AADConnect Undocumented Filters

From time to time, you may find that you need to selectively filter out users going to Office 365.  The easiest way to do it is with a scoping filter.  We do have some documents on setting the cloudFiltered attribute in the metaverse to True, but that requires creating new rules.  And, if you're in an environment with tight change control, you might not be able to do it.

And this is where your favorite Undocumented Features blog comes in handy.

If you look carefully, Inbound Synchronization Rules 100 (In from AD - User Join), 104 (In from AD - User Common from Exchange), 106 (In from AD - User Common), 110 (In from AD - Group Join), 111 (In from AD - Group Exchange), and 112 (In from AD - Group Common) all have a built-in scoping filter.


In the case of the user rules:

 adminDescription NOTSTARTSWITH User_

and for groups (wait for it...):

 adminDescription NOTSTARTSWITH Group_

That's right. You can crack open ADUC (be sure to flip on Advanced Features before you navigate anywhere, since that's something we haven't taken the time to fix in the last 17 years), find a user (well, really navigate to them in the tree, because that is something ELSE we haven't taken the time to fix in the last 17 years), and add User_whatever to the adminDescription attribute.  Or Group_whatever for a group.  I'm sure you could have figured that out.

And the object will be filtered out on the next sync cycle.
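The same thing from PowerShell, as an added example that is not part of the original post: one function sets the prefix the built-in rules scope on, one clears it, and one audits every object in the forest that is currently excluded this way (useful because flipping this attribute silently drops an object from sync scope). It assumes the RSAT ActiveDirectory module, rights to modify the target objects, and placeholder sAMAccountNames ("jsmith", "Finance-Temp").

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Set-AADConnectExclusion {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('User', 'Group')][string]$ObjectType,
        [string]$Reason = 'NoSync'
    )
    # The rule only checks the prefix (User_ or Group_); the rest of the value is
    # free text, so use it to record why the object was excluded.
    # Note the prefix must match the object class: User_ on a group does nothing,
    # because rules 110/111/112 look for Group_.
    $value = '{0}_{1}' -f $ObjectType, $Reason
    if ($ObjectType -eq 'User') {
        Set-ADUser  -Identity $Identity -Replace @{ adminDescription = $value }
    } else {
        Set-ADGroup -Identity $Identity -Replace @{ adminDescription = $value }
    }
}

function Remove-AADConnectExclusion {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('User', 'Group')][string]$ObjectType
    )
    # Clearing the attribute brings the object back into scope on the next cycle.
    if ($ObjectType -eq 'User') { Set-ADUser  -Identity $Identity -Clear adminDescription }
    else                        { Set-ADGroup -Identity $Identity -Clear adminDescription }
}

function Get-AADConnectExcludedObjects {
    # Everything the built-in scoping filters currently drop. whenChanged helps
    # spot an exclusion that appeared without a change record behind it.
    Get-ADObject -LDAPFilter '(|(adminDescription=User_*)(adminDescription=Group_*))' `
                 -Properties adminDescription, objectClass, whenChanged |
        Select-Object Name, objectClass, adminDescription, whenChanged, DistinguishedName
}

# Placeholder identities; replace with real objects.
Set-AADConnectExclusion -Identity 'jsmith'       -ObjectType User  -Reason 'ServiceAccount'
Set-AADConnectExclusion -Identity 'Finance-Temp' -ObjectType Group -Reason 'OnPremOnly'
Get-AADConnectExcludedObjects | Format-Table -AutoSize
```

Run `Start-ADSyncSyncCycle -PolicyType Delta` on the AAD Connect server afterwards if you do not want to wait for the scheduler, and keep the audit function in your change-review checklist since nothing else flags this attribute.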