Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.
Why look at Domain and OU Filtering
When installing Azure AD Connect with Express Settings, all objects in the on-premises Active Directory environment are synchronized to Azure AD. This may include objects that you don’t need in Azure AD and it may include sensitive objects that you don’t want in Azure AD.
Over the years, many organizations have segmented their Active Directory environments using (sub-) domains and Organizational Units (OUs). This existing segmentation can be reused with Azure AD Connect to provide a means to segment the organization into:
- Domains, containers and OUs to include in the scope of Azure AD Connect, and thus synchronize to Azure AD, and;
- Domains, containers and OUs to leave on-premises.
Reasons why
You might want to exclude domains, containers and OUs from the scope of Azure AD Connect to keep objects on-premises only, because:
- The objects are privileged accounts on-premises and you want to separate on-premises privileges from cloud privileges. In this case, you’ll create separate privileged accounts to use for the cloud privileges;
- The objects are groups that you use to provide access to on-premises resources, without any strategy to migrate these resources to the cloud, or with a distinct strategy to migrate the resources over at a later stage (and start synchronizing the groups at the later stage);
- You have no interest in the Hybrid Azure AD Join feature and want your devices to be merely Active Directory domain-joined. In this case, OUs and containers with devices do not need to be in scope for Azure AD Connect.
- The objects are sensitive, like the objects in the Domain Controllers OU (for those rare Windows Server installations that have the userCertificate attribute filled…), etc.
Possible negative impact (What could go wrong?)
As organizations evolve, so do their needs. The comfort of being ‘all-in’ in terms of objects in Azure AD might be a reason to become and remain ‘all-in’. There will be no need to reconfigure Azure AD Connect to add the domains, containers and/or OUs in scope for Azure AD Connect to enable new scenarios.
In organizations, the people responsible for Azure AD Connect might not be the same people who manage Active Directory. When the latter group thinks up a new OU structure and doesn’t notify the Azure AD Connect people, objects may start falling out of scope and automatically get deleted in Azure AD, hurting productivity.
Getting Ready
To use Domain and OU Filtering to limit the objects in scope for Azure AD Connect, meet the following requirements:
System requirements
Make sure you run the latest generally available version of Azure AD Connect.
Privilege requirements
You’ll need to have local privileges on each Windows Server running Azure AD Connect. You’ll need to be a member of the local ADSyncAdmins group, or a member of the custom local group you may have selected as the Azure AD Connect Administrators group during the installation of Azure AD Connect.
On the Azure AD side of things, you’ll need an account that has the Global administrator role assigned.
Additionally, make sure the Windows PowerShell Module for Active Directory is installed on each of the Azure AD Connect installations, to be able to run the below scripts.
Who to communicate to
As an Azure AD Connect admin, make sure you communicate to the people managing the on-premises Active Directory environment(s) and the people managing Azure AD for your organization.
How to do it
There are two scenarios in which you may use Domain and OU Filtering to limit the objects in scope for Azure AD Connect:
- Existing Azure AD Connect configurations
- New Azure AD Connect configurations
Existing Azure AD Connect configurations
For existing Azure AD Connect configurations, there are two challenges associated with configuring Domain and OU Filtering:
- Objects appear to have been deleted from Azure AD when removed from the scope of Azure AD Connect, but instead they are stored in the Azure AD Recycle Bin for 30 days. After these 30 days, the objects are kept in a purge stage for 14 days. It may take up to 44 days to actually remove objects out of scope of Azure AD Connect from Azure AD.
- When you remove domains, containers and Organizational Units (OUs) from scope, you may hit Azure AD Connect’s Export Object Deletion Threshold. When this happens, follow the steps outlined in HOWTO: Properly set and manage Azure AD Connect’s Export Deletion Threshold.
Perform the below steps to reconfigure an existing Azure AD Connect installation with Domain and OU Filtering to limit the objects in scope for Azure AD Connect:
- Log on to the Windows Server installation that hosts Azure AD Connect.
- Click on the Azure AD Connect shortcut on the Desktop or the Start Menu.
Alternatively, launch: C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe
- On the Welcome to Azure AD Connect page, click Continue.
- On the Additional tasks page, click on Customize synchronization options.
- Click Next.
- On the Connect to Azure AD page, sign in with an Azure AD-based account with Global Administrator or Company Administrator privileges.
Optionally, perform multi-factor authentication, and/or elevate the account to Global Administrator when using Azure AD Privileged Identity Management (PIM).
- When you want to remove entire Active Directory forests from the scope of Azure AD Connect, remove them on the Connect your directories page. Make sure to also remove or reconfigure any service account used by Azure AD Connect in that forest. Click Next when done.
- On the Domain and OU filtering page, select the directory you want to configure filtering for, and select Sync selected domains and OUs. Then, in the field below, tick any domain and/or Organizational Unit (OU) you want to include in the scope of Azure AD Connect.
- On the Optional features page, click Next.
- On the Ready to configure page, click Configure.
- On the Configuration complete page, click Exit to exit the Azure AD Connect configuration wizard and have the synchronization schedule resume.
Perform the above steps on any Staging Mode Azure AD Connect installation you might have, too.
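To verify the result, and to catch the situation described under Possible negative impact (an OU created by the Active Directory admins that silently sits outside the configured scope), the following script lists every OU in a domain together with whether Azure AD Connect currently synchronizes it. This is an added example, not code from the original article: it assumes it runs on the Azure AD Connect server as a member of ADSyncAdmins, that the connector name matches what the Connect your directories page shows (usually the forest DNS name), and that the ContainerInclusionList and ContainerExclusionList are read from each partition’s ConnectorPartitionScope property.

```powershell
# Added example, not code from the original article: report every OU in a domain
# that lies outside the scope Azure AD Connect currently synchronizes.
# Assumptions: run on the Azure AD Connect server as a member of ADSyncAdmins;
# $ConnectorName is the name shown on the Connect your directories page (usually
# the forest DNS name); the inclusion/exclusion lists are read from each
# partition's ConnectorPartitionScope property (assumed property path).
param(
    [Parameter(Mandatory)] [string] $ConnectorName,
    [string] $DomainDnsName = $ConnectorName
)
Import-Module ADSync -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

function Test-OuInScope {
    param([string] $Dn, [string[]] $Included, [string[]] $Excluded)
    # The most specific (longest) matching container wins, so an OU that was
    # ticked again underneath an unticked parent is still reported as in scope.
    if ($Included.Count -eq 0) { return $true }   # no list at all: everything syncs
    $verdict = $false; $bestLength = -1
    $candidates = @($Included | ForEach-Object { @{ Dn = $_; In = $true } }) +
                  @($Excluded | ForEach-Object { @{ Dn = $_; In = $false } })
    foreach ($c in $candidates) {
        $isUnder = ($Dn -ieq $c.Dn) -or
                   $Dn.EndsWith(",$($c.Dn)", [StringComparison]::OrdinalIgnoreCase)
        if ($isUnder -and $c.Dn.Length -gt $bestLength) {
            $bestLength = $c.Dn.Length; $verdict = $c.In
        }
    }
    return $verdict
}

$connector = Get-ADSyncConnector -Name $ConnectorName
$included = @(); $excluded = @()
foreach ($partition in $connector.Partitions) {
    $scope = $partition.ConnectorPartitionScope
    $included += @($scope.ContainerInclusionList | Where-Object { $_ })
    $excluded += @($scope.ContainerExclusionList | Where-Object { $_ })
}

# Walk the live OU tree; anything reported with InScope = False holds objects
# that never reach Azure AD, or that get deleted there if moved into that OU.
$report = Get-ADOrganizationalUnit -Filter * -Server $DomainDnsName |
    ForEach-Object {
        [pscustomobject]@{
            OU      = $_.DistinguishedName
            InScope = Test-OuInScope -Dn $_.DistinguishedName -Included $included -Excluded $excluded
        }
    }
$report | Sort-Object InScope, OU | Format-Table -AutoSize
```

Run it on the active and on any Staging Mode server after each scope change, and again whenever the Active Directory team announces a new OU structure; the domain root and the built-in Users and Computers containers are not OUs and are not listed.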
New Azure AD Connect configurations
Perform the below steps to configure a new Azure AD Connect installation with Domain and OU Filtering, for instance with Pass-through Authentication:
- Log on to the Windows Server installation that you intend to run Azure AD Connect.
You might want to reconsider using a Domain Controller for this, as it is not the most brilliant of ideas.
- Download Azure AD Connect.
- Double-click AzureADConnect.msi.
- On the Welcome screen, select the I agree to the license terms and privacy notice. option.
- Click the Next button.
- On the Express Settings screen, click the Customize button.
- On the Install required components screen, click Install.
- On the User sign-in screen, select the Pass-through authentication option and the Enable single sign-on option.
- Click Next.
- On the Connect to Azure AD screen, enter the credentials of an account in Azure AD that has been assigned the global administrator role.
- Click the Next button.
Optionally, perform multi-factor authentication, and/or elevate the account to Global Administrator when using Azure AD Privileged Identity Management (PIM).
- On the Connect your directories screen, click Add directory.
The AD forest account pop-up window appears.
- Sign in with an account that is a member of the Enterprise Admins group in the Active Directory forest.
- Click OK.
- Back in the Microsoft Azure Active Directory Connect window, click Next.
- On the Azure AD Sign-in configuration screen, click Next.
- On the Domain and OU filtering page, select the directory you want to configure filtering for, and select Sync selected domains and OUs. Then, in the field below, tick any domain and/or Organizational Unit (OU) you want to include in the scope of Azure AD Connect.
- Click Next.
- On the Uniquely identifying your users screen, click Next.
- On the Filter users and devices screen, click Next.
- On the Optional features screen, click Next.
- On the Enable single sign-on screen, click the Enter credentials button.
A Windows Security pop-up appears to enter the credentials for the specified forest. Enter the credentials of an account that is a member of the Domain Admins group for the Active Directory domain for which Seamless Single Sign-on will be configured, or an account that is a member of the Enterprise Admins group in the Active Directory forest that contains the domain in which Seamless Single Sign-on will be configured.
- Click OK.
- Click Next.
- Back in the Microsoft Azure Active Directory Connect window, click Next.
- On the Ready to configure screen, click Install.
- On the Configuration complete screen, click Exit to close the Microsoft Azure Active Directory Connect window and to start synchronization to Azure AD.
Concluding
The Domain and OU filtering page in the Azure AD Connect Configuration Wizard is only visible when an admin chooses to Customize the Azure AD Connect implementation, instead of using the easy ‘4-click’ Express Settings flow for the Azure AD Connect Configuration Wizard.
While Express may be fast, it might not be the best implementation scenario for most organizations.
Further reading
Azure AD Connect sync: Configure filtering
Azure AD Connect: Custom installation
Azure Active Directory Synchronization: Filtering, Part 1
Azure Active Directory Synchronization: Filtering, Part 2
Fantastic article! Helped me a lot
Can this be done using PowerShell?
I have tons of OUs that need to be ticked, and doing it one by one seems like hard work.
Unfortunately not.
You can however, read the settings using the ContainerInclusionList and ContainerExclusionList properties of the Connector.
Additionally, you can export and import settings, when setting up a Staging Mode Azure AD Connect installation to avoid having to tick and untick OUs on that server.
Thanks for this tutorial.
I would like to know how to filter devices in Azure AD Connect. I've tested filtering based on the description attribute, but all devices are synced.