With AAD Connect,

The following filtering configuration types can be applied to the Directory Synchronization tool:

  • Group based: Filtering based on a single group can only be configured on initial install using the installation wizard. It is not further covered in this topic.
  • Domain-based: This option enables you to select which domains will synchronize to Azure AD. It also allows you to add and remove domains from the sync engine configuration if you make changes to your on-premises infrastructure after you installed Azure AD Connect sync.
  • Organizational-Unit–based: This filtering option enables you to select which OUs will synchronize to Azure AD. This option will be on all object types in selected OUs.
  • Attribute–based: This option allows you to filter objects based on attribute values on the objects. You can also have different filters for different object types.

You can use multiple filtering options at the same time. For example you can use OU-based filtering to only include objects in one OU and at the same time attribute-based filtering to filter the objects further. When you use multiple filtering methods, the filters use a logical AND between the filters.

Filtering can be applied both on the inbound from Active Directory to the metaverse and outbound from the metaverse to Azure AD. It is recommended to apply filtering on inbound since that is the easiest to maintain. Outbound filtering should only be used if is required to join objects from more than one forest before the evaluation can take place.

Articles about AAD Connect filtering customization:





When a full synchronization is required?


In general, a full synchronization cycle is required because you have added new attributes to both the Active Directory and Azure AD Connector schemas, and introduced custom synchronization rules or modified the OU filtering.