HOWTO: Use Azure AD App Filtering to limit attributes for the objects in scope for Azure AD Connect

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

 

Why look at Attribute Filtering

When installing Azure AD Connect with Express Settings, all objects in the on-premises Active Directory environment are synchronized to Azure AD with the attributes that allow for all hybrid implementations, including Exchange Hybrid and SharePoint Hybrid. This means that, by default, 151 attributes are synchronized for user (and inetorgperson) objects, if they contain values.

Reasons why

Some of these attributes may contain information that is sensitive for your organization, like secret research project names. Other attributes may contain personal data that is not needed (and therefore, in the spirit of GDPR, unwanted) in Azure AD.

Using Azure AD App Filtering in Azure AD Connect, you can limit the set of attributes synchronized from the on-premises Active Directory environment to Azure AD to the ones your hybrid scenarios actually need.

Possible negative impact (What could go wrong?)

As organizations evolve, so do their needs. Being ‘all-in’ in terms of attributes in Azure AD is comfortable: when a new hybrid scenario is introduced, the attributes it needs are already synchronized and Azure AD Connect does not need to be reconfigured. With filtering in place, every new hybrid scenario requires the Azure AD Connect configuration to be revisited to add the attributes that scenario needs. That comfort is the main reason organizations become, and remain, ‘all-in’.

Attribute Filtering comes in two flavors:

  1. Azure AD App Filtering
    Based on 1st-party Azure AD-integrated applications, sets of attributes are available to mix and match. Only the attributes that are required by the selected Azure AD apps, or hybrid scenarios, are synchronized to Azure AD.
  2. Attribute Filtering
    Beyond Azure AD App Filtering, admins can restrict the individual attributes that are synchronized for the objects in scope for Azure AD Connect. Only three attributes are required by the user interface (accountEnabled, sourceAnchor and userPrincipalName).

When you use Attribute Filtering, the selection applies to all objects and object types in scope; there is no per-object-type selection. However, some attributes are required for certain object types, like the cn attribute for groups. When multiple object types use an attribute and one of them requires it, the attribute must remain selected, and it is then synchronized for all object types that carry it.

Attribute Filtering is not supported by Microsoft.
If you run into trouble, Microsoft will require you to synchronize the minimum number of attributes for your hybrid scenarios through Azure AD App Filtering, before offering help.
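Before deciding which attributes to leave unselected, it helps to know which of them actually carry values in the part of the directory that Azure AD Connect has in scope. The following Windows PowerShell script is an added example and not part of the original post or of Azure AD Connect; it uses the Active Directory module to count, per attribute, how many user objects under a given OU have a value, and flags a watch list of attribute names. The OU distinguished name and the watch list are placeholders to adapt to your own environment.

```powershell
# Added example, not code from the original post or from Azure AD Connect.
# Inventories which attributes carry values on the user objects in scope,
# so you know what would leave the forest without Attribute Filtering.
# Assumptions: the Active Directory module is installed; $scope and $watch
# below are placeholders to adapt to your own environment.
Import-Module ActiveDirectory

function Get-PopulatedUserAttributeReport {
    param(
        [Parameter(Mandatory)] [string]   $SearchBase,
        [string[]] $WatchList = @()
    )

    # -Properties * pulls every attribute the caller can read; scope it to the
    # OU(s) Azure AD Connect has in scope rather than the whole domain.
    $users = @(Get-ADUser -Filter * -SearchBase $SearchBase -Properties *)
    if ($users.Count -eq 0) { throw "No user objects found under $SearchBase" }

    # Count, per attribute name, how many users actually have a value for it.
    $counts = @{}
    foreach ($user in $users) {
        foreach ($name in $user.PropertyNames) {
            $value = $user.$name
            if ($null -eq $value) { continue }
            if ($value -is [System.Collections.ICollection] -and $value.Count -eq 0) { continue }
            if ("$value" -eq '') { continue }
            $counts[$name] = 1 + [int]$counts[$name]
        }
    }

    foreach ($name in ($counts.Keys | Sort-Object)) {
        [pscustomobject]@{
            Attribute   = $name
            Populated   = $counts[$name]
            Users       = $users.Count
            OnWatchList = ($WatchList -contains $name)
        }
    }
}

# Placeholder scope, and an illustrative watch list of attributes that often
# hold personal data or free-text notes; it is not a list from Microsoft.
$scope = 'OU=Synced Users,DC=contoso,DC=com'
$watch = @('info', 'comment', 'description', 'employeeID', 'employeeNumber',
           'homePhone', 'mobile', 'streetAddress', 'postalCode') +
         (1..15 | ForEach-Object { "extensionAttribute$_" })

$report = Get-PopulatedUserAttributeReport -SearchBase $scope -WatchList $watch
$report | Sort-Object OnWatchList, Populated -Descending | Format-Table -AutoSize

# Populated watch-list attributes are the ones to weigh against the hybrid
# scenarios you run before leaving them unselected on the Azure AD attributes page.
$report | Where-Object { $_.OnWatchList } |
    Select-Object -ExpandProperty Attribute |
    Set-Content -Path .\attributes-to-review.txt
```

Two things to keep in mind when reading the report: the Active Directory module lists its own friendly names (Surname, GivenName, EmailAddress) next to the LDAP names (sn, givenName, mail), and Azure AD Connect works with the LDAP names; and the script only sees what the account running it is allowed to read, so run it with an account that has at least the read permissions of the Azure AD Connect AD DS connector account.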

 

Getting Ready

To use Attribute Filtering to limit attributes for the objects in scope for Azure AD Connect, meet the following requirements:

System requirements

Make sure you run the latest generally available version of Azure AD Connect.

Privilege requirements

You’ll need to have local privileges on each Windows Server running Azure AD Connect. You’ll need to be a member of the local ADSyncAdmins group, or a member of the custom local group you may have selected as the Azure AD Connect Administrators group during the installation of Azure AD Connect.

On the Azure AD side of things, you’ll need an account that has the Global administrator role assigned.

Additionally, if you want to inventory attributes in the on-premises Active Directory environment before configuring filtering, make sure the Windows PowerShell module for Active Directory is installed on the server you run that inventory from. The ADSync Windows PowerShell module, which is installed together with Azure AD Connect, is what you use to read the resulting connector configuration back on each Azure AD Connect installation.

Who to communicate to

As an Azure AD Connect admin, make sure you communicate to the people managing the on-premises Active Directory environment(s) and the people managing Azure AD for your organization.

 

How to do it

There are two scenarios in which you may use Azure AD App Filtering and Attribute Filtering to limit the attributes synchronized for the objects in scope for Azure AD Connect:

  1. Existing Azure AD Connect configurations
  2. New Azure AD Connect configurations

Existing Azure AD Connect configurations

For existing Azure AD Connect configurations, there are two challenges associated with configuring Azure AD App Filtering and Attribute Filtering:

  • Attributes that have previously been synchronized from on-premises Active Directory to Azure AD remain present in Azure AD. Their values are neither removed nor cleared when you stop synchronizing them.
  • Attributes that have previously been synchronized are typically not manageable in Azure AD, because Azure AD Connect is still their authoritative source.

Perform the below steps to reconfigure an existing Azure AD Connect installation with Azure AD App Filtering to limit the attributes synchronized for the objects in scope for Azure AD Connect:

  • Log on to the Windows Server installation that hosts Azure AD Connect.
  • Click on the Azure AD Connect shortcut on the Desktop or the Start Menu.
    Alternatively, launch: C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe
  • On the Welcome to Azure AD Connect page, click Continue.
  • On the Additional tasks page, click on Customize synchronization options.
  • Click Next.
  • On the Connect to Azure AD page, sign in with an Azure AD-based account with Global Administrator (formerly called Company Administrator) privileges.
    Optionally, perform multi-factor authentication, and/or elevate the account to Global Administrator when using Azure AD Privileged Identity Management (PIM).
  • On the Domain and OU filtering page, make the appropriate selections to limit the objects in scope for Azure AD Connect.
  • On the Optional features page, select the Azure AD app and attribute filtering option.
  • Click Next.

Screenshot: the I want to restrict the list of applications option on the Azure AD apps page of Azure AD Connect

  • On the subsequent Azure AD apps page, select one or more Azure AD apps from the list: Office 365 ProPlus, Exchange Online, SharePoint Online, Lync Online, Azure RMS, Intune, Dynamics CRM and 3rd-party applications.
    Click Next.
  • Alternatively, select the option I want to restrict the list of applications. This clears all selections. After clicking Next, the Azure AD attributes page allows you to select individual attributes if you also enable the I want to further limit the attributes exported to Azure AD option.

The View the list of attributes as comma-separated values link on this page gives you the full list of attributes, which of them are exported and which of them are mandatory. Save that list: it is the record of the selection you made, and the reference to compare against later.

  • Click Next on the Azure AD attributes page.
  • On the Ready to configure page, click Configure.
  • On the Configuration complete page, click Exit to exit the Azure AD Connect configuration wizard and have the synchronization schedule resume.

Perform the above steps on any Staging Mode Azure AD Connect installation you might have, too.

New Azure AD Connect configurations

Perform the below steps to configure a new Azure AD Connect installation with Azure AD App Filtering and Attribute Filtering, for instance with Pass-through Authentication:

  • Log on to the Windows Server installation that you intend to run Azure AD Connect.
    Do not use a Domain Controller for this. Azure AD Connect stores credentials for both the on-premises Active Directory environment and Azure AD, and it should run on a server that is hardened and managed as a Tier 0 asset of its own.
  • Download Azure AD Connect.
  • Double-click AzureADConnect.msi.
  • On the Welcome screen, select the I agree to the license terms and privacy notice option.
  • Click the Next button.
  • On the Express Settings screen, click the Customize button.

Screenshot: the Install required components page of Azure AD Connect

  • On the Install required components screen, click Install.
  • On the User sign-in screen, select the Pass-through authentication option and the Enable single sign-on option.
  • Click Next.
  • On the Connect to Azure AD screen, enter the credentials of an account in Azure AD that has been assigned the global administrator role.
  • Click the Next button.
    Optionally, perform multi-factor authentication, and/or elevate the account to Global Administrator when using Azure AD Privileged Identity Management (PIM).
  • On the Connect your directories screen, click Add directory.
    The AD forest account pop-up window appears.
  • Sign in with an account that is a member of the Enterprise Admins group in the Active Directory forest.
  • Click OK.
  • Back in the Microsoft Azure Active Directory Connect window, click Next.
  • On the Azure AD Sign-in configuration screen, click Next.
  • On the Domain and OU filtering page, make the appropriate selections to limit the objects in scope for Azure AD Connect.
  • Click Next.
  • On the Uniquely identifying your users screen, click Next.
  • On the Filter users and devices screen, click Next.
  • On the Optional features page, select the Azure AD app and attribute filtering option.
  • Click Next.
  • On the subsequent Azure AD apps page, select one or more Azure AD apps from the list: Office 365 ProPlus, Exchange Online, SharePoint Online, Lync Online, Azure RMS, Intune, Dynamics CRM and 3rd-party applications. Click Next.
  • Alternatively, select the option I want to restrict the list of applications. This clears all selections. After clicking Next, the Azure AD attributes page allows you to select individual attributes if you also enable the I want to further limit the attributes exported to Azure AD option. Click Next on the Azure AD attributes page.
  • On the Enable single sign-on screen, click the Enter credentials button.
    A Windows Security pop-up appears to enter the credentials for the specified forest. Enter the credentials of an account that is a member of the Domain Admins group for the Active Directory domain for which Seamless Single Sign-on will be configured, or an account that is a member of the Enterprise Admins group in the Active Directory forest, that contains the domain in which Seamless Single Sign-on will be configured.
  • Click OK.
  • Click Next.
  • Back in the Microsoft Azure Active Directory Connect window, click Next.
  • On the Ready to configure screen, click Install.

Screenshot: the Configuration complete page for a Pass-through Authentication configuration

  • On the Configuration complete screen, click Exit to close the Microsoft Azure Active Directory Connect window and to start synchronization to Azure AD.
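Whether you reconfigured an existing installation or configured a new one, it is worth reading the result back from the server rather than trusting that the wizard applied what you selected, and comparing it between the active and Staging Mode installations. The following Windows PowerShell script is an added example and not part of the original post or of Azure AD Connect. It assumes the ADSync module that ships with Azure AD Connect, that the Azure AD connector carries the default ‘<tenant>.onmicrosoft.com - AAD’ name, and that the wizard’s selection is reflected in that connector’s selected attribute list (the Select Attributes list in the connector’s properties in Synchronization Service Manager, exposed as the AttributeInclusionList property). The expected attribute list is a placeholder; the list you saved from the comma-separated values link in the wizard is the natural input for it.

```powershell
# Added example, not code from the original post or from Azure AD Connect.
# Reads back which attributes the Azure AD connector is configured to carry
# and compares that with the set you intended to keep after filtering.
# Assumptions: ADSync module present (run on the Azure AD Connect server as a
# member of ADSyncAdmins); Azure AD connector named '<tenant>.onmicrosoft.com - AAD';
# the wizard's selection is reflected in the connector's AttributeInclusionList;
# $expected below is a placeholder list.
Import-Module ADSync

function Test-AzureAdConnectorAttributes {
    param(
        [Parameter(Mandatory)] [string[]] $Expected,
        [string] $ConnectorName
    )

    if (-not $ConnectorName) {
        # Default Azure AD connector naming pattern; pass -ConnectorName if yours differs.
        $ConnectorName = Get-ADSyncConnector |
            Where-Object { $_.Name -like '* - AAD' } |
            Select-Object -First 1 -ExpandProperty Name
        if (-not $ConnectorName) { throw 'No Azure AD connector found; specify -ConnectorName.' }
    }

    $connector = Get-ADSyncConnector -Name $ConnectorName
    $selected  = @($connector.AttributeInclusionList)

    # The wizard never lets you unselect these three; if they are missing here,
    # the connector was changed outside the wizard.
    $mandatory = @('accountEnabled', 'sourceAnchor', 'userPrincipalName')

    [pscustomobject]@{
        Connector        = $ConnectorName
        Server           = $env:COMPUTERNAME
        SelectedCount    = $selected.Count
        MissingMandatory = @($mandatory | Where-Object { $selected -notcontains $_ })
        MissingExpected  = @($Expected  | Where-Object { $selected -notcontains $_ })
        StillExported    = @($selected  | Where-Object { ($Expected -notcontains $_) -and ($mandatory -notcontains $_) })
    }
}

# Placeholder: the attributes you kept selected on the Azure AD attributes page.
$expected = @('accountEnabled', 'sourceAnchor', 'userPrincipalName',
              'displayName', 'givenName', 'sn', 'mail', 'proxyAddresses')

$result = Test-AzureAdConnectorAttributes -Expected $expected
$result | Format-List

# Keep a copy per server to diff the active and Staging Mode installations;
# their selections must be identical, or a switch-over changes what is exported.
$result | ConvertTo-Json -Depth 3 |
    Set-Content -Path ".\aadc-attributes-$($env:COMPUTERNAME).json"

if ($result.MissingMandatory.Count -or $result.MissingExpected.Count -or $result.StillExported.Count) {
    Write-Warning 'Connector attribute selection does not match the intended selection.'
}
```

StillExported is the list to act on: every attribute in it still leaves the forest even though you did not intend it to, either because a selected Azure AD app requires it or because it was left selected by mistake. Run the script on the Staging Mode server as well; a Staging Mode installation with a wider selection silently widens the export the moment it is made active.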

 

Concluding

The Azure AD apps and Azure AD attributes pages in the Azure AD Connect Configuration Wizard are only visible when an admin chooses to Customize the Azure AD Connect implementation, instead of using the easy ‘4-click’ Express Settings flow for the Azure AD Connect Configuration Wizard.

While Express may be fast, it might not be the best implementation scenario for most organizations. Especially when you take into account that values for attributes that have been synchronized in the past are not cleared, and cannot be managed from the Azure AD Portal, Azure AD PowerShell or the Graph API, until you completely decommission your Azure AD Connect implementation(s) for the tenant…

Further reading

Azure AD Connect sync: Configure filtering
Azure AD Connect: Custom installation
Azure Active Directory Synchronization: Filtering, Part 1
Azure Active Directory Synchronization: Filtering, Part 2

Series Navigation

<< HOWTO: Use Domain and OU Filtering to limit the objects in scope for Azure AD Connect
HOWTO: Properly delegate Directory permissions to Azure AD Connect service accounts >>
