KB-7482: Office 365 provisioning script to sync users and groups based on the OU they are in

Centrify Identity Service, App Edition

21 September 2016, 08:40 PM

Applies to: Centrify Identity Service, App Edition and App Plus



Question:

Does Centrify provide a method to only provision to Office 365 users and groups that are in a specific OU?



Answer:

The Centrify connector supports both trusted and individual domain configurations. In both cases, administrators may wish to prevent some provisioning actions. To exclude objects, the provisioning script in the Cloud Manager application can be modified to reject them based on a variety of attributes, such as name, location, or domain, to name a few of the available options.

To configure the provisioning script to only include AD users and groups that are in a specific OU:
  1. In Cloud Manager, go to the Apps page and open your Office 365 application.
  2. On the Provisioning page, scroll to the Provisioning script section, and click the downward arrow in the heading.
  3. Modify the provisioning script to exclude an object from synchronization by calling the reject statement.
  4. For example, if you want to only include users and groups that are in the OU "OUname" at the root, you could use the following script:
 
// For users:
trace("DisplayName=" + destination.DisplayName);

if (isPerson()) {
    destination.UsageLocation = "US";
    var dnArray = getSourcePropertyByName("distinguishedname");
    if (dnArray && dnArray.Length) {
        // The DN is lowercased for a case-insensitive comparison, so the OU
        // string it is compared against must be lowercase as well; comparing a
        // mixed-case "OUname" against the lowercased DN would reject every object.
        var dn = String(dnArray[0]).toLowerCase();
        var targetOu = ",ou=OUname,dc=domain,dc=com".toLowerCase();
        trace("source.dn=" + dn);
        if (dn.indexOf(targetOu) >= 0) {
            trace("User IS in the OU we want to synchronize to Office 365");
        } else {
            trace("User is NOT in the OU we want to synchronize to Office 365");
            reject("User is NOT in the OU we want to synchronize to Office 365");
        }
    }
}

// For groups:
if (isGroup()) {
    var dnArray = getSourcePropertyByName("distinguishedname");
    if (dnArray && dnArray.Length) {
        var dn = String(dnArray[0]).toLowerCase();
        var targetOu = ",ou=OUname,dc=domain,dc=com".toLowerCase();
        trace("source.dn=" + dn);
        if (dn.indexOf(targetOu) >= 0) {
            trace("Group IS in the OU we want to synchronize to Office 365");
        } else {
            trace("Group is NOT in the OU we want to synchronize to Office 365");
            reject("Group is NOT in the OU we want to synchronize to Office 365");
        }
    }
}
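The following is an added example, not Centrify's own provisioning script: a stand-alone Node.js model of the OU check used above, so the matching rule can be exercised offline before it is pasted into Cloud Manager. The engine-provided functions (isPerson, isGroup, trace, reject, getSourcePropertyByName) are assumed and replaced by plain objects and local functions, and every DN and object below is constructed sample data. It goes beyond the script above in three ways: it splits the DN on unescaped commas instead of doing a substring search, it lets the administrator choose whether objects in child OUs are in scope, and it rejects objects whose distinguishedName cannot be read instead of letting them through.

```javascript
// Added example, not Centrify's own provisioning script: a stand-alone
// Node.js model of the OU check, so the matching rule can be tested offline.
// The engine-provided functions (isPerson, isGroup, trace, reject,
// getSourcePropertyByName) are assumed and replaced by plain JavaScript;
// every DN below is constructed data.

// Splits a DN on commas that are not escaped with a backslash and trims
// whitespace around each component. AD DNs are case-insensitive, so the
// whole DN is lowercased first.
function dnComponents(dn) {
  var parts = [], cur = "", s = String(dn).toLowerCase();
  for (var i = 0; i < s.length; i++) {
    var ch = s[i];
    if (ch === "\\" && i + 1 < s.length) { cur += ch + s[++i]; continue; }
    if (ch === ",") { parts.push(cur.trim()); cur = ""; continue; }
    cur += ch;
  }
  parts.push(cur.trim());
  return parts;
}

// Builds the scope predicate. Both sides go through dnComponents, so both are
// lowercase; lowercasing only the DN while the OU literal keeps mixed case
// (a copied "OUname") never matches and would reject every object.
function makeOuFilter(ouDn, includeChildOus) {
  var ouParts = dnComponents(ouDn);
  return function (dn) {
    var parts = dnComponents(dn);
    var depth = parts.length - ouParts.length;   // components below the OU
    if (depth < 1) return false;                 // the OU itself, or unrelated
    for (var i = 0; i < ouParts.length; i++) {
      if (parts[depth + i] !== ouParts[i]) return false;
    }
    return includeChildOus ? true : depth === 1; // depth 1 = direct member
  };
}

// The pitfall the filter above avoids, kept for comparison: a mixed-case
// literal compared against a lowercased DN.
function mixedCaseLiteralMatches(dn) {
  return String(dn).toLowerCase().indexOf(",ou=OUname,dc=domain,dc=com") >= 0;
}

// Makes the same decisions as the provisioning script for one source object
// and returns what the Preview Mode report would show for it. Unlike the
// script in the article, an object with no readable distinguishedName is
// rejected (fail closed) instead of being synchronized.
function evaluateObject(obj, inScope) {
  var lines = [];
  var result = { synced: true, reason: null, usageLocation: null, lines: lines };
  function trace(msg) { lines.push("ProvisioningScript: " + msg); }
  function reject(msg) {
    result.synced = false;
    result.reason = msg;
    trace("Provisioning script object was rejected. Reason: " + msg);
  }
  var kind = obj.type === "group" ? "Group" : "User";
  trace("DisplayName=" + (obj.displayName === undefined ? "null" : obj.displayName));
  if (obj.type === "user") result.usageLocation = "US"; // destination.UsageLocation
  var dnArray = obj.dn ? [obj.dn] : [];                 // getSourcePropertyByName("distinguishedname")
  if (!dnArray.length) {
    reject(kind + " has no distinguishedName; not synchronizing");
    return result;
  }
  var dn = String(dnArray[0]).toLowerCase();
  trace("source.dn=" + dn);
  if (inScope(dn)) {
    trace(kind + " IS in the OU we want to synchronize to Office 365");
  } else {
    var why = kind + " is NOT in the OU we want to synchronize to Office 365";
    trace(why);
    reject(why);
  }
  return result;
}

// Constructed sample objects (not from any real directory).
var SAMPLE_OBJECTS = [
  { type: "user",  displayName: "alice",     dn: "CN=alice,OU=OUname,DC=domain,DC=com" },
  { type: "user",  displayName: "bob",       dn: "cn=bob,ou=Sales,ou=OUname,dc=domain,dc=com" },
  { type: "user",  displayName: "newuser",   dn: "cn=newuser,ou=mac,dc=domain,dc=com" },
  { type: "user",  displayName: "Doe, Jane", dn: "cn=Doe\\, Jane,ou=OUname,dc=domain,dc=com" },
  { type: "group",                            dn: "cn=grouptest,ou=mac,dc=domain,dc=com" },
  { type: "group", displayName: "orphan" }
];

// Runs a whole preview and returns the names that would and would not sync.
function runPreview(objects, ouDn, includeChildOus) {
  var inScope = makeOuFilter(ouDn, includeChildOus);
  var synced = [], rejected = [];
  objects.forEach(function (o) {
    var r = evaluateObject(o, inScope);
    (r.synced ? synced : rejected).push(o.displayName || o.dn);
  });
  return { synced: synced, rejected: rejected };
}

console.log(JSON.stringify(runPreview(SAMPLE_OBJECTS, "ou=OUname,dc=domain,dc=com", true)));
```

Two points worth checking against your own environment: the indexOf test in the article's script matches any object whose DN ends with the OU, which includes objects in child OUs beneath it, so pass false for includeChildOus here if only direct members should be provisioned; and the article's script lets an object without a readable distinguishedName through, which this model deliberately does not.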


Administrators can test the script filtering by configuring Office 365 provisioning for "Preview Mode" (optional) and performing a manual sync. After provisioning is complete and a report is generated, administrators can review the report for events that contain ProvisioningScript, as in the example below for excluding users and groups that are not in the OU OUname:

User:
ProvisioningScript: DisplayName=newuser
ProvisioningScript: source.dn=cn=newuser,ou=mac,dc=domain,dc=com
ProvisioningScript: User is NOT in the OU we want to synchronize to Office 365
ProvisioningScript: Provisioning script object was rejected. Reason: User is NOT in the OU we want to synchronize to Office 365
SyncUserInternal: newuser@domain.com is user record sync rejected: User is NOT in the OU we want to synchronize to Office 365
Not syncing newuser@domain.com due to: User is NOT in the OU we want to synchronize to Office 365

Group:
ProvisioningScript: DisplayName=null
ProvisioningScript: source.dn=cn=grouptest,ou=mac,dc=domain,dc=com
ProvisioningScript: Group is NOT in the OU we want to synchronize to Office 365
ProvisioningScript: Provisioning script object was rejected. Reason: Group is NOT in the OU we want to synchronize to Office 365
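Reviewing the report by eye works for a handful of objects; for a larger directory it helps to summarize the rejections and confirm that none of them came from inside the target OU, since a rejection there means the filter string is wrong (for example a mixed-case OU name compared against the lowercased DN, or a different domain suffix). The following is an added example and not Centrify's code. The report text it parses is constructed from the line formats shown above, with one extra, deliberately wrong rejection added so the check has something to flag; the ProvisioningScript prefix and message texts are taken from the report above, and real reports contain other event types, which the parser ignores.

```javascript
// Added example, not Centrify's code: offline review of a Preview Mode
// provisioning report. SAMPLE_REPORT is constructed from the line formats
// shown in the article; the "carol" record is a deliberately wrong rejection
// (she is inside the target OU) so the audit has something to flag.
var SAMPLE_REPORT = [
  "ProvisioningScript: DisplayName=newuser",
  "ProvisioningScript: source.dn=cn=newuser,ou=mac,dc=domain,dc=com",
  "ProvisioningScript: User is NOT in the OU we want to synchronize to Office 365",
  "ProvisioningScript: Provisioning script object was rejected. Reason: User is NOT in the OU we want to synchronize to Office 365",
  "SyncUserInternal: newuser@domain.com is user record sync rejected: User is NOT in the OU we want to synchronize to Office 365",
  "Not syncing newuser@domain.com due to: User is NOT in the OU we want to synchronize to Office 365",
  "ProvisioningScript: DisplayName=alice",
  "ProvisioningScript: source.dn=cn=alice,ou=ouname,dc=domain,dc=com",
  "ProvisioningScript: User IS in the OU we want to synchronize to Office 365",
  "ProvisioningScript: DisplayName=null",
  "ProvisioningScript: source.dn=cn=grouptest,ou=mac,dc=domain,dc=com",
  "ProvisioningScript: Group is NOT in the OU we want to synchronize to Office 365",
  "ProvisioningScript: Provisioning script object was rejected. Reason: Group is NOT in the OU we want to synchronize to Office 365",
  "ProvisioningScript: DisplayName=carol",
  "ProvisioningScript: source.dn=cn=carol,ou=hr,ou=ouname,dc=domain,dc=com",
  "ProvisioningScript: Provisioning script object was rejected. Reason: User is NOT in the OU we want to synchronize to Office 365"
].join("\n");

// Turns the ProvisioningScript lines into one record per evaluated object.
// A DisplayName line starts a record; source.dn and rejection lines fill it.
function parseReport(text) {
  var records = [], current = null, m;
  text.split(/\r?\n/).forEach(function (line) {
    if ((m = /^ProvisioningScript: DisplayName=(.*)$/.exec(line))) {
      current = { displayName: m[1], dn: null, rejected: false, reason: null };
      records.push(current);
    } else if (current && (m = /^ProvisioningScript: source\.dn=(.*)$/.exec(line))) {
      current.dn = m[1].toLowerCase();
    } else if (current && (m = /^ProvisioningScript: Provisioning script object was rejected\. Reason: (.*)$/.exec(line))) {
      current.rejected = true;
      current.reason = m[1];
    }
  });
  return records;
}

// Parent container of a DN: everything after the first unescaped comma.
function parentOf(dn) {
  for (var i = 0; i < dn.length; i++) {
    if (dn[i] === "," && dn[i - 1] !== "\\") return dn.slice(i + 1);
  }
  return "";
}

// Counts rejections per parent OU and lists any rejected object that lives
// under the target OU, which indicates the filter string is wrong.
function auditRejections(text, targetOuDn) {
  var target = String(targetOuDn).toLowerCase();
  var byOu = {}, unexpected = [];
  parseReport(text).forEach(function (r) {
    if (!r.rejected) return;
    var parent = r.dn ? parentOf(r.dn) : "(no dn)";
    byOu[parent] = (byOu[parent] || 0) + 1;
    var insideTarget = !!r.dn &&
      (parent === target || parent.slice(-(target.length + 1)) === "," + target);
    if (insideTarget) unexpected.push(r.displayName + " <" + r.dn + ">");
  });
  return { rejectedByOu: byOu, unexpectedRejections: unexpected };
}

console.log(JSON.stringify(auditRejections(SAMPLE_REPORT, "ou=OUname,dc=domain,dc=com"), null, 2));
```

An empty unexpectedRejections list together with rejection counts only for the OUs you intended to exclude is the result to look for before turning Preview Mode off; parentOf does not unescape RDN values, which is fine for grouping because the comparison only needs the container part of the DN.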

 

Note: if restriction based on the domain is needed instead, see the following KB article: KB-6839: Configuring Office 365 to exclude AD groups from synchronizing based on the domain name
