October 23, 2013
Posted by on
Who really wants to see all those pesky accounts and groups up in Office 365? Not me (and probably not you if you are reading this). I want to see accounts that I need to give licenses to.
Disclaimer – you can really mess up Office 365. Be careful!
- In Windows Explorer, navigate to “C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell7”.
- Double click miisclient.exe to open this window
- Click on “Management Agents” on the toolbar.
- This is where the magic happens. Right click the “Active Directory” agent and choose properties.
- Select “Configure Connector Filter”.
- Select “user” by scrolling down in the right pane to view the filters for this object.
- Add your filters!
These filters are for things you don’t want. As you can see in the image above, I am filtering for users that DO NOT contain “365” in the ExtensionAttribute15 (you can edit that in Active Directory). By using this, I will only get users that have it. Consider it a “negative filter”.
Now, before you work on this too long, let me give you some hints:
- You can’t filter users based on their group membership. It has to be an attribute that is in their user account (think about what you can see in Active Directory).
- You cannot see attributes that you put in by extending the schema, so you can’t filter on those either.
- If you don’t want to sync other objects, like groups, don’t uncheck the object types or delete the joins or anything else like that. It breaks the sync with Office 365. Instead filter all the objects out by choosing something that you know every object has. In this situation, I didn’t want to replicate the groups to O365, so I filtered for every group object that had a GUID:
- If you really mess something up, delete the Azure agent and the AD agent and re-run the DirSync configuration. It will recreate the agents in their vanilla form. If you messed up Office 365, this may or may not fix it.
That should get you going. Good luck!