Much ado about directory synchronization filtering

Written by: Dan Albright, technical writer for Office 365

Audience: Office 365 for enterprises


 

You’ve been around the block a time or two. You know what’s up. You can run the Microsoft Online Services Directory Synchronization Tool with your eyes closed. You’ve activated, deactivated, and reactivated Active Directory synchronization so many times you suspect that you’re part cloud.

So you know all about directory synchronization, but do you know how filtering works for directory synchronization? No? Well then, let me learn you a thing!

What is directory synchronization filtering?

Filtering is how the Directory Synchronization Tool determines which objects should be synchronized from your local Active Directory into Microsoft Office 365. 

What is filtered out?

The objects that are filtered out are ones (like the Active Directory service accounts) that have no real use in an online service. The Directory Synchronization Tool filters this small set of objects by default. An object in a customer’s on-premises Active Directory is excluded from the synchronization process if it satisfies any of the following conditions:

Contact objects:

  • contains "MSOL" in DisplayName
  • msExchHideFromAddressLists = TRUE

SecurityEnabledGroup objects:

  • isCriticalSystemObject = TRUE

MailEnabledGroups & MailEnabledContacts objects:

  • (proxy addresses do not have a primary SMTP address) and (mail not present/invalid, i.e. indexof('@') <= 0)

iNetOrgPerson objects:

  • sAMAccountName is not present
  • isCriticalSystemObject is present

User objects:

  • mailNickName starts with "SystemMailbox{"
  • mailNickName contains "{"
  • mailNickName starts with "CAS_"
  • sAMAccountName starts with "CAS_"
  • sAMAccountName has "}"
  • sAMAccountName equals "SUPPORT_388945a0"
  • sAMAccountName equals "MSOL_AD_Sync"
  • sAMAccountName is not present
  • isCriticalSystemObject is present

It’s important to note that groups with more than 15,000 members will be filtered out from synchronization with Office 365.
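Because a filtered-out object is removed from the cloud, it helps to check objects against these rules before a sync run. The following is an added example, not code from the original post or from the Directory Synchronization Tool; the dictionary layout, the "types" labels, case-sensitive matching, the literal reading of "is present", and the sample objects are assumptions.

```python
# Added example: default filter rules from the list above, evaluated against
# attribute dicts. The dict layout and the "types" labels are assumptions.
def present(obj, attr):
    return obj.get(attr) not in (None, "", [])  # set to a non-empty value

def is_true(obj, attr):
    return str(obj.get(attr)).upper() == "TRUE"

def filter_reasons(obj):
    """Return the default-filter conditions the object satisfies (empty = syncs)."""
    kinds = set(obj["types"])
    nick = obj.get("mailNickName") or ""
    sam = obj.get("sAMAccountName") or ""
    rules = []
    if "Contact" in kinds:
        rules += [('DisplayName contains "MSOL"', "MSOL" in (obj.get("displayName") or "")),
                  ("msExchHideFromAddressLists = TRUE", is_true(obj, "msExchHideFromAddressLists"))]
    if "SecurityEnabledGroup" in kinds:
        rules += [("isCriticalSystemObject = TRUE", is_true(obj, "isCriticalSystemObject"))]
    if kinds & {"MailEnabledGroup", "MailEnabledContact"}:
        # Exchange marks the primary address with an upper-case "SMTP:" prefix.
        primary = any(a.startswith("SMTP:") for a in obj.get("proxyAddresses") or [])
        bad_mail = str(obj.get("mail") or "").find("@") <= 0  # page: indexof('@') <= 0
        rules += [("no primary SMTP address and mail missing/invalid", not primary and bad_mail)]
    if kinds & {"iNetOrgPerson", "User"}:
        rules += [("sAMAccountName is not present", not present(obj, "sAMAccountName")),
                  ("isCriticalSystemObject is present", present(obj, "isCriticalSystemObject"))]
    if "User" in kinds:
        rules += [('mailNickName starts with "SystemMailbox{"', nick.startswith("SystemMailbox{")),
                  ('mailNickName contains "{"', "{" in nick),
                  ('mailNickName starts with "CAS_"', nick.startswith("CAS_")),
                  ('sAMAccountName starts with "CAS_"', sam.startswith("CAS_")),
                  ('sAMAccountName has "}"', "}" in sam),
                  ("sAMAccountName is SUPPORT_388945a0 or MSOL_AD_Sync",
                   sam in ("SUPPORT_388945a0", "MSOL_AD_Sync"))]
    if any(k.endswith("Group") for k in kinds):
        rules += [("more than 15,000 members", len(obj.get("member") or []) > 15000)]
    return [label for label, hit in rules if hit]

SAMPLES = {  # constructed objects, not real directory data
    "alice": {"types": ["User"], "sAMAccountName": "alice", "mailNickName": "alice"},
    "sysmbx": {"types": ["User"], "sAMAccountName": "SM_1", "mailNickName": "SystemMailbox{constructed}"},
    "dl": {"types": ["MailEnabledGroup"], "mail": "sales", "proxyAddresses": ["smtp:sales@example.com"]},
    "hidden": {"types": ["Contact"], "displayName": "Vendor", "msExchHideFromAddressLists": "TRUE"},
}

if __name__ == "__main__":
    for name, obj in SAMPLES.items():
        print(name, "->", filter_reasons(obj) or "syncs")
```

An empty result means none of the listed default conditions matched; any non-empty result names the conditions that would exclude the object.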

Why are there no custom filters?

If you’re a long-time user of the Directory Synchronization Tool, you may have used the Directory Sync Filter File, or you may have manually configured filters in the Sync Engine. These forms of custom filtering are no longer supported, because in the past the folks who implemented a custom filter weren’t always the folks who managed the user lifecycle.

That means that there are a number of unsupported ways in which a user or group of users can be accidentally deleted. When a user is filtered out, the user account is deleted, their mail is deleted, their Microsoft Lync Online account is gone, and anything else associated with that user in the cloud is gone.

If you find yourself really needing to stop something from syncing and the default filters aren’t helping, check out these instructions.

 

Still need help with filters? Leave us a comment below or post a question in the forums!

 

Comments
  • Audience: Office 365 for Enterprise administrators

    Author: Dan Albright, Office 365 technical writer

    As administrators, you have no doubt built up plenty of experience by now
