With Office 365 being adopted by larger companies, most of them only want to synchronize the accounts from a certain OU. This is now possible with the newest version of Directory Synchronization. Microsoft released a new 64-bit version of DirSync back in November of 2011. The new version is based on Forefront Identity Manager 2010, and this is the product that will allow us to filter OUs. Generally when I set up companies, I will create an OU in Active Directory where all the accounts being used by Office 365 will reside. This way I can filter out all the other OUs and only synchronize the ones identified as being cloud accounts. This was a feature that was lacking in previous versions of Directory Synchronization and it’s a welcome addition to most of my customers.
The best-case scenario is to implement filtering before DirSync synchronizes with Office 365 for the first time. When prompted at the end of the Microsoft Online Services Directory Synchronization Configuration setup, uncheck “Synchronize Directories Now” before you click Finish.
If you already have Microsoft Online Services Directory Synchronization installed, simply uninstall the previous version and install the newest version to get this feature. You will be able to set up filtering, but you will have to manually clear all the old non-active accounts from Office 365.
Open FIM 2010 – Depending on the version installed, use one of the paths below.
C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
or
C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
Click Management Agents
Right click SourceAD or Active Directory Connector
Click Properties

Select Configure Directory Partitions
Click the Containers… button

Enter the Directory Sync Service Account or another domain account with the correct permissions, when prompted (clear the MSOL_AD_Sync account)
Click OK

Select the OUs that you want to synchronize with Office 365.

Click OK
Wait for an automatic synchronization to run or force a manual synchronization
Now you see that only the users in the Office365SupportLab.com OU are synchronized with Office 365.
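A way to preview which accounts a container selection covers before the first synchronization, as an added example that is not from the original post or from DirSync itself. The DNs, the `example.com` domain, the OU names and every function name are constructed for illustration, and it assumes the selection behaves as checked and cleared containers where the closest ancestor of an object decides.

```python
def split_rdns(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        esc = (ch == "\\") and not esc
    rdns.append(cur)
    return tuple(r.strip().lower() for r in rdns)

def is_under(dn, container):
    """True if dn is the container itself or sits anywhere below it."""
    d, c = split_rdns(dn), split_rdns(container)
    return len(d) >= len(c) and d[len(d) - len(c):] == c

def in_scope(dn, included, excluded=()):
    """The deepest checked or cleared ancestor container wins (assumed model)."""
    def depth(containers):
        return max((len(split_rdns(c)) for c in containers if is_under(dn, c)),
                   default=-1)
    return depth(included) > depth(excluded)

def preview(dns, included, excluded=()):
    """Return (would_sync, would_not_sync) for a list of exported DNs."""
    sync = [d for d in dns if in_scope(d, included, excluded)]
    skip = [d for d in dns if d not in sync]
    return sync, skip

# Constructed sample data: one cloud OU with a cleared "Disabled" child OU.
INCLUDED = ["OU=CloudUsers,DC=example,DC=com"]
EXCLUDED = ["OU=Disabled,OU=CloudUsers,DC=example,DC=com"]
SAMPLE_DNS = [
    "CN=Alice Smith,OU=CloudUsers,DC=example,DC=com",
    "CN=Bob Jones,OU=Staff,OU=CloudUsers,DC=example,DC=com",
    "CN=Old Temp,OU=Disabled,OU=CloudUsers,DC=example,DC=com",
    "CN=svc-backup,OU=NotCloudUsers,DC=example,DC=com",
    "CN=Doe\\, Jane,OU=cloudusers,DC=Example,DC=com",
    "CN=Administrator,CN=Users,DC=example,DC=com",
]

if __name__ == "__main__":
    sync, skip = preview(SAMPLE_DNS, INCLUDED, EXCLUDED)
    print("Would sync:", *sync, sep="\n  ")
    print("Would not sync:", *skip, sep="\n  ")
```

Accounts in the second list that were synchronized before the filter was set still have to be cleared from Office 365 separately.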


Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.
Kelsey Epps
Office 365 MVP




Excellent article 😉
Thanks Christopher.
This is great, but I did this and it did not change anything on my Office 365 directory. I cannot even delete the ones I do not want. They are all still active and in my account.
You’ll have to use DirSync to remove the unwanted ones. I haven’t had the time to create a blog post on that, so use this one.
http://blog.msgeneral.nl/2011/10/how-to-delete-user-from-office-365-that.html
Loving you for this article.. whole series..!!!
This was exactly what I was looking for! We are going to integrate our domain with about 300 users and when I started to read the how-tos on TechNet I felt like crying.
This looks promising and I think it will get me through all the way.
Great post. I followed these instructions to uncheck our “disabled users” OU from syncing to the Cloud. However, the users in that OU are still syncing to the cloud. Is there an additional step I’m missing to make these changes take effect? It seems the unchecked OUs that were set using the configuration wizard are working, but the changes I made are not.
You will need to remove the objects. See this post.
https://social.technet.microsoft.com/Forums/azure/en-US/e9cafccd-cea2-44af-b36c-13eaa0454c3c/dirsync-not-removing-nonsyncd-users?forum=windowsazureaditpro
Thank you. I followed the steps in that link and it removed those users. I appreciate your followup. These are the steps from that link that I followed:
From the Synchronization Service Manager
Run a Full Import Full Sync from your AD connector
Run a Full Import Full Sync from your Windows Azure Connector THEN
Run an EXPORT on the Windows Azure Connector, this will process the changes as delete requests to Office 365.
Perfect. Thanks for replying back and letting me know how it turned out.
What’s the minimum set of objects I must sync to support Office 365 mailbox moves? I can see that users and groups will need to be ticked, but do I need to include Computers, DCs, or any other non-obvious ones?
Users and groups only.