Microsoft Online Services Directory Synchronization tool allows you to keep your local Active Directory continuously synchronized with Office 365. This tool synchronizes user accounts and groups from AD and global address list (GAL) from Exchange Server environment. DirSync is mainly used in scenarios which you want to have rich co-existence and Single Sign-On for identity federation between your AD and Office 365.
The default configuration of DirSync synchronizes almost all types of users from AD to Office 365 environment which meets the requirements of most organizations. However in some scenarios administrators may want to apply filters on DirSync to stop synchronization of some certain objects from AD to Office 365 e.g. filter out disabled user accounts or service accounts etc.
Microsoft Online Services Directory Synchronization uses Microsoft Identity Integration Server (MIIS) for its service. This can be found in C:\Program Files\Microsoft Online Directory Sync\Syncbus\UIShell path on your DirSync server.
If you open miisclient.exe you will notice there are two agents which both were created when you first setup DirSync.
To filter out what is synchronized from AD to Office 365, go to Management Agents, right click SourceAD and click on Properties
On the Properties screen navigate to Configure Connector Filter. If your organization requires more filters on any object types, this is the place to apply them.
Lets have a look at the “user” object type: Under Data Source Object Type find “user” type.
You will see there are some existing filters already applied to user type.
To create more filters on users, select user object type and click New
To create a new filter you need to define the data source attribute and its condition(s). Below you can find a reference to LDAP attributes.
LDAP attributes reference for filtering:
CN - Common Name
CN=Guy Thomas. Actually, this LDAP attribute can be made up from givenName joined to SN.
Maps to 'Name' in the LDAP provider. Remember CN is a mandatory property. See also sAMAccountName.
What you see in Active Directory Users and Computers. Not to be confused with displayName on the Users property sheet.
displayName = Guy Thomas. If you script this property, be sure you understand which field you are configuring. DisplayName can be confused with CN or description.
DN - also distinguishedName
DN is simply the most important LDAP attribute.
CN=Jay Jamieson, OU= Newport,DC=cp,DC=com
Firstname also called Christian name
Home Folder: connect. Tricky to configure
name = Guy Thomas. Exactly the same as CN.
Defines the Active Directory Schema category. For example, objectCategory = Person
objectClass = User. Also used for Computer, organizationalUnit, even container. Important top level container.
Office! on the user's General property sheet
Roaming profile path: connect. Trick to set up
This is a mandatory property, sAMAccountName = guyt. The old NT 4.0 logon name, must be unique in the domain.
If you are using an LDAP provider 'Name' automatically maps to sAMAcountName and CN. The default value is same as CN, but can be given a different value.
SN = Thomas. This would be referred to as last name or surname.
Used to disable an account. A value of 514 disables the account, while 512 makes the account ready for logon.
userPrincipalName = guyt@CP.com Often abbreviated to UPN, and looks like an email address. Very useful for logging on especially in a large Forest. Note UPN must be unique in the forest.
Other Useful LDAP Attributes / Propeties
Country or Region
Company or organization name
Useful category to fill in and use for filtering
Home Phone number, (Lots more phone LDAPs)
l (Lower case L)
L = Location. City ( Maybe Office
Important, particularly for printers and computers.
Mobile Phone number
Usually, User, or Computer
Organizational unit. See also DN
Force users to change their passwords at next logon
Zip or post code
State, Province or County
First line of address
Enable (512) / disable account (514)