Forum Discussion
Group writeback doesn't sync back to Entra
Hi all,
I can't find documentation on whether this should actually work or not. I enabled group writeback, which works fine. Now if I add a user to one of those groups in local Active Directory and sync the user to Entra, the user isn't a member of the group there. Might be just normal behavior, but it would be nice if it did sync.
- SantoshSb (Copper Contributor)
Hi JCRNPat,
The currently supported method for achieving group writeback is Entra Cloud Sync.
- Entra Cloud Sync supports the group writeback feature, which writes security groups that are in writeback scope from Entra ID back to a designated Organizational Unit (OU) in the on-premises Active Directory. There are a few limitations with the group writeback feature as well that you should be aware of; refer to Microsoft's Cloud Sync documentation.
Why Membership Doesn’t Sync as Expected:
- Even with group writeback enabled via Cloud Sync, group membership changes made locally in on-premises AD will not automatically sync back to Entra ID if the group originated in the cloud.
- Memberships for writeback-enabled groups should always be managed in Entra ID for consistent synchronization and conflict avoidance.
Recommended Action:
- If you’re currently using Entra ID Connect for group writeback, it’s necessary to transition to Entra Cloud Sync to enable this feature.
- Ensure that group membership is managed in the correct system:
  - For groups originating in Entra ID, manage membership in the cloud.
  - For groups originating in AD, manage membership locally.
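As an added example (my own, not code from either reply or from Microsoft), a PowerShell audit that checks a written-back group's origin in Entra ID and lists AD-side members that the one-way writeback will never carry back. It assumes the Microsoft.Graph and ActiveDirectory modules are installed, a Graph session with Group.Read.All and User.Read.All, and that the AD copy keeps the same name as the Entra group; the group name is a placeholder.

```powershell
# Added audit script (not from the thread). Placeholder group name:
$GroupDisplayName = 'SG-Example-Writeback'

Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'Group.Read.All','User.Read.All' | Out-Null

# Locate the Entra group and determine where it originated.
$entraGroup = Get-MgGroup -Filter "displayName eq '$GroupDisplayName'" `
    -Property Id,DisplayName,OnPremisesSyncEnabled
if (-not $entraGroup) { throw "No Entra group named '$GroupDisplayName'" }

if ($entraGroup.OnPremisesSyncEnabled -eq $true) {
    Write-Host 'Group is AD-mastered: manage membership in AD; changes sync up.'
    return
}
Write-Host 'Group is cloud-mastered: membership is authoritative in Entra ID.'

# Entra-side membership, keyed by UPN (non-user members are skipped).
$entraUpns = Get-MgGroupMember -GroupId $entraGroup.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

# AD-side membership of the written-back copy, keyed by UPN.
$adUpns = Get-ADGroupMember -Identity $GroupDisplayName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        (Get-ADUser -Identity $_.distinguishedName -Properties UserPrincipalName).UserPrincipalName
    } |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

# Members added locally that writeback will not reconcile into Entra ID.
$drift = @($adUpns | Where-Object { $entraUpns -notcontains $_ })
if ($drift.Count -gt 0) {
    Write-Warning 'Members present only in the AD copy (will not appear in Entra ID):'
    $drift | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'AD copy and Entra group membership agree.'
}
```

Running this against the OP's group would list the locally added user under the warning, which is the expected result of a cloud-mastered group rather than a sync failure.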
- LainRobertson (Silver Contributor)
Hi JCRNPat,
If you're talking about the group writeback feature that works via Azure AD Connect, then that feature has been discontinued, as noted below:
Additionally, it didn't/doesn't work as you're anticipating, as group changes made against the Active Directory copy of the object were never reconciled with the original Azure group.
In essence, it was/is a very simple unidirectional push from Azure AD to Active Directory only, and AAD Connect is aware the group originated in Azure and will not even attempt to try and push any changes from Active Directory back out to Azure AD.
Anyhow, if this is the feature you're referring to, Microsoft's current position is to push you into using Cloud Sync for this purpose, not AAD Connect.
Cheers,
Lain