Office 365: Using AD Connect to sync only specified user accounts

In my last post, Office 365: AD Connect, we walked through the setup using all of the default options. Now let's take a look at using the custom options and how to sync only selected user accounts.

First, why would you want to do this? I find it really useful when a client has an existing 365 setup using cloud accounts and they now want to synchronise their on-premises Active Directory user accounts with the cloud. Using this method you can phase in the changes rather than doing them all at once.

Syncing everything in one go carries the risk of creating duplicate user accounts wherever there are sync errors. Using a custom install of AD Connect gives you more control and allows you to work at your own pace and test as you go.

Let's get started by creating a new security group that we will use to specify the users that sync with Office 365.

Open up Active Directory Users and Computers, right-click, go to New, then select Group.

Give your group a suitable name (here I use ADSyncGroup), ensure the type is set to Security, then press OK.

For our lab test I add my own account to the group.

Now that we have a new sync group in AD, let's fire up the AD Connect installer.

Agree to the terms and press Continue.

Here is where we select the Customize option.

We don't need to worry about the default options here unless you have a real need to change them. I've not been in a situation where I have needed to change them, so press Install when ready.

The install will only take a minute or two to complete.

Here we specify the method used to authenticate users. In the lab we keep it simple and select Password Synchronization, which allows password hashes from the local AD to be passed to 365.

Enter your cloud admin account login details.

Add a local Active Directory: enter the credentials for a domain admin and press Add Directory.

If the checks pass you will see your domain listed under Configured Directories.

Here we can leave the defaults as shown, but ensure the source anchor is set to objectGUID and the UPN is set to userPrincipalName, then press Next.

Here is where we select the Active Directory group we created earlier. Just enter the name of the group and click Resolve so the system can confirm the group and fill in the DN.

Here we can see the group was confirmed, so let's press Next.

On the optional features page you can configure what you need. In our lab we only want password sync, but there are some great features in preview here that are worth knowing about. Let's take a look at what each of these does, in case you haven't seen them before.

Exchange hybrid deployment: Used to allow an Exchange hybrid setup; specifically, it allows some Exchange attributes to be synchronised back to the on-premises AD.

Azure AD app and attribute filtering: Used to specify what can and can't sync based on specified attributes.

Password hash synchronization: Allows on-premises AD user password hashes to be synchronised into Office 365. This means users can log into the 365 portal using their local passwords.

Password writeback: Allows passwords to be changed in the 365 portal and then synced back to the on-premises AD.

Group writeback: Allows groups to be created in the 365 portal and then synced back to the on-premises AD.

Device writeback: Allows Azure AD registered devices to be synchronised back into the on-premises AD. This then allows those devices to authenticate with on-premises resources.

Directory extension attribute sync: Allows you to sync custom attributes into 365.

Here we select to start the sync at the end of the setup process. Press Install to continue.

Press Exit to finish.

Now let's log into the portal and, hey presto, my account has synced and we have avoided all of the clutter we would have had by syncing everything.

Using this method you can now sync only selected user accounts in a controlled manner.
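An added verification script for the pilot above (not from the original post), covering the checks the comments below ask about: which group AD Connect is filtering on, whether each member of the group will match an existing cloud account rather than create a duplicate, and whether it has actually synced. It assumes the ActiveDirectory, ADSync and MSOnline modules are installed on the AD Connect server, a sync group named ADSyncGroup, and (an assumption) that the wizard stores the filter group DN in the AD connector parameter Connector.GroupFilteringGroupDn.

```powershell
# Added example, not part of the original post. Run on the AD Connect server.
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module MSOnline
Connect-MsolService            # prompts for the cloud admin account used in the wizard

$SyncGroup = 'ADSyncGroup'     # the security group created for the pilot

# 1. Confirm which group AD Connect is filtering on. Assumption: the wizard stores
#    the group DN in the AD connector's Connector.GroupFilteringGroupDn parameter.
$adConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$filterDn = $adConnector.GlobalParameters['Connector.GroupFilteringGroupDn'].Value
if ([string]::IsNullOrEmpty($filterDn)) {
    Write-Warning 'Group filtering is disabled: every user in the selected OUs will sync.'
} else {
    Write-Host "Group filtering is on, DN: $filterDn"
}

# 2. Check each pilot member before it syncs. A UPN suffix that is not a verified
#    domain in the tenant is the usual reason a user fails to match the existing
#    cloud account and ends up as a duplicate.
$verified = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name
$members  = Get-ADGroupMember -Identity $SyncGroup -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties userPrincipalName, objectGUID

foreach ($u in $members) {
    $suffix = ($u.UserPrincipalName -split '@')[-1]
    if ($verified -notcontains $suffix) {
        Write-Warning "$($u.UserPrincipalName): suffix '$suffix' is not a verified tenant domain"
    }
    # With objectGUID as the source anchor, the cloud ImmutableId is the base64 of
    # the on-premises objectGUID, so a match proves the cloud object is tied to
    # this AD account and not a separate cloud-only user.
    $expectedId = [Convert]::ToBase64String($u.ObjectGUID.ToByteArray())
    $cloud = Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $cloud) {
        Write-Host "$($u.UserPrincipalName): not in the tenant yet"
    } elseif ($cloud.ImmutableId -ne $expectedId) {
        Write-Warning "$($u.UserPrincipalName): cloud-only or mismatched (ImmutableId differs)"
    } else {
        Write-Host "$($u.UserPrincipalName): synced, last sync $($cloud.LastDirSyncTime)"
    }
}

# 3. After adding users to the group, push a delta sync instead of waiting for the scheduler.
Start-ADSyncSyncCycle -PolicyType Delta
```

A user reported as "not in the tenant yet" before the delta sync and "synced" afterwards, with LastDirSyncTime populated, is the confirmation the portal status screen is showing.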

I hope you found this useful and feel free to leave me a comment.

Author: Ian@SlashAdmin

  1. I went through this, but my portal does not show Status: Synced with Active Directory.

    In Status, I only show the license. So I am not completely sure how to tell that it has actually worked?

  2. How do I check what group was set up to be the required one for users to be synced? I had a look through all options in Azure AD, which is already set up, but I can't find anything.

    I can see that Filter objects to synchronize by group is set to disabled though, so does that mean that it will sync any users in that OU regardless of whether they are part of a specific group?

    • Hi Dand,

      Yes, if filter objects is disabled then it means everything is being synchronised. This is fine in production because not every account will need licensing. You just add licenses for those accounts you need in Office 365.

  3. Once this setup is run, can it be run again to include Exchange hybrid? I am planning on eventually enabling O365 Exchange, but right now I only need the other services.

  4. This was very helpful. It gets me closer to a goal of setting up an on-premises Active Directory for a client who has an existing O365 tenant and over 200 users. I can now import and, with your steps, sync the passwords to the local Active Directory. Thank you!

  5. Thanks for such an amazing article, it really helped me a lot while using AD Connect. Please also let me know: if, after testing it on certain users, I want to sync all the users, how can I do that while maintaining the users in their respective groups in the on-prem AD?
    Thanks in advance!
