Sign up for Office 365
Learn more about Office 365
Hi folks,
I've seen posts and questions about support for filtering throughout the forums. Here's a wiki post that will help clear up what is supported, and what is not, with respect to filtering in the Microsoft Online Services Directory Synchronization Tool.
While configuration of custom filtering in the Microsoft Online Services Directory Synchronization Tool is no longer supported, the directory synchronization tool performs some basic filtering of Active Directory objects based on well-known patterns. Objects present in a customer’s on-premise Active Directory that satisfy any of the following conditions, will be excluded from the synchronization process:
Contact objects:
- contains "MSOL" in DisplayName
- msExchHideFromAddressLists = TRUE
SecurityEnabledGroup objects:
- isCriticalSystemObject = TRUE
MailEnabledGroups & MailEnabledContacts objects:
- (proxy addresses does not have a primary SMTP address) and (mail not present/invalid - i.e. indexof('@') <= 0)
iNetOrgPerson objects:
- sAMAccountName is not present
User objects:
- mailNickName starts with "SystemMailbox{"
- mailNickName contains "{"
- mailNickName starts with "CAS_"
- sAMAccountName starts with "CAS_"
- sAMAccountName has "}"
- sAMAccountName equals "SUPPORT_388945a0"
- sAMAccountName equals "MSOL_AD_Sync"
Note: Customers that have previously configured custom filters in the directory synchronization tool, either via the filter file or directly via the Identity Lifecycle Manager (ILM) UI, should find alternate means for preventing Active Directory objects from synchronizing to Microsoft Office 365.
Additionally, any groups (Distribution Lists or Security Groups) with more than 15,000 members will not be synchronized from the on-premise Active Directory to Office 365.
0 out of 1 people found this post helpful.
We really need better filtering options, please. I'm seeing accounts for disabled users, service accounts, etc. showing up in the users list and it's pretty annoying. Is there really no way we can configure DirSync to only sync accounts found in specific OU(s)?
This does seem like a huge miss. This is telling me I'm going to have to go back through a 100 + users and edit some obscure attribute to get them out of the list.
You should fire the *** who thought it would be a good idea not to support scoping/filtering for dirsync. What a ridiculous idea.
I've seen methods on how to accomplish it scattered around the web, but there's always someone to point out that it's not supported and something awful might happen if you try. But what I want to know is; what's the risk? Can I somehow destroy the on-premises AD or something?
Guys, this a HUGE problem!!!!
It's incredible that filtering is not supported, I fully agree with the previous comments. When I will tell this to my client, this will probably lead to a NO GO decision for Office 365 until this is modified.
Is it possible to tell us when an update to the DirSync tool will be published, that enables filtering?