DirSync filtering and UPN domain suffixes

More and more customers these days have more than one domain used in their business. This may be for branding reasons, or simply because there are multiple companies within the one Active Directory domain or forest.

When setting up Active Directory synchronisation with Microsoft Online Services / Office 365 / Windows Azure Active Directory, a common approach is to set up filtering based on Organizational Units (OUs). However, what happens when you’re working with an AD that has multiple OUs and you want to filter based on UPN domain suffix only?

The key thing to remember with DirSync is that a filter rule describes what to exclude, so any rule you configure under filtering needs to appear as the opposite of what you want: you specify the objects you don’t want synchronised.

For example, if you have a customer with users currently configured with user@domain1.local, but you want their UPNs in Office 365 to use their SMTP address of user@domain1.com or user@domain2.com – how do you do this?

The answer is slightly confusing, but simple when you think about it.

For a staged rollout of Office 365 we want to synchronise users only when their UPN domain suffix has been updated to use either domain1.com or domain2.com. We don’t want to synchronise users who still use domain1.local as they will be created in Office 365 as user@domain1.onmicrosoft.com.

In DirSync or FIM, the Management Agent needs to be configured to filter out the domains you don’t want to synchronise to Office 365, in this case anyone still using domain1.local. In the Management Agent Designer, click on Configure Connection Filter:

Select user:

Press the New button:

Scroll all the way to the bottom, select userPrincipalName, then under Operator select Contains and enter the domain you want to exclude (in this case .local):

Press OK, OK again, run a full import sync, wait for DirSync to do its thing (or force it if you can’t wait) – and presto you should now see the users you chose to sync with the UPNs you want – and not the ones you didn’t want!
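Before running the full import sync, it helps to preview which accounts the rule will exclude. The function below is an added example, not part of the original post or of DirSync itself: it models the "userPrincipalName Contains .local" rule over a list of UPNs and flags two edge cases, accounts excluded only because ".local" appears somewhere other than the suffix, and accounts that pass the filter with a suffix outside the approved list. The function name, the sample UPNs and the case-insensitive substring behaviour of Contains are assumptions.

```powershell
# Added example: preview of the connection filter described in this post.
# Assumption: "Contains" is modelled as a case-insensitive substring match
# on the whole userPrincipalName value.
function Test-UpnConnectionFilter {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$Upn,
        [string]$ExcludeContains = '.local',
        [string[]]$ApprovedSuffix = @('domain1.com', 'domain2.com')
    )
    foreach ($u in $Upn) {
        # The UPN suffix is everything after the last '@'
        $at = $u.LastIndexOf('@')
        $suffix = if ($at -ge 0) { $u.Substring($at + 1) } else { '' }

        # The filter matches anywhere in the string, not just in the suffix
        $filtered = $u.IndexOf($ExcludeContains, [StringComparison]::OrdinalIgnoreCase) -ge 0
        $approved = $ApprovedSuffix -contains $suffix

        $note = if ($filtered -and $approved) {
            'excluded by substring match although the suffix is approved'
        } elseif (-not $filtered -and -not $approved) {
            'would sync with a suffix that is not on the approved list'
        } else { '' }

        [pscustomobject]@{
            Upn    = $u
            Suffix = $suffix
            Syncs  = -not $filtered
            Note   = $note
        }
    }
}

# Constructed sample UPNs (not taken from a real directory)
$sample = @(
    'alice@domain1.com',       # updated user, should sync
    'bob@domain2.com',         # updated user, should sync
    'carol@domain1.local',     # not yet updated, should be filtered
    'dave.local@domain1.com',  # '.local' in the name part, filtered anyway
    'erin@domain1.lan'         # unapproved suffix that the filter does not catch
)
Test-UpnConnectionFilter -Upn $sample | Format-Table -AutoSize

# Against a live directory (requires the ActiveDirectory module):
# Test-UpnConnectionFilter -Upn (Get-ADUser -Filter * | Where-Object UserPrincipalName).UserPrincipalName
```

Any row with a non-empty Note is worth resolving before the staged rollout, either by correcting the account's UPN or by adding a further filter rule.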