
KB-6839: Configuring Office 365 to exclude AD groups from synchronizing based on the domain name

Centrify Identity Service, App Edition

31 May,16 at 04:54 PM

Applies to: Centrify Identity Service



Question:

Does Centrify provide a method to exclude Active Directory groups from provisioning to Office 365? What
options or attributes can be used for filtering group object types to exclude objects from synchronizing?


Answer:

The Centrify connector supports both trusted-domain and single-domain configurations. In a two-way trust
configuration, groups from every trusted domain are synchronized, and administrators may want to prevent some of
those provisioning actions. To exclude objects, the provisioning script in the Cloud Manager application can be
modified to reject them based on a number of attributes, such as name, location, or domain.

To configure the provisioning script to exclude AD objects from synchronizing:
  1. In Cloud Manager, go to the Apps page and open your Office 365 application.
  2. On the Provisioning page, scroll to the Provisioning script section, and click the downward arrow in the heading.
  3. Modify the provisioning script to exclude an object from synchronization by calling the reject statement.
  4. For example, to exclude groups whose mail attribute contains contoso.com, you could use the following script:

// Only group objects are examined; users pass through untouched.
if (isGroup()) {
    // Write the attributes to the provisioning report for troubleshooting.
    trace("CommonName=" + destination.CommonName);
    trace("DisplayName=" + destination.DisplayName);
    trace("mail=" + destination.Mail);
    // Normalize the mail attribute before comparing the domain.
    var mail = String(destination.Mail).toLowerCase();
    if (mail.indexOf("@contoso.com") >= 0) {
        // reject() stops provisioning of this object; the reason appears in the report.
        reject("We are not syncing groups from domain contoso.com");
    }
}


Administrators can test the script filtering by configuring Office 365 provisioning for "Preview Mode" (optional) and
performing a manual sync. After provisioning completes and a report is generated, administrators can review the
report for events that contain ProvisioningScript, as in the following example for excluding AD groups whose mail
attribute carries the domain suffix contoso.com:


    ProvisioningScript: CommonName=Office 365
    ProvisioningScript: DisplayName=Office 365
    ProvisioningScript: mail=office365@contoso.com
    ProvisioningScript: Provisioning script object was rejected. Reason: We are not syncing groups from domain contoso.com
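
As an added example (not Centrify's code and not part of this article), the script's domain check is reproduced below as a stand-alone JavaScript program so it can be run offline. Centrify's script environment normally supplies isGroup(), trace(), reject() and the destination object; here they are stubbed inside runProvisioningScript(), and the sample directory objects and the EXCLUDED_DOMAINS list are constructed. The check goes slightly beyond the script above: it compares the full mail domain instead of an indexOf() substring, so an address such as ops@contoso.com.example is not excluded by accident, it accepts a list of domains, and a group with no mail attribute is allowed rather than rejected. The output mimics the ProvisioningScript report lines shown above.

```javascript
// Added example, not Centrify's code: a stand-alone simulation of the Office 365
// provisioning-script filter. Centrify's script environment supplies isGroup(),
// trace(), reject() and the `destination` object; here they are stubbed inside
// runProvisioningScript() so the domain check can be exercised offline.

// Domains whose groups must not be provisioned (constructed sample values).
const EXCLUDED_DOMAINS = ["contoso.com", "fabrikam.com"];

// Return the domain part of a mail address in lower case, or null when the
// attribute is missing, empty or has no "@" (mail-less groups are common and
// must not be rejected by accident).
function mailDomain(mail) {
  if (mail === null || mail === undefined) return null;
  const s = String(mail).trim().toLowerCase();
  const at = s.lastIndexOf("@");
  if (at < 0 || at === s.length - 1) return null;
  return s.slice(at + 1);
}

// Decide whether a group should be rejected. The whole domain is compared
// rather than using indexOf(), so "ops@contoso.com.example" is not excluded
// by a substring match. Returns the reject reason, or null to allow the object.
function rejectReasonForGroup(mail, excluded = EXCLUDED_DOMAINS) {
  const domain = mailDomain(mail);
  if (domain === null) return null;
  for (const d of excluded) {
    if (domain === d.toLowerCase()) {
      return "We are not syncing groups from domain " + d;
    }
  }
  return null;
}

// Simulate one provisioning run over a list of directory objects and return
// the report lines in the shape of the ProvisioningScript entries that
// Cloud Manager writes after a sync.
function runProvisioningScript(objects) {
  const report = [];
  const trace = (msg) => report.push("ProvisioningScript: " + msg); // trace() stub
  for (const destination of objects) {
    if (destination.ObjectClass !== "group") continue;              // isGroup() stub
    trace("CommonName=" + destination.CommonName);
    trace("DisplayName=" + destination.DisplayName);
    trace("mail=" + destination.Mail);
    const reason = rejectReasonForGroup(destination.Mail);
    if (reason !== null) {                                           // reject() stub
      trace("Provisioning script object was rejected. Reason: " + reason);
    }
  }
  return report;
}

// Constructed sample objects, not real directory data.
const SAMPLE_OBJECTS = [
  { ObjectClass: "group", CommonName: "Office 365", DisplayName: "Office 365", Mail: "office365@contoso.com" },
  { ObjectClass: "group", CommonName: "Finance", DisplayName: "Finance", Mail: "finance@corp.example" },
  { ObjectClass: "group", CommonName: "Legacy", DisplayName: "Legacy", Mail: "ops@contoso.com.example" },
  { ObjectClass: "group", CommonName: "NoMail", DisplayName: "No Mail", Mail: null },
  { ObjectClass: "user", CommonName: "Alice", DisplayName: "Alice", Mail: "alice@contoso.com" },
];

console.log(runProvisioningScript(SAMPLE_OBJECTS).join("\n"));
```

Run with node; the first group produces the same four report lines as the example above, the Finance, Legacy and NoMail groups are traced but allowed, and the user object is never examined. When porting the stricter comparison into the real Cloud Manager script, keep the indexOf() version's behaviour in mind: it also rejects any address whose local part or subdomain merely contains "@contoso.com", which may or may not be what the administrator intends.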
