This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi Members,
Good day,
We have a federated domain in Azure. -> eg. fed.dom.lo.com
the AD Connect was set up and it had synchronized all the users in our on-prem domain controller to the Azure.
Assume we had 20k users in the specific OU, which was set for the sync. Now, the change that came in would want us to sync users which have a specific attribute set.
ie, departmentName = xyz and not all.
My doubts are as below,
1.What would happen to the existing users in Azure federated domain, would there be a clean up automatically done? ex, users synced are 20k, but users with attribute are just 3k.
2.How would we do a clean up on Azure domain?
or any better way to achieve this.
Thank you
V
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
@Venugopal B Thanks for reaching out. Please find the answers inline.
1) .What would happen to the existing users in Azure federated domain, would there be a clean up automatically done? ex, users synced are 20k, but users with attribute are just 3k.
VS : There are 2 level of filtering which you can do to achieve your Goal.
a) OU level filtering
: You can create a separate OU for all those 3k users which will have the Department attribute filled. And select only this OU for sync scope, this way these 3k users will still sync up but rest all will get deleted. And as suggested by Andy, you would need to use https://video2.skills-academy.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-prevent-accidental-deletes to be able to delete more objects than 500.
b) Attribute level filtering : You can create a new rule and specify that users with department attribute for eg "Sales" or "IT" should sync up but not anyone else.
This require a little more work as this needs to be carefully created and at the same time you will have to disable other sync rules which might be syncing the users.
This is also called Positive Filtering and you can read more about it here : https://video2.skills-academy.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-
configure-filtering#positive-filtering-only-sync-these
If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.
@Venugopal B I wanted to follow up and know if the above response helped in answering your query. If it did, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
Yes, the objects in Azure will be deleted if you remove that OU from the sync and the new ones will be added.
However, there is a maximum of 500 deleted objects allowed per sync. If you want AADConnect to delete all 20,000 objects, then follow the article below:
The default value of 500 objects can be changed with PowerShell using Enable-ADSyncExportDeletionThreshold, which is part of the AD Sync module installed with Azure Active Directory Connect. You should configure this value to fit the size of your organization. Since the sync scheduler runs every 30 minutes, the value is the number of deletes seen within 30 minutes.
Thank you anonymous userDavid @VipulSparsh-MSFT : I would choose Positive Filtering
1.We do not have a separate OU for these users.
2. We have only one OU, that contains all the users.
I would update once we are good with the steps.
Thank you for your time and support.