Azure AD Connect: Syncing Users with Specific UPN Suffix in Active Directory Domain

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.

Solution: You use the Synchronization Service Manager to modify the Active Directory Domain Services (AD DS) Connector.

Does this meet the goal?

Answers

Explanations

A. Yes
B. No

B

Instead, use the Synchronization Rules Editor to create a synchronization rule.

Note: Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn't cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., john.doe@acme.com would be synced while jane.doe@internal.acme.com would not).

Filtering can be configured using either the GUI (Synchronization Rules Editor) or PowerShell.

https://www.sidekicktech.com/blog/field-notes/2019/upn-suffix-filtering-ad-connect/

The given scenario mentions that an organization is managing an on-premises Active Directory domain named contoso.local and has installed Azure AD Connect to synchronize the on-premises directory with an Azure AD tenant named contoso.com. However, no user accounts have been synchronized yet.

The organization now wants to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain get synchronized to Azure AD. This means that only those users who have an email address in the form of user@contoso.com will be synchronized to Azure AD, while users with a different UPN suffix will not be synchronized.

To achieve this, the solution proposed is to use the Synchronization Service Manager to modify the Active Directory Domain Services (AD DS) Connector.

The AD DS Connector is the component responsible for connecting to the on-premises Active Directory and extracting user and group information for synchronization to Azure AD. By modifying the connector, it is possible to specify which user accounts should be synchronized based on specific criteria.

In this case, the solution involves modifying the AD DS Connector to include a filter that only synchronizes users with a UPN suffix of contoso.com. This can be achieved by creating a filtering rule that includes the condition "userPrincipalName ends with contoso.com".

Therefore, the proposed solution meets the goal of ensuring that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD. Hence, the correct answer is A. Yes.
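The accepted answer (B) points to the Synchronization Rules Editor rather than the Synchronization Service Manager: the connector properties in Synchronization Service Manager only let you scope by domain and OU (Configure Directory Partitions), not by attribute values. An attribute-based scoping filter is an inbound synchronization rule that sets cloudFiltered to True for the objects you want excluded, and the same rule the editor builds can be created from PowerShell with the ADSync module. The script below is an added example, not code from the original page, the linked blog post, or Microsoft; it follows the shape of the script the Synchronization Rules Editor's Export button produces, and it assumes the AD DS connector is named contoso.local as in the question. The rule name and the precedence of 50 are illustrative choices.

```powershell
# Added example (not from the original page): create an inbound synchronization rule
# that marks every on-premises user whose UPN does NOT end in "@contoso.com" as
# cloudFiltered, so only users with the contoso.com UPN suffix reach Azure AD.
# Run on the Azure AD Connect server in an elevated PowerShell session.
# Assumptions: the AD DS connector is named 'contoso.local' (the domain in the
# question); the rule name and precedence are illustrative.
Import-Module ADSync

# Pause the scheduler so a sync cycle does not start while the rule is half-built.
Set-ADSyncScheduler -SyncCycleEnabled $false

$connector = Get-ADSyncConnector -Name 'contoso.local'
$ruleId    = [guid]::NewGuid().ToString()

# Custom inbound rules must use a precedence below the built-in rules (0-99).
New-ADSyncRule `
    -Name 'In from AD - User Filter non-contoso.com UPN' `
    -Identifier $ruleId `
    -Description 'Filter out users whose UPN suffix is not contoso.com' `
    -Direction 'Inbound' `
    -Precedence 50 `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule

# Attribute flow: the constant True into the metaverse attribute cloudFiltered.
# Objects with cloudFiltered = True are not exported to Azure AD.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Destination 'cloudFiltered' `
    -FlowType 'Constant' `
    -ValueMergeType 'Update' `
    -Source @('True') `
    -OutVariable syncRule

# Scoping filter: the rule applies only when the UPN does not end with "@contoso.com".
# The leading "@" matters: a bare 'contoso.com' would also match sub-domain suffixes
# such as user@internal.contoso.com and leave those accounts unfiltered.
$condition = New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'userPrincipalName', '@contoso.com', 'NOTENDSWITH'

Add-ADSyncScopeConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition) `
    -OutVariable syncRule

# Persist the rule, then confirm it was stored with the expected settings.
Add-ADSyncRule -SynchronizationRule $syncRule[0]
Get-ADSyncRule -Identifier $ruleId | Format-List Name, Precedence, Direction

# A new scoping filter is only applied to existing connector-space objects by a full
# import and full synchronization, so resume the scheduler and run an Initial cycle.
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial
```

Before the initial cycle, check the effect with the Synchronization Service Manager's Metaverse Search (filter on cloudFiltered = True) or a connector-space object's Preview, so that a user such as john.doe@contoso.com stays unfiltered while jane.doe@contoso.local is marked cloudFiltered. The scenario in the question has not synced any accounts yet, which is the safe case; if the same rule is added after users have already been exported, the next export deletes the newly filtered objects from Azure AD and may trip the export deletion threshold, so review the pending exports first.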