AADconnect, do not sync unknown suffix to default domain in O365

Question

take the following config

On premise AD domain with a UPN suffix of AD.Local
UPN suffix is added for AD.com
Some users are set to use AD.com as their UPN suffix, others are left at AD.local
O365 is configured with a verified doamin of AD.com and the default domain of ad.onmicrosoft.com

in early builds of AADConnect, only accounts with update UPN's of AD,com would be sync'ed.
Now (im not sure exactly when this changed), an account that has AD.local as its UX suffix will be sync'ed and get the default domain suffix in O365... so AD.com

I've searched everywhere i can think of - but i cant find a way to turn this off. We only want accounts with the correct UPN suffix to be sync'ed.... if the UPN suffix is not one matched in O365 - dont sync the account.

Answer

Hello @Ben Wosjke ,

since the first version of ADConnect, all accounts with a not verified domain are synchronized and defined with the default .onMicrosoft.com.

I suppose that a specific rule was done to filter only accounts with the correct domain, or perhaps only Organizational units with accounts well formed were synchronized.

Probably one of these filters have been lost after an update or a reinstallation of ADConnect. Sample of filtering are indicated in this page.

https://video2.skills-academy.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering

In your case, you should use attribute filtering on " userPrincipalName" using the operator "ENDSWITH" with the value "@AD.COM".

Regards,

Share via

AADconnect, do not sync unknown suffix to default domain in O365

1 answer

Your answer