Published: February 9, 2016

Applies to: Cayosoft Administrator 7.3.0 and earlier

Summary: A newly created Exchange Online Distribution Group may take up to 20 minutes to become fully available within Office 365 after creation. During this time, Azure AD Connect may not be able to see the group, and if Azure AD Connect (Dirsync) runs before the group is available, it may mistakenly believe a new group should be created causing a duplicate group to exist.

The following procedure will configure Azure AD Connect and Cayosoft Administrator to delay the synchronization of groups until they can be seen properly by Azure AD Connect.

What is an Azure AD Connect Filter?

By setting "filtering", you can control which objects appear in Azure Active Directory (Azure AD) from your on-premises directory.  In some cases, it may be desirable to delay when an object is synchronized so that  Microsoft Exchange Online and Azure Active Directory have time to reconcile new Distribution Group objects before those objects are synced from On-premise Active Directory.

Configure Cayosoft Administrator

Select the Attribute used to set the Delay Flag

1. In the Cayosoft Administrator Console navigate to Home > Configuration > Web Portal > Web Actions.
2. Select the New Distribution Group Action.
3. Expand Action > More Options and locate the Delay sync attribute flag field.
4. In the Delay Sync Attribute Flag attribute select one of the ExtensionAttribute that is not being used in your environment. (In this example, we verified that extensionAttribute1 was not being used, so we will dedicate this extension attribute for use to set a sync/nosync flag.)
   
5. Save the rule.

Scheduling the Rule that will Clear the Filter Flag

1. In the Cayosoft Administrator Console navigate to Cayosoft Administrator > Rules > Cayosoft Built-in (Pre-configured) > AD Object | Clear Delay Sync Flag
2. Set the Delay sync attribute flag field to the same ExtensionAtribute set on the New Distribution Group web action above.
3. Click the Enforce/Schedule Check-box and set the schedule so the rule runs no less than every 45 minutes.
4. Save the rule.

Configure Azure AD Connect

NOTE: The following steps document how to configure Azure AD Connect to filter objects with a flag set to NOSYNC. If you have a newer or older version of Azure AD Connect (Formerly DirSync) the steps may be different.

Azure AD Connect Version: 1.1.486.0
Date Published by Microsoft: 4/14/2017

Configure Azure AD Connect (DirSync) tool to filter AD objects when the ExtensionAttribute used above has the flag set.

1. Open Synchronization Rules Editor on the machine where Microsoft Azure AD Connect is installed.
2. Select In from AD - Group Join sync rule and click Edit.
3. When the message “Microsoft recommends disable the default rule, clone it and edit the cloned rule.” appears click Yes to create a copy that can be edited.
   
4. In the Edit inbound synchronization rule:
   
   • Description tab: set Precedence to any positive number. Note: The rules editor can throw an SQL deadlock error if you try to set the same precedence value as an already existing synchronization rule. So use unique numbers for each rule.
     
   • On the Scoping Filter tab: click Add clause and set filter as it shown in the picture below (use the same ExtensionAtribute1 used to configure the Cayosoft Administrator New Distribution Group Rule in the previous section above.)
     
   • Click Save
5. Repeat steps 1-5 above, to clone both the In from AD- Group Exchange and In from AD - Group Common.
6. Close the Synchronization Rules Editor.