One common request we get is how to design DPC policies that apply only to objects that are on-prem, or objects that are in the cloud. For example, I might want a policy to assign all on-prem accounts a particular custom attribute.
One way is to create a real or virtual organizational unit, or a security group, that contains only the on-prem or cloud users, then use that OU or group as the scope of the policy.
Another is to select either the “Update Cloud User” or “Update On-Prem User” action in the policy. Each of those actions will only target the related user type, so if you have a scope and condition set in the policy that includes both on-prem and cloud users but select the “Update On-Prem User” action, only the on-prem users that the policy matches will be affected.
Note: if you create an OU or group for the scope, you still have to select the correct action type. The reason for creating the OU or group is to make clear what the scope is to both human users and auditing software.