance from FastTrack

You can request remote and personalized assistance with onboarding. Our FastTrack engineers will help you plan your Office 365 project, assess your technical environment, provide remediation guidance, and provide user adoption assistance. For businesses with at least 500 licenses, Microsoft also provides personalized assistance to migrate data to Office 365.

See the FastTrack Center Video: http://aka.ms/meetfasttrack

Get started today: http://fasttrack.microsoft.com

Tip: Businesses with 1-149 licenses still have access to FastTrack guidance via links in the Admin Center and also available at https://aka.ms/setupguidance.

Network and system admins can prepare on-premises directories and connect to Azure to take advantage of managing Office 365 groups and users using common identities. Preparation, setup, and administration steps are demonstrated in this course using the Azure Active Directory (AAD) Connect tool. This course is designed to provide you with a better understanding of domain controllers, identity management, synchronization, and more. This course is also an exam preparation resource with topics that map to a corresponding domain in the Office 365 70-346 exam: Managing Office 365 Identities and Requirements.

Topics include:

  • Active Directory Connect and Office 365

  • Planning for non-routable domain names

  • Cleaning up Active Directory objects

  • Using the IDFix tool

  • Filtering Active Directory

  • Using AAD install

  • Synchronizing passwords and attributes

  • Creating and managing users and groups

  • Scheduling and forcing AD synchronization

Connect with an expert
Contact us
Expand your skills
Explore training

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×