Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-6839: Configuring Office 365 to exclude AD groups from synchronizing based on the domain name

App Access Service ,   App Gateway Service ,  

16 January,18 at 12:24 AM


Does Centrify provide a method to exclude Active Directory groups from provisioning to Office 365? What options or attributes can be used for filtering group object types to exclude objects from synchronizing?


The Centrify connector can provide support for both trusted and individual domain configurations. In a 2-way trust configuration, groups from all trusted domains will sync and administrators may wish to prevent provisioning actions. To exclude object types, the provisioning script within the Cloud Manager application can be modified to exclude objects based on a variety of variables such as name, location and domain to name a few available options.

To configure the provisioning script to exclude AD objects from synchronizing :
  1. In Cloud Manager, go to the Apps page and open your Office 365 application.
  2. On the Provisioning page, scroll to the Provisioning script section, and click the downward arrow in the heading.
  3. Modify the provisioning script to exclude an object from synchronization by calling the reject statement.
  4. For example, if the groups with in the mail attribute need to be excluded, the following script can be used:
if (isGroup()) {
   trace("CommonName=" + destination.CommonName);
   trace("DisplayName=" + destination.DisplayName);
   trace("mail=" + destination.Mail);
   var mail = String(destination.Mail).toLowerCase();
   if (mail.indexOf("")>=0)
   { reject("We are not syncing groups from domain"); }

Administrators can test the script filtering by configuring Office 365 provisioning for "Preview Mode" (optional) and performing a manual sync. After provisioning is complete and a report is generated, administrators can review the report for events that contain provisioningscript as displayed in the below example for excluding AD groups that contain a domain suffix of

    ProvisioningScript: CommonName=Office 365
    ProvisioningScript: DisplayName=Office 365
    ProvisioningScript: Provisioning script object was rejected. Reason: We are not syncing groups from domain

Note: if restriction based on the OU is needed instead, please see following KB article: KB-7482: Office 365 provisioning script to sync users and groups based on the OU they are in

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.