In this lesson we'll look at the considerations when you are planning for filtering your Active Directory objects before you do your synchronization with Azure Active Directory Connect. Now filtering allows for Active Directory and Office 365 administrators to have a great deal of control over which objects will appear in Azure Active Directory following the synchronization with on-premises Active Directory. So as with a lot of conceptual stuff it really helps to take note of the default behavior and the default configuration when you run the Azure Active Directory Connect tool is that it will take all objects in all domains throughout all of your configured forests in your on-premises Active Directory environment.

So in general this would be the recommended configuration and will be the most practical configuration if you are rolling Office 365 out in a production environment with an existing Active Directory environment. Now why might that be? It's because at the end of the synchronization your users will get the same experience that they would get with an on-premises implementation of Exchange. In other words, they get the same global address list whether they are dealing with an on-premises Exchange or whether they are dealing with Office 365.

In other words, when they go to send an email or make a Skype phone call the contacts that come up are the exact same. And in one last in other words, it makes for a very seamless experience for your end users. They can still send email and call everyone that they're used to emailing and calling. Now sometimes you won't want to sync all of the objects from your Active Directory environment, so that's where the filtering comes in.

So here are some examples that might call for filtering. If you are doing a pilot or proof of concept then you probably don't need to sync your entire Active Directory environment to Azure Active Directory. In a small pilot environment you probably don't have to have the entire global address list to demonstrate that this is a functional solution and that will work when you scale it up to the entire enterprise. Another instance why you might want to implement filtering is that you have service accounts and other nonpersonal accounts that you don't want to port over into your Azure Active Directory environment.

And in another instance where filtering can be helpful is if you have a compliance or legal reason to do so, maybe an auditing reason to do so. So in this example what commonly might happen is that you have users that you need to keep record of in terms of their membership in your Active Directory environment, but you don't necessarily want to synchronize them and if they get synchronized to Office 365 they would possibly be assigned a license for the desktop product and you don't want to do that, but you want to deactivate the accounts as they live your Active Directory database.

In Azure Active Directory you only want to see active accounts. So that might be another instance where you would want to implement filtering. Now when you decide to use filtering during your Active Directory synchronization you could apply these kinds of filters, you can filter for group objects, you can filter for domain objects, organizational units, and attribute-based objects. So when you implement filtering based on a group it's filtering for just a single group or a couple of groups that will be selectable when you run the Active Directory synchronization wizard.

When you do a domain-based filter this let's you select which domains synchronize to Azure Active Directory, so maybe you have a multi-domain forest and you want to select just certain domains. Maybe one domain has all your users or one domain is specific to a geographical location, or a business unit that you want to sync and have Office 365 available to those users, but in another domain there either aren't any users or it's a different business unit that doesn't need Office 365, so that might be another instance where domain filtering can come in handy.

Organizational unit, it allows you to select exact organizational units to synchronize with Azure Active Directory. And then finally, attribute-based is just what it sounds like. Maybe you want all of the user accounts with the attribute Bryan, or the attribute managers, or something like that. So you can bring specific attributes that match in your Active Directory and sync just those with Azure Active Directory with Office 365.

In addition, you can combine filters. So you can choose to sync only certain users from certain domains in certain organizational units in your on-premises Active Directory forest. So for further information on this I recommend that you do a search in your favorite search engine for Azure ad filtering. What you're looking for is this document right here that runs you down the whole list of considerations when you are planning for filtering Active Directory.

In terms of actually doing it you're going to see that later on in this course. And to give you a preview of that I've gone ahead and opened up my Windows Server environment and started to run the Azure Active Directory Connect tool. And you can see here that as I step through the wizard I will be asked questions about either Domain/OU Filtering and some other Filtering options that we just discussed here. So this is the place where you actually configure that filtering that we just talked about.

And, as with most things, the button clicking is a lot easier than getting the concepts solid in your mind.

