As organizations adopt a cloud-first strategy, reducing reliance on on-premises Active Directory becomes essential. Microsoft Entra Group Source of Authority (SOA) conversion enables IT teams to shift group management from AD DS to the cloud, simplifying governance and minimizing hybrid complexity. By converting the source of authority for groups to Microsoft Entra ID, organizations can manage memberships natively in the cloud, support advanced governance scenarios, and accelerate identity modernization while maintaining security and continuity.
As organizations modernize their identity infrastructure, Microsoft Entra’s Group Source of Authority (SOA) Conversion feature enables a granular migration of group management from on-premises AD to Microsoft Entra ID without disabling sync or rearchitecting the entire directory.
What Is Group Source of Authority?
Group SOA defines where a group object is mastered: either in on-prem AD or in Entra ID. With SOA conversion, administrators can selectively convert AD-synced groups into cloud-native groups, making them editable and governable directly in Entra ID.
Permissions Required
To perform SOA conversion, the following Microsoft Entra roles and Graph API permissions are required:
- Hybrid Administrator: Required to call Microsoft Graph APIs to read and update SOA of groups.
- Application Administrator or Cloud Application Administrator: Required to grant user consent to the app or Graph Explorer.
Graph API Permission Scope:
- Group-OnPremisesSyncBehavior.ReadWrite.All must be granted to the app calling the onPremisesSyncBehavior endpoint.
Prerequisites
Before initiating SOA conversion, ensure the following:
Licensing
- Microsoft Entra Free or Basic license is sufficient.
Sync Clients
- Microsoft Entra Connect Sync: Minimum version 2.5.76.0
- Microsoft Entra Cloud Sync: Minimum version 1.1.1370.0
Group Eligibility
- Groups must not be mail-enabled or tied to Exchange on-premises (distribution lists (DLs) or mail-enabled security groups (MESGs)).
- If provisioning back to AD is planned, change group scope to Universal.
How to Convert Group SOA from AD to Entra
Here’s a simplified step-by-step guide:
- Identify Target Groups
  - Use Entra Admin Center or Graph Explorer to list synced groups.
  - Confirm they are not Exchange-dependent.
- Grant Permissions
  - Use Graph Explorer or your app registration to grant Group-OnPremisesSyncBehavior.ReadWrite.All.
- Execute SOA Conversion
  Suppose Group1, which is in scope for conversion, is currently synchronized from on-prem. Execute the following from Graph Explorer to convert “Group1” to cloud-managed:

  PATCH https://graph.microsoft.com/beta/groups/{group-id}/onPremisesSyncBehavior
  {
    "isCloudManaged": true
  }

  This marks the group as cloud-managed; AD sync will stop honoring changes to this group. The change can be verified by querying the group's onPremisesSyncBehavior again in Graph Explorer.
- Validate Conversion
  - Confirm blockOnPremisesSync = true in the Entra Admin Center.
  - Use audit logs to verify the change.
- Apply Governance
  - Apply lifecycle policies, access reviews, and provisioning rules using Entra ID Governance.
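The procedure above, as an added example that is not part of the original article: a dry-run script that applies the eligibility rules (group must still be AD-synced and must not be mail-enabled) to a constructed sample of Graph group objects, and builds the PATCH for each eligible group before anything is sent. The sample group records and the send() helper are assumptions; mailEnabled and onPremisesSyncEnabled are standard Graph group properties.

```python
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Constructed sample data standing in for a GET /groups response (not real tenant data).
SAMPLE_GROUPS = [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "Group1",
     "securityEnabled": True, "mailEnabled": False, "onPremisesSyncEnabled": True},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Sales-DL",
     "securityEnabled": False, "mailEnabled": True, "onPremisesSyncEnabled": True},
    {"id": "33333333-3333-3333-3333-333333333333", "displayName": "CloudOnly",
     "securityEnabled": True, "mailEnabled": False, "onPremisesSyncEnabled": None},
]

def check_eligibility(group: dict) -> tuple[bool, str]:
    """Eligibility rules from the prerequisites: the group must currently be
    synced from AD, and must not be mail-enabled (DLs and MESGs are out of scope)."""
    if not group.get("onPremisesSyncEnabled"):
        return False, "not synced from on-prem"
    if group.get("mailEnabled"):
        return False, "mail-enabled (DL/MESG)"
    return True, "eligible"

def build_soa_patch(group_id: str) -> dict:
    """Describe the Graph call that flips the group's SOA to the cloud."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BETA}/groups/{group_id}/onPremisesSyncBehavior",
        "body": {"isCloudManaged": True},
    }

def plan_conversion(groups: list[dict]) -> list[dict]:
    """Dry run: one row per group, with the PATCH to send for eligible ones only."""
    plan = []
    for g in groups:
        ok, reason = check_eligibility(g)
        plan.append({"displayName": g["displayName"], "eligible": ok, "reason": reason,
                     "request": build_soa_patch(g["id"]) if ok else None})
    return plan

def send(request: dict, access_token: str) -> int:
    """Send a planned PATCH using a bearer token that carries
    Group-OnPremisesSyncBehavior.ReadWrite.All; returns the HTTP status (assumed helper)."""
    req = urllib.request.Request(
        request["url"], method=request["method"],
        data=json.dumps(request["body"]).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Review the plan output (and the audit log afterwards) before calling send() for each eligible row.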
Use Cases: Migrating from On-Prem to Cloud
Use Case 1: Retiring Legacy AD Groups
Scenario: A customer has migrated all mailboxes to Exchange Online and no longer needs certain AD groups.
Solution: Convert those groups to cloud-native Entra ID groups and delete them from AD, reducing footprint and simplifying governance.
Use Case 2: Governing On-Prem Apps from the Cloud
Scenario: A customer uses AD security groups to secure on-prem apps (e.g., Kerberos-based apps).
Solution: Convert the group SOA to Entra ID, apply governance policies, and use Group Provisioning to AD to sync cloud-managed groups back to AD.
Use Case 3: Migrating DLs and MESGs to Cloud
Scenario: A customer wants to migrate all distribution lists and mail-enabled security groups to the cloud.
Solution: Convert SOA to Entra ID, recreate mail-enabled groups in Exchange Online, and decommission AD-based mail groups.
Use Case 4: Enabling Access Reviews
Scenario: A federal customer wants to run access reviews on group memberships but the groups are AD-synced.
Solution: Convert SOA to Entra ID, enabling full access review capabilities and lifecycle workflows.
Use Case 5: Hybrid Identity Cleanup
Scenario: A customer is migrating from Entra Connect Sync to Cloud Sync and wants to clean up group sprawl.
Solution: Use SOA conversion to move group management to the cloud, then decommission legacy sync rules and OUs.
Strategic Impact
Group SOA Conversion is more than a technical enhancement; it is a strategic enabler for identity modernization. It supports:
- AD DS minimization: Shrinking on-prem footprint.
- Cloud-first governance: Centralized access control and lifecycle management.
- Phased migration: Avoiding disruption while modernizing.