Scoped synchronization from Azure AD to your Azure AD DS managed domain
Updated: October 17, 2018
When you enable a new Azure Active Directory Domain Services (AD DS) managed domain, by default, all users and groups within the directory are synchronized into your managed domain. Many customers gave us feedback that this caused sync to take a long time and ended up causing many unnecessary users/groups to be synchronized into the managed domain. Often, customers want only those users who expect to work with apps secured by Azure AD DS to be synchronized into the managed domain.
You can now choose which sets of user accounts should be synchronized into a managed domain. You do this by selecting groups in Azure Active Directory whose members should be synchronized to the managed domain. The current experience is PowerShell based.
For more information, see the documentation.