Skip to content

Windows Intune: Selective Active Directory Synchronization

In the past months I was glad to had the opportunity to accompany a number of customers with a Windows Intune proof of concept, primarily focused on the Mobile Device Management features introduced by Wave-D of Windows Intune.

The Proof-of-Concept’s (PoC) for Windows Intune showcase the benefits and features of using the Windows Intune service to manage mobile devices in IT environment through the cloud or in a hybrid scenario.

During the POC we had a challenge how to introduce selective synchronization of user objects between on-premise Active Directory and Windows Azure Active Directory. This to achieve to synchronize only those user accounts which are Windows Intune ‘enabled’.


Windows Intune Infrastructure overview.


Before continuing how to configure selective Active Directory Synchronization some background of how Active Directory synchronization between on-premise and off-premise take place.


Although you can manage your authentication entirely in Windows Azure Active Directory (WAAD), you can also synchronize WAAD with an existing on-premise Active Directory environment using the Active Directory directory synchronization (DirSync) tool.

DirSync creates a read-only connection from your on-premise Active Directory to WAAD and ensures that the cloud-based directory is always synchronized with the on-premise directory. If you make a change in your on-premise Active Directory, the change is synchronized to the cloud.

On-premise account passwords are not transferred to the cloud. Users will be assigned a new temporary password. To avoid password confusion, it is recommended that you consider deploying single sign-on (SSO) with Active Directory Federation Services (AD FS). This configuration enables users to access on-premise and cloud services by using only corporate credentials.

Selective Synchronization

My colleague Mark Blok pointed me to an interesting blog post from how to configure select Active Directory synchronization for Office 365. Until now, one of the challenges of DirSync is that it would sync your entire AD to Windows Intune/WAAD. This means that if you had 10,000 AD users and only wanted 500 in Windows Intune, you would have all 10,000 users listed in Windows Intune.

DirSync is simply a pre-configured Microsoft Identity Integration Server [MIIS] installation specific for Office 365, Windows Intune integration. The MIIS Client located at:

  • 32-bit: %SystemDrive%\Program Files\Microsoft Online Directory Sync\SYNCBUS\UIShell

  • 64-bit: %SystemDrive%\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell

There are 3 filtering options that can be applied to DirSync:

  • Organizational Units based, which allows you to select which OUs are to be synced to the cloud;

  • Domain based, allowing you to select which domains are synchronized to the cloud;

  • User attribute based, enabling you to control which objects shouldn’t be synchronized to the cloud based on their AD attributes.

This blog post explains how to filter based on Organizational Units as this the most common used scenario for Active Directory user object filtering.

Organizational Units Based Filtering
  • Log on to the computer that is running DirSync by using an account that is a member of the MIISAdmins local group

  • Open MIIS by running miisclient.exe

  • In Synchronization Service Manager, click Management Agents and then double-click SourceAD


  • Click Configure Directory Partitions and then click Containers


  • When prompted, enter domain credentials for your on-premises domain and then click OK
  • When prompted, enter domain credentials for your on-premises domain and then click OK


  • If you click in Advanced… you will be able to further control which OUs to include and exclude


  • Click OK three times

  • On the Management Agent tab, right-click SourceAD, click Run, click Full Import Full Sync and then click OK to perform a full sync


    • Once finished, you can check the results at the bottom left corner of the window. 283 objects are removed based on the configured filter.


    If you have additional demands how to filter your Active Directory synchronization objects you can use domain or User attribute based filtering as well. The process how to configure is described here.



  • Categories


    2 thoughts on “Windows Intune: Selective Active Directory Synchronization Leave a comment

    1. Hi Donny, just wondering how do you build a PoC for a customer. Do you have your own ‘runbook’ or does Microsoft supply a document with information?
      In addition: do you require the customer to have a Test environment, or do you install Intune (SCCM integration etc.) in the production environment? Thanks!

      Btw: there’s a new DirSync with password sync available. Sounds pretty cool:
      (but I guess you already knew ;-) )

    Leave a Reply

    Fill in your details below or click an icon to log in: Logo

    You are commenting using your account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )

    Connecting to %s

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    %d bloggers like this: