Office 365 Dynamic Distribution Groups Filtered by On-Premises Organizational Unit (OU).


I have been asked a number of times whether it is possible to create Dynamic Distribution Groups (DDGs) in Office 365 filtered by the on-premises Organizational Unit (OU). I recently worked out a method to achieve this in collaboration with a couple of colleagues.

Essentially, we create an inbound synchronization rule in AADConnect that flows the Distinguished Name (DN) from on-premises Active Directory into the metaverse extensionAttributes. The default outbound rules already carry extensionAttribute1 to 15 to Azure AD, where Exchange Online exposes them as CustomAttribute1 to 15, so nothing needs to change on the outbound side.

First and foremost, update your AADConnect version! See https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-version-history.

Steps to create the rule

On the AADConnect server, click Start and type 'sync'; you should see the 'Synchronization Rules Editor'. We will use this tool to create the rule.

Click 'Add new rule' and complete the Description page: give the rule a name and description, select your on-premises AD forest as the Connected System, set Connected System Object Type to user, Metaverse Object Type to person, Link Type to Join, and choose a Precedence below 100. The built-in rules start at precedence 100 and a lower number wins, so a custom rule needs a value in the 0 to 99 range that is not already in use.

Leave the scoping filters blank. The rule then applies to every user object in the connected forest, which also means extensionAttribute10 and extensionAttribute11 will be overwritten on every one of them, so check that nothing else in your environment already uses those two attributes. If you only want the DN for a subset of users, add a scoping filter here instead.

Leave the join rules blank as well.

The real work happens under Transformations. Add two attribute flows of type Expression.

In the first expression I am synchronising the full Distinguished Name from on-premises AD to extensionAttribute10. This surfaces as CustomAttribute10 in Exchange Online:

CStr([dn])

In the second expression I am synchronising the second component of the Distinguished Name to extensionAttribute11. DNComponent counts from the left, so component 1 is the CN of the user object and component 2 is the OU that directly contains it; the function returns only the value (for example 'nintendo', not 'OU=nintendo'). This surfaces as CustomAttribute11 in Exchange Online:

DNComponent(CRef([dn]),2)

Need a different piece of the DN? The full list of expression functions is at https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-functions-reference.

There is no need to do both; I am just showing the possibilities. Perhaps you only need the second expression to build your DDG. Either way, keep in mind that the DN describes your on-premises OU layout, and anyone who can read these custom attributes in Exchange Online or Azure AD will be able to see that layout.

My observations after making these changes

After the rule is created or changed, the new values do not appear in the custom attributes until either:

  1. a value on the individual object is updated and a delta sync runs, or
  2. an initial (full) sync is run.

A delta sync on its own does not revisit unchanged objects, so make sure to run a full sync after creating the rule:

Start-ADSyncSyncCycle -PolicyType Initial

Once an initial sync has run after the rule creation, delta syncs propagate later changes to the DN (such as moving a user to another OU) just fine.
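The whole procedure above (the inbound rule, its two transformations and the initial sync) can also be scripted, which makes it repeatable across staging and production servers. The following is an added example written for this page, not the original author's script or anything shipped with AADConnect: it uses the same cmdlets the Synchronization Rules Editor emits when you export a rule to PowerShell. The rule name, the precedence of 50, and the way the AD connector is selected are assumptions; adjust them to your environment. Run it on the AADConnect server as an administrator.

```powershell
# Added example, not from the original post: create the inbound rule from PowerShell.
# Assumptions: rule name, precedence 50, and selecting the AD connector by ConnectorTypeName.
Import-Module ADSync

# Select the on-premises AD forest connector. With more than one forest, match on $_.Name instead.
$adConnector = Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq 'AD' } |
    Select-Object -First 1
if (-not $adConnector) { throw 'No Active Directory connector found on this server' }

# Built-in rules start at precedence 100; a custom rule needs a free number below that to win.
$precedence = 50
if (Get-ADSyncRule | Where-Object { $_.Precedence -eq $precedence }) {
    throw "Precedence $precedence is already in use; pick another unused value between 0 and 99"
}

# Description page of the Rules Editor. No scoping filter and no join rule are added,
# so the rule applies to every user object the connector imports.
New-ADSyncRule -Name 'In from AD - User DN to extensionAttribute10/11' `
    -Identifier ([guid]::NewGuid().ToString()) `
    -Description 'Flow the on-premises DN and its parent OU name for Dynamic Distribution Group filters' `
    -Direction 'Inbound' `
    -Precedence $precedence `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $adConnector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiry 'False' `
    -ImmutableTag '' `
    -OutVariable syncRule

# Transformation 1: full DN -> extensionAttribute10 (CustomAttribute10 in Exchange Online).
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Source @('dn') -Destination 'extensionAttribute10' `
    -FlowType 'Expression' -ValueMergeType 'Update' `
    -Expression 'CStr([dn])' -OutVariable syncRule

# Transformation 2: second DN component, i.e. the OU directly containing the user
# -> extensionAttribute11 (CustomAttribute11 in Exchange Online).
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Source @('dn') -Destination 'extensionAttribute11' `
    -FlowType 'Expression' -ValueMergeType 'Update' `
    -Expression 'DNComponent(CRef([dn]),2)' -OutVariable syncRule

# Commit the rule to the sync engine and confirm it is in place.
Add-ADSyncRule -SynchronizationRule $syncRule[0]
Get-ADSyncRule | Where-Object { $_.Precedence -eq $precedence } |
    Select-Object Name, Direction, Precedence, Identifier

# New attribute flows are only populated by a full sync; a delta sync skips unchanged objects.
Start-ADSyncSyncCycle -PolicyType Initial
```

The precedence check at the top is worth keeping: a duplicate precedence is rejected by the engine, and a number above 100 would silently lose to the default rules for any attribute they also flow.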

Results on a sample Exchange Online object: CustomAttribute10 holds the full on-premises DN and CustomAttribute11 holds the name of the OU that contains the user.

I am now ready to set up a Dynamic Distribution Group based on CustomAttribute11 with a value of 'nintendo'. I put the full DN in CustomAttribute10 in case there is a use case where it is needed; for example, CustomAttribute11 only sees the immediate parent OU, so a group that should cover users in child OUs as well needs to match on the full DN instead.

I tested all this by creating a Dynamic Distribution Group with an additional rule of CustomAttribute11 equal to 'nintendo'. Note the deliberate lower-case value, used to test whether capitalisation matters; it does not. I then sent an email to the SMTP address of the DDG and confirmed delivery to the individuals in the group. Perfect!
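The DDG can be built and, more importantly, checked from Exchange Online PowerShell rather than the admin centre. The following is an added example written for this page, not the original author's commands: it creates one group on CustomAttribute11 as the post describes, and a second group that uses the full DN in CustomAttribute10 to cover an entire OU subtree, which the single-component attribute cannot do. The group names, aliases and the 'DC=contoso,DC=com' suffix are assumptions; 'nintendo' is the OU name used in the post.

```powershell
# Added example, not from the original post. Assumptions: group names and aliases,
# and the DC=contoso,DC=com suffix of the on-premises forest.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Confirm the synced values arrived before building groups on them.
#    OPATH filters are case-insensitive, which is why 'nintendo' matches 'Nintendo'.
Get-Recipient -Filter "CustomAttribute11 -eq 'nintendo'" |
    Select-Object Name, PrimarySmtpAddress, CustomAttribute10, CustomAttribute11

# 2. Group for users whose immediate parent OU is 'nintendo' (CustomAttribute11).
#    Restricting to UserMailbox keeps contacts and shared mailboxes out of the group.
New-DynamicDistributionGroup -Name 'Nintendo Staff' -Alias 'nintendo-staff' `
    -RecipientFilter "(CustomAttribute11 -eq 'nintendo') -and (RecipientTypeDetails -eq 'UserMailbox')"

# 3. Group for the whole OU subtree using the full DN (CustomAttribute10).
#    DNComponent(CRef([dn]),2) only captures the direct parent, so a user in
#    OU=Marketing,OU=nintendo,DC=contoso,DC=com is missed by the group above;
#    a suffix match on the DN includes every OU nested under 'nintendo'.
New-DynamicDistributionGroup -Name 'Nintendo All' -Alias 'nintendo-all' `
    -RecipientFilter "(CustomAttribute10 -like '*,OU=nintendo,DC=contoso,DC=com') -and (RecipientTypeDetails -eq 'UserMailbox')"

# 4. Preview membership. A DDG is evaluated when mail is sent, so this preview is the
#    way to verify who will receive it before sending a test message.
foreach ($name in 'Nintendo Staff', 'Nintendo All') {
    $ddg = Get-DynamicDistributionGroup -Identity $name
    Write-Host "== $name <$($ddg.PrimarySmtpAddress)> =="
    Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter |
        Select-Object Name, PrimarySmtpAddress, CustomAttribute11
}
```

Note that Exchange Online appends its own exclusions (for example system mailboxes) to the filter you supply, so the RecipientFilter read back in step 4 is longer than the one passed in; previewing with the stored filter rather than your original string shows the membership the transport service will actually use.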

