One of your colleagues used Azure AD Connect to synchronize all Active Directory domain user and group accounts to your Azure Active Directory (Azure AD) tenant. As a result, authorized domain users have single sign-on (SSO) access to internally developed software-as-a-service (SaaS) apps that rely on Azure AD authentication.
You need to reconfigure directory synchronization to exclude domain service accounts and user identities that should not have access to the SaaS application.
What should you do?
You should re-run Azure AD Connect in order to perform organizational unit (OU) filtering and thereby customize the Active Directory identities that are replicated to Azure AD. You do not need to uninstall and reinstall Azure AD Connect to make changes to your identity synchronization topology. You just need to re-run the Azure AD Connect wizard, which offers the following options:
* Viewing current configuration
* Customizing synchronization properties
* Refreshing the directory schema
* Configuring staging mode
* Changing user sign-in
In this case, you would choose Customizing synchronization properties to configure OU filtering.
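The answer above covers the wizard step; what a practitioner then wants is a check that the change actually took effect. The following PowerShell is an added example, not part of the original question or answer: it forces the full sync cycle that a filtering change requires, then confirms that no account from the excluded OU still appears as a directory-synchronized user in Azure AD. The OU distinguished name is an assumed placeholder, and the script assumes the ADSync module (installed with Azure AD Connect), the ActiveDirectory RSAT module and the Microsoft.Graph.Users module with User.Read.All consent are available on the machine running it.

```powershell
# Added example (not from the original page): verify OU filtering after re-running
# the Azure AD Connect wizard. The DN below is an assumed placeholder.
$ExcludedOU = 'OU=Service Accounts,DC=corp,DC=example'

# 1. A change to OU filtering only takes effect after a full (Initial) sync cycle.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial | Out-Null

# The cmdlet returns immediately, so poll the scheduler until the cycle finishes.
do { Start-Sleep -Seconds 30 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 2. Collect the on-premises accounts that must no longer be synchronized.
#    Azure AD stores the source anchor as the base64-encoded objectGUID
#    (OnPremisesImmutableId), so compute the same value for comparison.
Import-Module ActiveDirectory
$onPremExcluded = Get-ADUser -Filter * -SearchBase $ExcludedOU -Properties objectGUID |
    Select-Object SamAccountName, UserPrincipalName,
        @{ n = 'ImmutableId'; e = { [Convert]::ToBase64String($_.ObjectGUID.ToByteArray()) } }

# 3. Pull every directory-synchronized user from Azure AD via Microsoft Graph.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All'
$cloudSynced = Get-MgUser -All -Property UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true }

# 4. Any excluded account whose anchor is still present in the cloud is a finding.
$stillSynced = $onPremExcluded |
    Where-Object { $cloudSynced.OnPremisesImmutableId -contains $_.ImmutableId }

if ($stillSynced) {
    Write-Warning "Accounts from $ExcludedOU are still synchronized (cycle pending or filter misconfigured):"
    $stillSynced | Format-Table SamAccountName, UserPrincipalName
} else {
    Write-Host "No accounts from $ExcludedOU remain synchronized to Azure AD."
}
```

Objects that drop out of scope are deleted from Azure AD on the next export (soft-deleted, recoverable for 30 days), so review the list of affected accounts before running the cycle. If the filtering change removes more than the export deletion threshold (500 objects by default), Azure AD Connect blocks the export until it is acknowledged with Disable-ADSyncExportDeletionThreshold or the threshold is raised with Enable-ADSyncExportDeletionThreshold.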
You should not run the Synchronization Rules Editor. This tool allows you to view and potentially remap Active Directory schema attributes to Azure AD properties.
You should not configure conditional access in Azure AD. Conditional access is an Azure AD security feature whereby you can define policy to restrict which Azure AD users are authorized to access cloud-based or on-premises applications. You need to restrict which Active Directory accounts are synchronized to Azure AD.
You should not stop the synchronization service. Doing so does not address the issue of changing which Active Directory accounts are synchronized to Azure AD.