Core Infrastructure and Security Blog

The Twelve Days of Blog-mas: No.4 - Sync Cloud Groups from AAD/Entra ID back to Active Directory

MichaelHildebrand
Dec 01, 2023

"Number four?" <spoken in the deli counter attendant's dead-pan voice>


For a loooong time, you and I have been waiting for the ability to sync ‘cloud-born-and-managed’ security groups (and their memberships) back into on-premises AD.  This takes us further on our journey of moving "the management plane" from on-prem AD to the cloud - and provides you the ability to create/manage groups in the cloud to manage resource access in Active Directory.  


BLINKING CAUTION LIGHT: 

  • This V2 Group Writeback feature is in public preview.
  • You're playing with Directory Services fire here.
  • This is a helpful feature BUT it has the potential to make big (possibly massive) changes to your on-prem AD.
  • Be sure you fully understand what the default options are AND what you have set in your environment.
  • It is entirely possible that all M365 Groups from your M365 tenant will be back-sync'd into your on-prem AD.
  • Don't mess with this in isolation/by yourself - get a peer on your team to work with you so you can double check one another.
  • Test, test, test again.

Okay, now that I've gotten your attention, here are some details:

  • Once you’ve enabled the capability, it’s just an option for your cloud groups:

NOTE: The security groups from the cloud are written back/created in AD as Universal Security Groups.

NOTE: Cloud-only users who are members of the cloud group won't be back-sync'd into AD; this won't create new AD users.

  • In my environment, I use a naming prefix of '- CG - ' to indicate 'Cloud Group' and a prefix of '- OPG - ' to indicate 'On-Prem Group.'


To Retrofit ... or not?


If you're like me, I bet you're asking/wondering if an existing on-prem group can be transitioned to cloud-managed.  The answer (for now, at least) is "No." 


So, you may need to do some work in the on-prem environment to use the 'new' back-sync'd groups instead of existing on-prem AD groups. 


If you name the new cloud groups to align with your existing on-prem AD group naming standards, it will be easier to 'find' them in the various AD object picker/permissions UIs.  Then, you could just add the new group to the ACL for the resource and at some point, remove the old one.  This naming standardization effort could also aid you if you go down the route of scripting to replace groups.
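Here is what that "scripting to replace groups" step can look like, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module, that the old and new group names ('- OPG - Finance RW' and '- CG - Finance RW' here, both constructed) are the groups' sAMAccountNames, and that the folders being migrated are NTFS paths on the machine where you run it. It clones each explicit ACE held by the old on-prem group onto the back-sync'd cloud group and leaves the old ACE in place, so access never drops during the transition; removing the old group is a deliberate second pass.

```powershell
#Requires -Modules ActiveDirectory

function Copy-GroupAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OldGroup,   # existing on-prem group, e.g. '- OPG - Finance RW' (assumed name)
        [Parameter(Mandatory)][string]$NewGroup,   # back-sync'd cloud group, e.g. '- CG - Finance RW' (assumed name)
        [Parameter(Mandatory)][string[]]$Path,     # NTFS folders whose ACLs to update
        [switch]$RemoveOld                         # second pass only: drop the old ACEs once you're sure
    )

    # Resolve both groups first so a typo stops the run instead of silently doing nothing.
    $domain = (Get-ADDomain).NetBIOSName
    $oldId  = "$domain\$((Get-ADGroup -Identity $OldGroup).SamAccountName)"
    $newId  = "$domain\$((Get-ADGroup -Identity $NewGroup).SamAccountName)"
    $newNt  = [System.Security.Principal.NTAccount]$newId

    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p

        # Only explicit ACEs are touched; inherited ones get fixed where they originate.
        $oldAces = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $oldId })

        if ($oldAces.Count -eq 0) {
            Write-Verbose "$p : no explicit ACE for $oldId, skipping"
            continue
        }

        foreach ($ace in $oldAces) {
            # Same rights, inheritance flags and allow/deny type; only the principal changes.
            $clone = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $newNt, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($clone)
            if ($RemoveOld) { [void]$acl.RemoveAccessRule($ace) }
        }

        # -WhatIf on the function flows through here, so a dry run changes nothing.
        if ($PSCmdlet.ShouldProcess($p, "Grant '$newId' the explicit rights of '$oldId'")) {
            Set-Acl -Path $p -AclObject $acl
        }

        # Emit a record per folder so the change can be reviewed with a peer.
        [pscustomobject]@{ Path = $p; AcesCloned = $oldAces.Count; OldRemoved = [bool]$RemoveOld }
    }
}

# Constructed usage: dry run first, then drop -WhatIf to apply.
Copy-GroupAce -OldGroup '- OPG - Finance RW' -NewGroup '- CG - Finance RW' -Path 'D:\Shares\Finance' -WhatIf
```

Run it with -WhatIf and -Verbose first and keep the emitted objects as the change record; only after the cloud group's membership has synced and been verified on-prem would a second run with -RemoveOld make sense, since the cloned ACE grants nothing until the back-sync'd group actually has members.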


Another idea I had - but have not tested yet - would be to simply 'nest' the new back-sync'd group into the existing AD group that provides access to a given on-prem resource.  It probably would work but we all know group nesting can sometimes be "an adventure."


STILL-BLINKING CAUTION LIGHT:  Re-read the cautions at the top of this post.  I love to reminisce about IT horror stories but don't be 'the star' of a new one here.  FYI, manual member adds from AD into the back-sync'd group will get wiped out upon 'next sync.'  There is a non-default option that an ‘on-prem’ back-sync’d group in AD will be deleted if you disable the write-back option for the source group in the cloud (that may be something you want - but it may be a painful surprise).


For more information:


A series recap (so far):

  1. The Twelve Days of Blog-mas: No.1 - A Creative Use for Intune Remediations - Microsoft Community Hub
  2. The Twelve Days of Blog-mas: No.2 - Windows Web Sign in and Passwordless - Microsoft Community Hub
  3. The Twelve Days of Blog-mas: No.3 - Windows Local Admin Password Solution (LAPS) - Microsoft Community Hub


Cheerio!


Hilde

Updated Dec 06, 2023
Version 2.0

8 Comments

  • MichaelHildebrand sorry to revert you back to this topic, but I have a very interesting predicament. I do have the group writeback V1, still, never went for V2. Group writeback was working for some time now, but yesterday I got a call from a customer, that new groups are not getting written back. Configuration is enabled and everything seems to be ok, but no new groups are created on-prem. I checked all the info and nothing... By all accounts I could find the feature should work with V1. Also the option to transfer display name is grayed out. Any ideas?

    • MichaelHildebrand (Microsoft)

      Hey there - I'm not sure. I'd open a case with Support so they can look behind the curtains to see what might be going on. 

  • mliben (Copper Contributor)

    A scant three days after you wrote this, a notice appeared in a document, "Plan for Microsoft Entra Connect group writeback." https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-group-writeback-v2

    Document essentially says Group Writeback v2 in Entra Connect Sync will no longer be available after June 30, 2024...We offer similar functionality in Microsoft Entra Cloud Sync called Group Provision to Active Directory that you can use instead.

  • I just tested and I see what you're referring to ... there is an option in the M365 Admin Center to create a "Distribution List" - and it appears that these 'groups' are NOT in scope for group writeback to AD.  I'll see if I can find out if that's planned or not. 

  • Take a look at this blurb from the docs - Microsoft Entra Connect: Group writeback - Microsoft Entra ID | Microsoft Learn

    It seems like we might have what you need:

    • The original [Group writeback] version is in general availability and is limited to writing back Microsoft 365 groups to your on-premises Active Directory instance as distribution groups.
    • The new, expanded version of group writeback is in public preview and enables the following capabilities:
      • You can write back Microsoft 365 groups as distribution groups, security groups, or mail-enabled security groups.
      • You can write back Microsoft Entra security groups as security groups.
  • Tx Michael.  But many customers want to sync back regular distribution groups to On-Premises.   Nice about security groups(Can these be mail enabled security groups???) but what about standard distribution groups?  Is that on the horizon?  Tx.

  • Hey there - you have options.  There is a 'GA' or 'Generally Available' capability today for back-sync of M365 groups into AD as Distribution Groups.  However, this post is specifically for a new capability that is in preview for Entra ID "Security" Groups being sync'd back into AD as "Security" groups.

  • Does this include cloud distribution groups?  Exactly which types of groups will get synched back to on-premises?  Tx.