Review Azure AD Connect Synchronisation Scope

As part of your regular security and operations review, it is important to check and verify the configuration of Azure AD Connect.  Ensuring the OS and Azure AD Connect are up to date is one aspect.  In this post we want to look at the scope of objects which Connect is synchronising.  This is valuable for a few reasons, for example:

  • Many folks have installed Azure AD Connect without configuring any filters
  • New OUs may have been created, and we need to determine whether they are to be synchronised
  • Objects may have been moved in the directory, taking them into or out of the synchronisation scope


Such changes can allow on-premises objects to be represented in the tenant when they were never intended to be, which creates unwanted security risk should those on-premises objects be compromised.  Some objects should also not be synchronised for other operational reasons.


As a side note, how does Azure AD Connect deal with new OUs?


New OU

Well, let’s have an example.  In the screenshot below you can see the Accounts OU.  It is synchronised.

Initial Azure AD Connect OU Filters

Let’s then create a new OU next to it, and see what happens inside of Connect.

New OU Created In AD


If we look at the filtering options in Azure AD Connect after it has next imported from AD, the newly created OU is visible but is NOT in scope of synchronisation.  As expected, the user objects etc. inside this new OU are not visible in Azure AD, as Connect did not synchronise them.

Azure AD Connect - New OU is Not Synchronised
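The review in the side note above can be done from PowerShell rather than by eyeballing the wizard.  The following is an added example, not code from the original post: it reads the OU filter that Azure AD Connect stores for the on-premises connector and lists every OU in the domain with its scope state, newest first, so an OU created since the last review stands out.  It assumes a single-domain forest, a connector named contoso.com (check with `(Get-ADSyncConnector).Name`), and that it runs in an elevated PowerShell session on the Connect server with the ADSync module (installed with Connect) and the ActiveDirectory module (RSAT) available.

```powershell
# Added example, not code from the original post. Lists every OU in the current
# domain alongside the scope state recorded in the Azure AD Connect OU filter.
# Run on the Azure AD Connect server in an elevated PowerShell session.
# Assumption: single-domain forest, on-premises connector named 'contoso.com'.
Import-Module ADSync
Import-Module ActiveDirectory

$ConnectorName = 'contoso.com'   # assumed; check with (Get-ADSyncConnector).Name

function Get-OUScopeState {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [string[]]$Include = @(),
        [string[]]$Exclude = @()
    )
    # Connect persists the OU filter as a container inclusion list and a
    # container exclusion list of DNs. A nested OU inherits the state of its
    # nearest listed ancestor, so the longest listed DN that equals $OuDn or is
    # a suffix of it decides. Nothing listed above the OU means not in scope.
    $state   = 'NotInScope'
    $bestLen = -1
    $lists = @(
        @{ Dns = $Include; State = 'InScope'  },
        @{ Dns = $Exclude; State = 'Excluded' }
    )
    foreach ($list in $lists) {
        foreach ($dn in $list.Dns) {
            $match = ($OuDn -ieq $dn) -or $OuDn.EndsWith(",$dn", [System.StringComparison]::OrdinalIgnoreCase)
            if ($match -and $dn.Length -gt $bestLen) {
                $bestLen = $dn.Length
                $state   = $list.State
            }
        }
    }
    return $state
}

$domainDn  = (Get-ADDomain).DistinguishedName
$connector = Get-ADSyncConnector -Name $ConnectorName
# AD connector partitions are named by the domain naming context DN.
$partition = $connector.Partitions | Where-Object { $_.Name -ieq $domainDn }
if (-not $partition) { throw "No connector partition found for $domainDn" }

$include = @($partition.ConnectorPartitionScope.ContainerInclusionList)
$exclude = @($partition.ConnectorPartitionScope.ContainerExclusionList)
Write-Host "Filter for $domainDn : $($include.Count) included, $($exclude.Count) excluded containers"

# Newest OUs first: anything recent that shows 'NotInScope' needs a decision.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn -Properties whenCreated |
    ForEach-Object {
        [pscustomobject]@{
            Created = $_.whenCreated
            Scope   = Get-OUScopeState -OuDn $_.DistinguishedName -Include $include -Exclude $exclude
            OU      = $_.DistinguishedName
        }
    } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

Two things to keep in mind when reading the output: a brand-new OU reports NotInScope even when it sits directly under a synchronised OU, matching what the screenshot above shows, because the filter lists only the containers the wizard was explicitly told about when it last ran; and an OU that contains objects already in the tenant but now reports Excluded or NotInScope means those objects will be deleted from Azure AD on the next full synchronisation, so check that list before running the wizard.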


OK, let's quickly step through reviewing the synchronisation scope.

Run Azure AD Connect Customize Synchronization Options

Once we have completed the review of the directory, the steps to update the synchronisation options are straightforward.  We will need to run the Customize Synchronization Options task in Azure AD Connect.  This can be accessed via the shortcut on the desktop or by running

"C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe"

We require Global Administrator credentials, or the newer Hybrid Identity Administrator role, to complete this task.

After starting up AD Connect, select the Customize Synchronization option.

Run AD Connect To Update Synchronisation Options

We will then be prompted for tenant and on-premises administrative credentials.

After authenticating, you can choose the Domain and OU filtering options.

AD Connect - Select Directories

Once the directories have been selected, we can move onto selecting the particular OUs.


AD Connect - Select OUs to Synchronise and Those to Ignore

Once the necessary selections have been made, clicking Next takes us to the optional features.  The options below were already selected and are not to be changed at this time.


Since group write back was previously enabled, its configuration is displayed.


Then we are off to the races, and AD Connect will update the configuration.


When the configuration has been updated, you have the option to start the synchronisation process automatically.

If you do not want it to start automatically, then disable the option.  In some cases we may wish to run further verification prior to starting the sync.
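If the option was left unticked, the sync has to be started by hand, and a scope change needs a full cycle rather than a delta.  The following is an added example, not code from the original post, of the checks worth running first and the command that then starts the cycle.  It assumes an elevated PowerShell session on the Connect server with the ADSync module available; the function name is my own.

```powershell
# Added example, not code from the original post. Checks the scheduler state
# and the export deletion threshold, then starts the full synchronisation
# cycle an OU filter change requires. Run on the Azure AD Connect server in an
# elevated PowerShell session. Function name is illustrative.
Import-Module ADSync

function Start-ReviewedFullSync {
    $scheduler = Get-ADSyncScheduler

    if ($scheduler.StagingModeEnabled) {
        Write-Warning 'Server is in staging mode: the cycle will import and sync but not export.'
    }
    if (-not $scheduler.SyncCycleEnabled) {
        Write-Warning 'Scheduled sync is disabled; re-enable it afterwards with Set-ADSyncScheduler -SyncCycleEnabled $true'
    }

    # The export deletion threshold (500 by default) stops the export if the
    # new scope would delete more objects than that in one go. Review it rather
    # than disabling it to push a large, unreviewed deletion through.
    Write-Host 'Export deletion threshold:'
    Get-ADSyncExportDeletionThreshold | Format-List

    # Never start a cycle on top of one that is still running.
    if ($scheduler.SyncCycleInProgress -or (Get-ADSyncConnectorRunStatus)) {
        Write-Warning 'A sync cycle is already in progress; try again when it has finished.'
        return
    }

    # Filter changes need a full (Initial) cycle, not a Delta, so that the new
    # scope is evaluated against every object in the connector space.
    Start-ADSyncSyncCycle -PolicyType Initial
}

Start-ReviewedFullSync
```

If the export later stops with a "stopped-deletion-threshold-exceeded" status, that is the threshold doing its job: go back to the scope review, confirm the deletions are intended, and only then consider a one-off `Disable-ADSyncExportDeletionThreshold`, re-enabling it once the export has completed.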




Rhoderick Milne [MSFT]
