Ensure Only Users with UPN Suffix of contoso.com Sync to Azure AD | Exam AZ-303

Question

You manage an Active Directory domain named contoso.local.

You install Azure AD Connect and connect to an Azure Active Directory (Azure AD) tenant named contoso.com without syncing any accounts.

You need to ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD.

What should you do?

Answers

Explanations

C

Filtering what objects are synced to Azure AD is a common request and there are many instances where filtering by OU just doesn't cut it. One option is to filter users by their UPN suffix so that only users with the public FQDN as their UPN suffix are synced to Azure AD (e.g., john.doe@acme.com would be synced while jane.doe@internal.acme.com would not).

Filtering can be configured using either the GUI or PowerShell.

Through GUI:

Using The Synchronization Rules Editor

1. Open the Synchronization Rules Editor on the server where Azure AD Connect is installed.

2. Click the Add new rule button on the View and manage your synchronization rules window.

3. Fill out the appropriate fields on the Description tab and click Next >.

4. On the Scoping filter tab, click Add group, then Add clause, add a userPrincipalName attribute filter, and click Next >.

Attribute: userPrincipalName

Operator: ENDSWITH

Value: Your internal UPN suffix prefixed with @ (e.g., @internal.acme.com). Users with this UPN suffix will NOT be synced with Office 365.

https://www.sidekicktech.com/blog/field-notes/2019/upn-suffix-filtering-ad-connect/

The correct answer is C. Use the Synchronization Rules Editor to create a synchronization rule.

Explanation: Azure AD Connect is a tool used to synchronize identities between an on-premises Active Directory and Azure Active Directory. To ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain sync to Azure AD, we need to create a synchronization rule in the Synchronization Rules Editor.

Here are the steps to follow:

  1. Open the Azure AD Connect Synchronization Rules Editor.

  2. Create a new inbound synchronization rule.

  3. Name the rule something like "Filter by UPN suffix".

  4. In the Scoping Filter section, choose "User" as the object type.

  5. Add a filter that includes only users who have a UPN suffix of contoso.com. You can do this by adding a new condition that checks for the userPrincipalName attribute and uses the endsWith operator to check for the contoso.com domain.

  6. In the Transformation section, set the source anchor attribute to the objectGUID attribute.

  7. Save the new synchronization rule.

This synchronization rule will ensure that only users who have a UPN suffix of contoso.com in the contoso.local domain will sync to Azure AD. Any users who do not meet this criterion will not be synced to Azure AD.
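The same rule built with the ADSync PowerShell module instead of the editor GUI, as an added example that is not from this page or from the linked blog post; it serves both the GUI walkthrough above and the numbered steps in this explanation. The cmdlet and parameter names are the ones the Synchronization Rules Editor's Export button emits for a rule, so compare against an export from your own server if in doubt. The connector name contoso.local, the rule name, precedence 50 and the use of NOTENDSWITH (the negated form of the page's ENDSWITH operator, so one clause covers every suffix other than @contoso.com) are assumptions; the cloudFiltered transformation is the metaverse attribute the export to Azure AD honours when an object is to be hidden, which the page's steps do not mention.

```powershell
# Added example (not from the page): create the UPN-suffix scoping rule with the
# ADSync module. Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

# The on-premises AD connector for contoso.local (assumed connector name).
$connector = Get-ADSyncConnector -Name 'contoso.local'

# Custom rules need a precedence below 100 so they win over the out-of-box rules.
New-ADSyncRule `
    -Name 'In from AD - User Filter by UPN suffix' `
    -Description 'Hide users whose UPN suffix is not contoso.com from Azure AD' `
    -Direction 'Inbound' `
    -Precedence 50 `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule

# Scoping filter: users whose userPrincipalName does NOT end with '@contoso.com'.
# Keep the leading '@': a value of plain 'contoso.com' would also match
# someone@notcontoso.com. The page's form of the clause, ENDSWITH '@contoso.local',
# works the same way but excludes one internal suffix at a time.
$condition = New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'userPrincipalName', '@contoso.com', 'NOTENDSWITH'

Add-ADSyncScopeConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition) `
    -OutVariable syncRule

# Transformation: every user caught by the scoping filter gets cloudFiltered = True,
# so the Azure AD export skips them. 'True' is a boolean literal in the expression language.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Destination 'cloudFiltered' `
    -FlowType 'Expression' `
    -ValueMergeType 'Update' `
    -Expression 'True' `
    -OutVariable syncRule

# Persist the rule, then run a full (initial) sync so existing objects are re-evaluated.
Add-ADSyncRule -SynchronizationRule $syncRule[0]
Start-ADSyncSyncCycle -PolicyType Initial
```

Before running the full sync, open Synchronization Service Manager, pick a contoso.local user with a non-contoso.com suffix and a contoso.com user, and use Preview on each to confirm that only the first one receives cloudFiltered = True. A user who was already synced and now falls into scope is removed from Azure AD on the next export (it lands in the recycle bin rather than being hard-deleted), so the preview check is what keeps a mistyped suffix from clearing out the tenant.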