Prevent Azure AD Sync for research.fabrikam.com


Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your network contains an Active Directory forest named fabrikam.com. The forest contains two child domains named corp.fabrikam.com and research.fabrikam.com.

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com.

You install Azure AD Connect and sync all the on-premises user accounts to the Azure AD tenant. You implement seamless single sign-on (SSO).

You plan to change the source of authority for all the user accounts in research.fabrikam.com to Azure AD.

You need to prevent research.fabrikam.com from resyncing to Azure AD.

Solution: You use the Azure AD Connect wizard.

Does this meet the goal?

Answers

Explanations


Correct answer: B

Instead, you should customize the default synchronization rule.

Note: The Synchronization Service Manager UI is used to configure more advanced aspects of the sync engine and to see the operational aspects of the service.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-create-custom-sync-rule

The proposed solution of using the Azure AD Connect wizard to prevent research.fabrikam.com from resyncing to Azure AD does not meet the goal.

The Azure AD Connect wizard is used to configure synchronization between Active Directory and Azure AD, but it does not provide an option to prevent specific domains or objects from syncing. Therefore, the proposed solution is not a valid approach to meet the goal of preventing research.fabrikam.com from syncing to Azure AD.

To prevent research.fabrikam.com from syncing to Azure AD, you can use the Azure AD Connect sync rules. Specifically, you can create an exclusion rule that excludes the research.fabrikam.com domain from the sync process. To create this exclusion rule, you can follow these steps:

  1. Open the Azure AD Connect Synchronization Service Manager.
  2. In the left pane, click on "Connectors" and then select the Active Directory Domain Services connector.
  3. Click on "Configure Directory Partitions" in the Actions pane.
  4. Select the research.fabrikam.com domain partition, and then click on "Containers."
  5. Deselect the checkbox next to "CN=Users," and then click on OK.
  6. Click on "Add" to create a new sync rule.
  7. Give the sync rule a name, such as "Exclude research.fabrikam.com users."
  8. In the Scoping Filter section, select "Domain Name" and then enter "research.fabrikam.com."
  9. In the Transformation section, select "Do not sync this object."
  10. Save the sync rule.

With this exclusion rule in place, any changes to user accounts in the research.fabrikam.com domain will not be synced to Azure AD.
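The same exclusion can be scripted instead of clicked through in the Synchronization Service Manager. The following is an added example, not code from the original page or from Microsoft's documentation: it creates a custom inbound sync rule scoped to research.fabrikam.com that flows the constant True into the metaverse attribute cloudFiltered, which is the attribute the sync engine honours when deciding not to export an object to Azure AD. It assumes the Active Directory connector is named after the forest ('fabrikam.com') and that 'domainFQDN' is available as a scoping attribute on that connector; the rule name, precedence and description are chosen here and not taken from the page.

```powershell
# Added example (not from the original page): create a custom inbound
# synchronization rule that marks every user from research.fabrikam.com as
# cloudFiltered = True, so the sync engine stops exporting those objects to
# Azure AD. Run in an elevated PowerShell session on the Azure AD Connect server.
# Assumptions (not stated on the page): the AD connector is named 'fabrikam.com'
# and 'domainFQDN' is the scoping attribute used to select the child domain.
Import-Module ADSync

$ruleName = 'In from AD - User cloudFiltered research.fabrikam.com'
$domain   = 'research.fabrikam.com'

# A single connector serves the whole forest, including both child domains,
# which is why the exclusion has to be expressed per domain in a scoping filter.
$connector = Get-ADSyncConnector | Where-Object { $_.Name -eq 'fabrikam.com' }
if (-not $connector) { throw "AD connector 'fabrikam.com' not found" }

# Do not create a duplicate rule on a second run.
if (Get-ADSyncRule | Where-Object { $_.Name -eq $ruleName }) {
    throw "Sync rule '$ruleName' already exists"
}

# Precedence below 100 so this custom rule takes priority over the
# default rules, which all have precedence 100 or higher.
New-ADSyncRule `
    -Name $ruleName `
    -Identifier ([guid]::NewGuid().Guid) `
    -Description "Exclude users of $domain from Azure AD sync" `
    -Direction 'Inbound' `
    -Precedence 50 `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule | Out-Null

# Scoping filter: apply only to objects whose domainFQDN equals the research domain.
$condition = New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'domainFQDN', $domain, 'EQUAL'
Add-ADSyncScopeConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition) `
    -OutVariable syncRule | Out-Null

# Transformation: constant flow cloudFiltered <- True.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Destination 'cloudFiltered' `
    -FlowType 'Constant' `
    -ValueMergeType 'Update' `
    -Source @('True') `
    -OutVariable syncRule | Out-Null

# Commit the rule to the sync engine, then run a full sync cycle so the new
# scoping filter is evaluated against every object already in the connector space.
Add-ADSyncRule -SynchronizationRule $syncRule[0]
Start-ADSyncSyncCycle -PolicyType Initial
```

Before running this against production, check the effect on a server in staging mode or with the Synchronization Service Manager's export preview: once an already-synced object becomes cloudFiltered, the next export removes it from Azure AD (it lands in the Azure AD recycle bin), which is the intended effect for the research.fabrikam.com accounts here but would be disruptive if the scoping filter matched more than that domain.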

Therefore, the correct answer to this question is "No."