vrijdag 14 oktober 2011

Filter unwanted users ( like service accounts ) from Office 365 with Dirsync

If you are using Office 365, you will probably notice that Dirsync syncs all users in AD.
Even the service accounts, and other test accounts that you don't want in Office 365.

There is a solution.
Dirsync is actually ILM ( FIM in 64 bit version ), so it uses Management agents for importing AD and exporting to Office 365.
A good thing, because we can use the ILM interface to create filters.

The thing you have to do is start the ILM tool, not the Dirsync tool.
The ILM tool can be found in : C:\program files\Microsoft Online Directory Sync\SYNCBUS\UIShell\miisclient.exe
If you open that file, the ILM interface will open.

To create filters for AD, we need to open the properties of the SourceAD Management Agent.

Then, click the "Configure Connector Filter" tab and select "user" as the Data Source Object Type.
There are already some filters present for the user object which are configured by default.

To add some filters you click the "new" button. In the example below, I configured a filter that excludes users with an accountname that starts with "svc_", because I don't want my service accounts to be created in Office 365. The possibility's with these filters are almost endless.

If Dirsync hasn't synced before, you do not have to follow the next steps.
When Dirsync starts its first import all the user objects present in AD, it will filter out the accounts that meet the filter's condition.

If the initial sync already took place, you need to follow the steps below.
First, we need to do a "Full Import and Sync" for the SourceAD connector.
You can do this by right clicking the SourceAD management agent and choose "Run".
This will open the configured run profiles and will let you choose one.
Choose "Full Import and Sync" and click OK.
This will take some time, depending on the number of objects in AD.

In the import and sync, the Management Agent notices that there are some objects in AD that have been filtered out, so called "Filtered Connections". The number of "Filtered Connections" in AD can be found in the Operations tab under Management Agent Operations.
In the screen below you can see that my filters in the Management Agent filters out 361 accounts.
These accounts will be deleted from Office 365 when the export to Office 365 completes.
( CAUTION, This will also delete the corresponding Mailbox )
If you click the number, you can verify the accounts that will be deleted.

When the Full import and Sync is completed, we need to do a Full Confirming Import and export to Office 365 because we want the changes to end up in Office 365.
Do this by right clicking the "TargetWebService" Management Agent en choosing "Run".
Choose the "Full Confirming Import" and click OK.

When the Full Confirming Import completes, we need to do an Export to Office 365.
Do this by following the above steps again, not choosing for the Confirming Import but the Export.
Click OK.
When the Export completes, the accounts and corresponding mailboxes will have been deleted from Office 365. You can confirm this on the management portal under the users tab ( http://portal.microsoftonline.com )
My configured filters deleted 359 accounts in Office 365 as can be seen below.

I hope this helps cleaning up your users in Office 365, it was pretty helpfull to us!
More Office 365 tips soon!

2 opmerkingen:

  1. please correspondence is done properly so that the company is not one of the data

  2. please correspondence is done properly so that the company is not one of the data