Filtering Users in the Office 365 Directory Synchronization Tool

One of the most important aspects of establishing coexistence with Office 365 is synchronizing an organization’s on-premises Active Directory domain with the directory service in the cloud. The utility Microsoft created to facilitate this critical task is the Office 365 Directory Synchronization Tool (Dirsync). Microsoft released a new 64-bit version of Dirsync in November of 2011. The new version is based on Forefront Identity Manager 2010 where the old 32-bit version was based on Identity Lifecycle Manager 2007 Feature Pack 1. This update makes it possible to run the tool on Microsoft’s latest server operating system, Windows Server 2008 R2.

Although this capability is not new with the latest version of Dirsync, one of the most useful features of this tool is the ability to filter the Active Directory accounts synchronized to Office 365. Many organizations have a large number of application driven accounts, extranet accounts, service accounts or non-mailbox enabled accounts that would only clutter up the Office 365 directory.

The easiest way to implement filtering in Dirsync is to do so before it synchronizes with Office 365 for the first time. So it is very important to remember to uncheck the “Synchronize directories now” box when completing the Microsoft Online Services Directory Synchronization Configuration wizard. After that go to C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell and double-click miisclient.exe to open the FIM 2010 interface.

Open the Properties of the SourceAD Management Agent as illustrated below.

To filter out Organizational Units containing accounts that don’t need to be synchronized, select Configure Directory Partitions on the left-hand pane and then click the Containers button on the right.

Clear the MSOL_AD_Sync account from the credentials prompt and supply domain administrative credentials. Then select the OUs that need to sync with Office 365.

To create more granular filters on searchable criteria, select Configure Connection Filter at the Properties page and Users on the right-hand pane.

For example, the filter illustrated below would omit any users without a mailbox.

Dirsync runs every 3 hours, the first time it syncs it will do so according the filter definitions set in the previous steps. Synchronization activity can then be monitored from the Operations tab of the FIM 2010 interface.

It is also possible to implement Dirsync filtering after the initial sync, but it is more involved and requires greater familiarity with FIM 2010. Credera has extensive experience in designing, planning and implementing Office 365 migrations. If you have questions about this post, upcoming posts or Office 365 in general, please contact us.

• Microsoft
• Exchange Online
• Office 365
• Hybrid
• Microsoft Solutions