By default, the Auth Connector (BCCA) forwards all user and group names to the portal.
This article explains how to sync only selected group or user names with the cloud portal.
Web Security Service
By default, all the domains in the forest and all the groups and users within those domains are returned to the cloud portal for use in policy creation.
To configure a limited set of domains, groups, and users to be returned to the cloud portal, use the following sections in the “bcca.ini” file in the installation directory.
You can edit the bcca.ini file and add the Domain\User or Domain\Group names here. Both groups and users must have a domain name specified. There are a few stipulations to keep in mind:
Note: You cannot specify individual Organizational Units (OUs) in Active Directory to be synchronized, because Auth Connector only looks at the down-level format of the user and group names (DOMAIN\User or DOMAIN\Group).
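The following check is an added example, not part of the original article or of the Auth Connector product: it screens candidate entries for the down-level format described above before they are typed into bcca.ini, rejecting OU paths, UPNs and names without a domain. The function names and sample entries are constructed for illustration, and the script does not read or write bcca.ini itself.

```python
import re

# Characters Active Directory does not allow in a sAMAccountName.
BAD_NAME_CHARS = set('"/\\[]:;|=,+*?<>')
# An LDAP distinguished name or OU path such as "OU=Sales,DC=corp,DC=example".
DN_RE = re.compile(r'(^|,)\s*(OU|CN|DC)=', re.IGNORECASE)

def classify(entry):
    """Return 'ok' or the reason the entry is not a down-level name."""
    e = entry.strip()
    if DN_RE.search(e):
        return "distinguished-name"      # OUs cannot be synchronized
    if "\\" not in e:
        return "upn" if "@" in e else "missing-domain"
    domain, _, name = e.partition("\\")
    if not domain or not name.strip():
        return "malformed"
    if len(domain) > 15:                 # NetBIOS domain names are <= 15 chars
        return "malformed"
    if BAD_NAME_CHARS & set(name):       # also catches a second backslash
        return "malformed"
    return "ok"

def review(entries):
    """Split entries into (accepted, rejected); AD names are case-insensitive."""
    accepted, rejected, seen = [], [], set()
    for raw in entries:
        e = raw.strip()
        if not e:
            continue
        reason = classify(e)
        if reason == "ok" and e.lower() in seen:
            reason = "duplicate"
        if reason == "ok":
            seen.add(e.lower())
            accepted.append(e)
        else:
            rejected.append((e, reason))
    return accepted, rejected

# Constructed sample entries, not taken from any real directory.
SAMPLE = ["CORP\\Domain Admins", "CORP\\jsmith", "corp\\JSMITH", "jsmith",
          "jsmith@corp.example.com", "OU=Sales,DC=corp,DC=example,DC=com",
          "\\jsmith", "CORP\\", "CORP\\a\\b"]

if __name__ == "__main__":
    ok, bad = review(SAMPLE)
    print("accepted:", ok)
    for entry, reason in bad:
        print(f"rejected: {entry!r} ({reason})")
```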