Q: How can I control which organizational units are synchronized with Azure Active Directory using DirSync?
A: By default, DirSync synchronizes every applicable user per the rules defined for the user object; however, you may want to control which objects from your on-premises Active Directory are synchronized to Azure Active Directory. This is actually easy to do; just make sure that you clear the option to synchronize now when you configure DirSync, which gives you time to change the synchronization configuration as follows:
- Launch the Forefront Identity Manager (FIM) Synchronization Service graphical interface (the former Microsoft Identity Integration Server, MIIS, client), which is installed as part of DirSync. (DirSync is essentially using FIM behind the scenes.) To do this, run miisclient.exe, which is found in C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell.
- Select the Management Agents tab.
- Right-click the Active Directory Connector and select Properties.
- Select the Configure Directory Partitions node.
- Click the Containers button, which prompts you for a credential. Replace the username and password with those of an administrator account and click OK.
- Select only the OUs you want to have synchronized, as the following figure shows, and click OK.
- Click OK in all the subsequent dialog boxes. Only the selected objects will now replicate.
- If you want to change the rules that decide which objects replicate, you can do so from the same connector properties: select Configure Connector Filter, then select the user object to display all the filter rules, which you can then customize (see the following figure).
You can now trigger a synchronization as documented in "Force DirSync Sync."
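As an added example (not part of the original FAQ), the same sync engine can be driven from PowerShell through its WMI provider once the partitions have been narrowed: the script below locates the AD management agent, refuses to start while another run is in progress, runs a full import/full sync so the connector space is rebuilt from only the selected OUs, and reports the connector-space object count before and after as a sanity check. It assumes the agent is named "Active Directory Connector" (as in the steps above), that a run profile named "Full Import Full Sync" exists on it, and that the account running it is a member of the sync service's admin group; adjust these if your installation differs.

```powershell
# Added example: trigger and verify a run after changing OU partition scope.
# Assumed names (change to match your DirSync install):
$namespace  = 'root\MicrosoftIdentityIntegrationServer'   # sync engine WMI namespace
$maName     = 'Active Directory Connector'                # management agent from the steps above
$runProfile = 'Full Import Full Sync'                     # assumed run profile name

# Locate the management agent object exposed by the sync engine
$ma = Get-WmiObject -Namespace $namespace -Class MIIS_ManagementAgent |
      Where-Object { $_.Name -eq $maName }
if (-not $ma) { throw "Management agent '$maName' was not found in $namespace" }

# Never start a second run while one is in progress; it would fail anyway
$status = $ma.RunStatus().ReturnValue
if ($status -eq 'in-progress') { throw "A run is already in progress on '$maName'" }

# Count connector-space objects before the run for comparison afterwards
$before = $ma.NumCSObjects().ReturnValue

# Run the profile synchronously; ReturnValue is the run result string
$result = $ma.Execute($runProfile).ReturnValue
if ($result -ne 'success') { throw "Run profile '$runProfile' ended with: $result" }

$after = $ma.NumCSObjects().ReturnValue
Write-Output "Connector space objects on '$maName': $before before, $after after"
Write-Output "Review the run history in miisclient.exe before exporting to confirm only the selected OUs are in scope."
```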