Office 365 Dynamic Distribution Groups Filtered by On-Premise Organization Unit (OU).


I have been asked a number of times if it is possible to create Dynamic Distribution Groups in Office 365 filtered by the On-Premise Organizational Unit (OU). I recently worked out a method to achieve this in collaboration with a couple of colleagues.

Essentially we need to create an inbound synchronization rule in AADConnect that sends the Distinguished Name (DN) from On-Premise Active Directory up to Office 365 in custom attributes. The DN carries the OU path, so once it is in Exchange Online a Dynamic Distribution Group can filter on it.

First and foremost, update your AADConnect version! See https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-version-history.

(See the August 2018 update at the end of this article.)

Steps to create the rule

On the AADConnect server click Start and type 'sync'; you should see the 'Synchronization Rules Editor'. We will use this tool to create the rule.

Click 'Add new rule' and complete the first page. Pay close attention to the settings on this page, as the drop-down defaults are not what this scenario needs: Direction is Inbound, Connected System is your on-premises Active Directory connector (not the Office 365 tenant), Connected System Object Type is user, Metaverse Object Type is person, and Link Type must be changed from its default of Provision to Join. Give the rule a unique precedence.

Scoping filters left blank.

Join rules also left blank.

The real work happens under Transformations.

In the first expression I am synchronising the full Distinguished Name from On-Premise AD to extensionAttribute10. This is customAttribute10 in Exchange Online.

CStr([dn])

In the second expression I am synchronising the 2nd component of the Distinguished Name from On-Premise to extensionAttribute11. For a user at CN=Name,OU=Nintendo,OU=Synchronised,... the second component is OU=Nintendo, so the attribute receives the name of the OU that directly contains the user. This is customAttribute11 in Exchange Online.

DNComponent(CRef([dn]),2)

Need something else maybe? Use https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-functions-reference.

There is no need to do both, I am just showing the possibilities. Perhaps you only need the second expression to create your DDG. Bear in mind that the first expression copies the full on-premises OU path into the tenant for every synchronised user; if exposing your directory layout there is a concern, flow only the component you need.
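The same rule can be created from the ADSync PowerShell module on the AADConnect server instead of clicking through the editor. The script below is an added example, not the post's own, and follows the cmdlet sequence the editor's Export button produces; the rule name, description, precedence value 60 and the connector name '8bit.land' are assumptions you should replace with your own.

```powershell
# Added example: build the inbound rule from PowerShell on the AADConnect server.
# Assumed values: rule name, description, precedence 60, connector name '8bit.land'.
Import-Module ADSync

# The rule is Inbound, so the connector is the on-premises AD connector,
# not the Azure AD (tenant) connector.
$connector = Get-ADSyncConnector -Name '8bit.land'

# Link Type must be Join (the editor defaults to Provision, which is wrong here).
# Precedence must be unique; custom rules use a value below the built-in rules (100+).
New-ADSyncRule `
    -Name 'In from AD - User DN to extensionAttribute10/11' `
    -Identifier ([guid]::NewGuid()) `
    -Description 'Flow on-premises DN and parent OU name to extensionAttribute10/11' `
    -Direction 'Inbound' `
    -Precedence 60 `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -OutVariable syncRule

# First transformation: full distinguished name -> extensionAttribute10
# (CustomAttribute10 in Exchange Online). This exposes the whole OU path
# in the tenant; drop this mapping if you only need the parent OU name.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Destination 'extensionAttribute10' `
    -FlowType 'Expression' `
    -ValueMergeType 'Update' `
    -Expression 'CStr([dn])' `
    -OutVariable syncRule

# Second transformation: value of the second DN component (the OU directly
# containing the user) -> extensionAttribute11 (CustomAttribute11 in Exchange Online).
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Destination 'extensionAttribute11' `
    -FlowType 'Expression' `
    -ValueMergeType 'Update' `
    -Expression 'DNComponent(CRef([dn]),2)' `
    -OutVariable syncRule

# Persist the rule, then read it back to confirm the settings took.
Add-ADSyncRule -SynchronizationRule $syncRule[0]
Get-ADSyncRule -Identifier $syncRule[0].Identifier |
    Format-List Name, Direction, LinkType, Precedence, SourceObjectType, TargetObjectType

# A delta sync only flows objects that change afterwards; an initial (full) sync
# is what populates the new attributes on every existing object.
Start-ADSyncSyncCycle -PolicyType Initial
```

Scoping and join rules are left empty here, matching the steps above, so the rule applies to every user the AD connector imports. If you later change the expressions, remember that only an initial sync will recalculate the attributes for objects that have not otherwise changed.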

My observations after making these changes

After changes to the rules, the new values are not seen in the custom attributes until:

  1. A value on the individual object is updated and a delta sync runs or
  2. An initial sync is run.

So make sure to run an initial (full) sync after creating the rule, from an elevated PowerShell session on the AADConnect server:

Start-ADSyncSyncCycle -PolicyType Initial

Once an initial sync has been run after the rule creation, delta syncs send subsequent changes to the OU path just fine.

Results on a sample Exchange Online object:

I am now ready to set up a Dynamic Distribution Group based on CustomAttribute11 with a value of 'nintendo'. I put the full OU path in CustomAttribute10 in case there is a use case out there where this is needed.

I tested all this by creating a Dynamic Distribution Group with an additional rule of customAttribute11 equal to 'nintendo'. Note my deliberate omission of the capitalisation, just to test whether it matters; it does not. I sent an email to the SMTP address of the DDG and confirmed delivery to the individuals in the DDG. Perfect!
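The Exchange Online side of the procedure above, as an added example that is not the post's own code: it first checks that the initial sync has populated CustomAttribute11 on every synchronised mailbox (a delta sync leaves untouched objects empty, as noted above), then creates the DDG from PowerShell rather than the admin centre, and previews the membership Exchange will resolve. It assumes the Exchange Online PowerShell module is installed; the group name 'Nintendo Staff', the value 'Nintendo' and the OU substring 'OU=Synchronised' used for the CustomAttribute10 variant are illustrative.

```powershell
# Added example: verify attribute coverage, then create and preview the DDG.
# Assumed values: group name/alias, the OU name 'Nintendo', substring 'OU=Synchronised'.
Connect-ExchangeOnline

# 1. Coverage check. Objects the initial sync has not processed still have an
#    empty CustomAttribute11; the count should be zero before building the group.
$synced  = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.IsDirSynced }
$missing = $synced | Where-Object { [string]::IsNullOrEmpty($_.CustomAttribute11) }
"{0} of {1} directory-synced mailboxes still lack CustomAttribute11" -f $missing.Count, $synced.Count
if ($missing.Count -gt 0) {
    # Run Start-ADSyncSyncCycle -PolicyType Initial on the AADConnect server first.
    $missing | Select-Object Name, PrimarySmtpAddress | Format-Table
}

# 2. Create the DDG with an OPATH recipient filter. String comparisons in the
#    filter are case-insensitive, so 'nintendo' and 'Nintendo' match the same users.
$filter = "(RecipientTypeDetails -eq 'UserMailbox') -and (CustomAttribute11 -eq 'Nintendo')"
New-DynamicDistributionGroup -Name 'Nintendo Staff' -Alias 'nintendo-staff' -RecipientFilter $filter

# Variant using the full DN in CustomAttribute10: a wildcard match selects every
# user anywhere beneath a branch of the OU tree, which the leaf name alone cannot do.
$treeFilter = "(RecipientTypeDetails -eq 'UserMailbox') -and (CustomAttribute10 -like '*OU=Synchronised*')"
New-DynamicDistributionGroup -Name 'All Synchronised' -Alias 'all-synchronised' -RecipientFilter $treeFilter

# 3. Preview membership exactly as Exchange evaluates the stored filter.
$ddg = Get-DynamicDistributionGroup -Identity 'Nintendo Staff'
Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, CustomAttribute10, CustomAttribute11
```

Compare the preview output with the users you expect under the on-premises OU before sending test mail; a mailbox missing from the preview but present in the OU usually means it has not yet been through an initial sync since the rule was added.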

August 2018 Update

Since first writing this blog article a little over a year ago I have completely rebuilt my lab environment and did not set this configuration back up. I now have a lab with over 75,000 synchronised objects, so I have a good basis to test this again.

I ran through the steps as originally documented with no issues. As I previously noted, only objects which have attributes updated after the rule change will have the On-Premise OU attributes synchronised to the cloud on the next delta sync. I tested this by updating several address fields on a single account and running a delta sync. Of roughly 77,000 objects, only the one I updated was changed by the delta sync. From this test I can confirm the necessity of running an initial sync so that all synchronised objects get the On-Premise OU written to the custom attributes in the cloud. You then have a consistent data set in the cloud to create Dynamic Distribution Groups from.

Running an initial sync after these changes on slightly over 75,000 objects took just under 4 hours to complete in my lab environment.

Comments (15)

  1. sos says:

How do I filter if I have several OUs with the same name?

    1. JeKnight says:

For this scenario you should use the CustomAttribute10 example in this blog post. When you come to add the Dynamic Distribution Group rules, add a string which is unique for each organisational unit. In my example “OU=Nintendo,OU-Synchronised,OU=Office 365” is unique since this is a good chunk of the Organisational Unit tree of those objects.

  2. studerje says:

    When I try to set the transforms up and click the final ‘add’ I get an error stating, “Object reference not set to an instance of an object”. any suggestions?

    1. JeKnight says:

      When running through this and documenting the process I have run into a couple of warnings which stopped me at the same point you are at. Two things come to mind to check:
      1. Update AADConnect to the latest version in case this is an issue for you.
      2. Pay close attention to the settings on the first screen. The settings in the drop down menus tripped me up as I was testing and not completely validating everything. Link Type for example defaults to Provision, where we actually need Join instead.

      1. studerje says:

        Sorry, I should have clarified that I followed the steps as outlined. I updated AADConnect to the latest version and verified the steps.
I just tried it again and triple checked all settings and still get the “Object reference not set to an instance of an object” message. We are running in a hybrid environment; could that be the issue?

  3. Peter Lane says:

    For connected system, it appears you are selecting your local AD domain (8bit.land) — not your O365 tenant domain. Is this correct?

    1. JeKnight says:

      Hi Peter,

      Yes that is correct.

      Thanks,

      Jeremy.

  4. Malachi says:

    Thanks for this post, it helped a ton! I’m wondering how I could use part of the string you set up for CustomAttribute10 to set up a DDL. For instance in your string, if I only wanted to use the ‘OU=Synchronised’ part of the string to set one up, would I use wildcard characters on either side of it to denote that the attribute should contain that OU?

    1. JeKnight says:

      Hi,

      Looking back at my sample screenshots the data in the custom attribute field in Exchange Online ends up as the word ‘Synchronised’. So that is what you put into the logic for the DDL membership.

      Thanks,

      Jeremy.

  5. Jesse Slocum says:

    JeKnight – I am trying to map the “Office” (physicalDeliveryOfficeName) on-prem exchange 2010 to custom attribute 10 O365.

    Are you able to assist?

    1. JeKnight says:

      Hi Jesse,

      Apologies I am unable to directly assist you with setting this up. However, if you follow through the process I think you will be fine taking the On-Premise field you mention and sync’ing that into the cloud.

      Thanks,

      Jeremy.

      1. Jesse Slocum says:

        Sorry for my ignorance but the issue is that I do not know what to put into the “Source” to get it to update. Your example is the DN where I need the source code for Office.

        “In the first expression I am synchronising the full Distinguished Name from On-Premise AD to extensionAttribute10. This is customAttribute10 in Exchange Online.

        CStr([dn])

        In the second expression I am synchronising the 2nd component in the Distinguished Name from On-Premise to extensionAttribute11. This is customAttribute11 in Exchange Online.

        DNComponent(CRef([dn]),2)”

        Instead of CStr([dn]) or DNComponent(CRef([dn]),2)… what do I need to use instead? Do you have a reference table of the acceptable source codes?

        1. JeKnight says:

          The original source field was CStr([dn])
          I created a rule with this as the source and on running the initial sync I have the data sync’ing into the cloud: CStr([physicalDeliveryOfficeName])

          1. Jesse Slocum says:

            You are the best! Thank you!

            Note for others: If in the “Target Attribute” you see your selection is “extension_extensionAttribute##” update it to the selection to be exactly “extensionAttribute##”. I didn’t see the others at first and was wondering why it wasn’t working.

          2. JeKnight says:

Excellent, glad this worked out for you!

            Jeremy.
