Blog Post

Microsoft Entra Blog

3 MIN READ

Driving cloud-first identity: User SOA is now Public Preview and Group SOA is Generally Available

Joseph Dadzie

Microsoft

Nov 04, 2025

Simplify hybrid complexity and strengthen your security posture by managing users and groups natively in the cloud.

Back in August, I shared how Group Source of Authority (SOA) conversion helps organizations govern legacy groups in the cloud, simplifying on-premises cleanup and extending governance to apps that st...

Updated Nov 03, 2025

Version 1.0

announcements and product news

Microsoft

Joined July 06, 2017

View Profile

Microsoft Entra Blog

Stay informed on how to secure access for any identity to any resource, anywhere, with comprehensive identity and network access solutions powered by AI.

Visit the homepage

aidahl

Copper Contributor

Nov 09, 2025

Would this require disabling the user object both in Entra and in AD? What about other information fields, will they sync back to AD?

AriasJose

Brass Contributor

Nov 10, 2025

No. Converting a user’s Source of Authority from Active Directory to Entra does not require disabling the user object in either system. The object remains active in both directories.

For the second question, after conversion, the user object becomes cloud-managed, meaning changes in Entra do not sync back to AD. Optional writeback features (like password writeback) can still be enabled for compatibility, but attribute updates in Entra stay in the cloud.

aidahl
Copper Contributor
Nov 10, 2025
Isn’t this essentially just breaking the sync?
For the disable part, I meant in a leaver situation. Life cycle of users will get more complex when doing this.
Would have been great if we could change SOA without breaking the sync.