Office 365: Using AD Connect to sync only specified user accounts
In my last post, Office 365: AD Connect, we walked through the setup using all of the default options. Now let's take a look at the custom options and how to sync only selected user accounts.
First, why would you want to do this? I find it really useful when a client has an existing 365 setup using cloud accounts and now wants to synchronise their on-premises Active Directory user accounts with the cloud. Using this method you can phase in the changes rather than doing them all at once.
Syncing everything in one go risks creating duplicate user accounts wherever there are sync errors. A custom install of AD Connect gives you more control and lets you work at your own pace and test as you go.
Let's get started by first creating a new security group that we will use to specify which users sync with Office 365.
Open up Active Directory Users and Computers, right-click, go to New, then select Group.
Give your group a suitable name (here I use ADSyncGroup), ensure the type is set to Security, then press OK.
For our lab test I add my own account to the group.
Now that we have a new sync group in AD, let's fire up the AD Connect installer.
Agree to the terms and press Continue.
Here is where we select the Customize option.
We don't need to worry about the default options here unless you have a real need to change them. I've not been in a situation where I have needed to change them, so press Install when ready.
The install will only take a minute or two to complete.
Here we specify the method used to authenticate users. In the lab we keep it simple and select Password Synchronization, which allows password hashes from the local AD to be passed to 365.
Enter your cloud admin account login details.
Add a local Active Directory: enter the credentials for a domain admin and press Add Directory.
If the checks pass you will see your domain listed under Configured Directories.
Here we can leave the defaults as shown, but ensure the source anchor is set to objectGUID and the UPN is set to userPrincipalName, then press Next.
Here is where we select the Active Directory group we created earlier. Just enter the name of the group and click Resolve so the system can confirm the group and fill in the DN.
Here we can see the group was confirmed, so let's press Next.
On the optional features page you can configure whatever you require. In our lab we only want password sync, but there are some great features in preview here that are worth knowing about. Let's take a look at what each of these does in case you haven't seen them before.
Exchange hybrid deployment: Used to allow an Exchange hybrid setup; specifically, it allows some Exchange attributes to be synchronised back to the on-premises AD.
Azure AD app and attribute filtering: Used to specify what can and can't sync based on specified attributes.
Password hash synchronization: Allows on-premises AD user password hashes to be synchronised into Office 365. This means users can log into the 365 portal using their local passwords.
Password writeback: Allows passwords to be changed in the 365 portal and then synced back to the on-premises AD.
Group writeback: Allows groups to be created in the 365 portal and then synced back to the on-premises AD.
Device writeback: Allows Azure AD registered devices to be synchronised back into the on-premises AD. This then allows those devices to authenticate with on-premises resources.
Directory extension attribute sync: Allows you to sync custom attributes into 365.
Here we choose to start the sync at the end of the setup process. Press Install to continue.
Press Exit to finish.
Now let's log into the portal and, hey presto, my account has synced and we have avoided all of the clutter we would have had by syncing everything.
Using this method you can now sync only selected user accounts in a controlled manner.
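As an added example (not part of the original post), here is a PowerShell pre-flight check I would run over ADSyncGroup before each batch of users is phased in: it lists the direct members with the objectGUID and userPrincipalName the wizard uses as source anchor and sign-in name, and flags the conditions that most often produce a duplicate or mismatched cloud account. It assumes the RSAT ActiveDirectory module is installed and that $VerifiedDomains is edited to the domains verified in your tenant; the nested-group warning rests on the assumption that the group filter only evaluates direct members.

```powershell
# Added example, not from the original post. Pre-flight check for the
# AD Connect pilot group before the next sync cycle.
# Assumptions: RSAT ActiveDirectory module present; $VerifiedDomains holds
# the domains verified in the tenant (placeholder value below).
Import-Module ActiveDirectory

$GroupName       = 'ADSyncGroup'
$VerifiedDomains = @('contoso.com')   # PLACEHOLDER: replace with your verified domains

# Direct members are what the group filter syncs. -Recursive is used only to
# find users reachable solely through a nested group, which (assumption) the
# filter will not pick up and which would silently be left out of the pilot.
$direct = Get-ADGroupMember -Identity $GroupName | Where-Object objectClass -eq 'user'
$nestedOnly = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.distinguishedName -notin $direct.distinguishedName }

foreach ($m in $direct) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties userPrincipalName, mail, Enabled
    $issues = @()

    if (-not $u.UserPrincipalName) {
        # No UPN means the cloud sign-in name will not be what the user expects.
        $issues += 'no userPrincipalName set'
    }
    elseif (($u.UserPrincipalName -split '@')[1] -notin $VerifiedDomains) {
        # An unverified suffix is replaced with the tenant's default
        # .onmicrosoft.com domain, which will not match an existing cloud account.
        $issues += 'UPN suffix is not a verified domain in the tenant'
    }
    if (-not $u.mail)    { $issues += 'no mail attribute (soft match on address not possible)' }
    if (-not $u.Enabled) { $issues += 'account is disabled' }

    [pscustomobject]@{
        User       = $u.SamAccountName
        UPN        = $u.UserPrincipalName
        ObjectGUID = $u.ObjectGUID          # the source anchor chosen in the wizard
        Issues     = if ($issues) { $issues -join '; ' } else { 'OK' }
    }
}

if ($nestedOnly) {
    Write-Warning ('Members only reachable via nested groups will not sync: ' +
                   ($nestedOnly.SamAccountName -join ', '))
}
```

Once every member reports OK, Start-ADSyncSyncCycle -PolicyType Delta (from the ADSync module installed with AD Connect) runs the sync immediately instead of waiting for the scheduler, so you can confirm the new accounts in the portal one batch at a time.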
I hope you found this useful and feel free to leave me a comment.