How to stop disabled user accounts from syncing with Azure AD Connect

February 28, 2016 Chris Spanougakis


Hello again,

I have been experimenting lately with Azure AD Connect, the tool that lets you synchronize your on-premises AD accounts to Azure AD. So I thought: what happens when you have some disabled user accounts in your on-premises AD environment? Do you really need them to synchronize? Probably not.

So let’s see what you have to do if you don’t want your disabled user accounts brought up to Azure AD. First, launch the Synchronization Rules Editor tool on your Azure AD Connect server and create a new Inbound synchronization rule using the settings you see in the next picture. The “Connected System” should be your local domain or forest:

screen1

Click “Next” and, in the Scoping filter dialog box, select the Add Group button and then the Add Clause button. Select useraccountcontrol as the Attribute, then select the ISBITSET operator with a value of 2 (bit 2 of userAccountControl is the ACCOUNTDISABLE flag; if you want to know what this value really means, take a look here: https://support.microsoft.com/en-us/kb/305144)

screen2

Click the Next button and skip the Join Rules dialog box. In the Transformations dialog box, click the Add Transformation button and select a Constant FlowType from the list. Then select cloudFiltered as the Target Attribute and set the value to True, as in the next picture:

screen3

Now click the Add button to create the new rule. The new rule will only be applied after a Full Sync, so if you don’t force a sync you should wait a few minutes, or you can start a manual Full Sync using the Synchronization Service Manager:

screen4
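Before forcing the Full Sync, it is worth previewing which on-premises accounts the new rule’s scoping clause will actually match. The following PowerShell is an added example, not code from the original post or from Microsoft: it lists every user whose userAccountControl has bit 2 (ACCOUNTDISABLE) set, re-evaluates the ISBITSET clause locally so you can eyeball the result, checks that the inbound rule exists, and then starts the same Full Sync the post describes via the ADSync module. It assumes the ActiveDirectory RSAT module and the ADSync module are installed on the Azure AD Connect server, and the rule name `Filter disabled users` is a placeholder for whatever name you gave your rule.

```powershell
# Added example (not from the original post): preview which on-premises accounts the
# new inbound rule will mark cloudFiltered, then trigger the Full Sync the rule needs.
# Assumes the ActiveDirectory (RSAT) module and the ADSync module (installed together
# with Azure AD Connect) are available on the machine where this runs.
Import-Module ActiveDirectory
Import-Module ADSync

# Bit 2 of userAccountControl is ACCOUNTDISABLE, the same bit the ISBITSET clause tests.
$AccountDisableBit = 2

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: return only objects whose
# userAccountControl has bit 2 set, i.e. disabled user accounts.
$DisabledUsers = Get-ADUser `
    -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' `
    -Properties userAccountControl, mail

# Re-evaluate the scoping clause in PowerShell so the outcome can be reviewed before syncing.
$Preview = foreach ($User in $DisabledUsers) {
    [pscustomobject]@{
        SamAccountName      = $User.SamAccountName
        UserAccountControl  = $User.userAccountControl
        WillBeCloudFiltered = (($User.userAccountControl -band $AccountDisableBit) -ne 0)
    }
}
$Preview | Format-Table -AutoSize

# Confirm the inbound rule exists before forcing a sync.
# 'Filter disabled users' is a placeholder: use the name you gave the rule in the editor.
$RuleName = 'Filter disabled users'
$Rule = Get-ADSyncRule | Where-Object { $_.Name -eq $RuleName -and $_.Direction -eq 'Inbound' }
if (-not $Rule) {
    Write-Warning "Rule '$RuleName' not found; create it in the Synchronization Rules Editor first."
    return
}

# A new rule only takes effect after a Full Sync; -PolicyType Initial runs a full import
# and full synchronization on every connector, which is what the post's manual Full Sync does.
Start-ADSyncSyncCycle -PolicyType Initial
```

Run it in an elevated PowerShell session on the Azure AD Connect server. The preview table should contain exactly the accounts you expect to disappear from Azure AD; if an account you still need in the cloud shows up there, re-enable it (or narrow the scoping filter) before starting the sync.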

If you do a Metaverse search and check the properties of the disabled user, you can clearly see an attribute called cloudFiltered, which is now set to true:

screen5

If you check your user accounts list in the Azure AD portal, you can see that the disabled user is not on the list, because it was not synchronized:

screen6

However, keep in mind that if you disable an on-premises user account, this account will be removed from the list of your Azure AD accounts, so think twice before disabling it.