How to exclude OU from AAD Sync

In hybrid environments, the Entra ID Connect tool synchronizes all domains and OUs with Entra ID by default. If certain domains or OUs should not be synchronized, you can exclude them by unselecting these domains and OUs in the Entra ID Connect configuration.

Importance of managing synchronization scope

This configuration is particularly useful when running the Provision Hybrid Users runbook to prevent race conditions. Such conditions can occur when both Active Directory (AD) and Microsoft 365 are simultaneously creating users.

During the runbook execution:

Entra ID Connect may synchronize newly created AD users to Microsoft 365.
This can cause the 'AD Users | Create Office 365 Accounts (Cloud)' rule to fail with the error: An Office 365 user with the same userPrincipalName already exists in the tenant.

Recommended configuration

To prevent these errors, follow these steps:

Restrict the Initial Runbook Scope
Configure the runbook to create users in an OU that is not synchronized with Entra ID .
This ensures that users created in AD by the initial rule do not appear in Microsoft 365 before the AD Users | Create Office 365 Accounts (Cloud) rule is executed.

Relocate users to synchronized OUs

As the final step in the runbook, move the users to an OU that is synchronized with Entra ID

Use the Text file | DynamicAttributes™ Relocate AD Users rule to perform this relocation automatically.

By carefully managing synchronization settings and runbook scope, you can ensure seamless user provisioning in hybrid environments without encountering synchronization conflicts.