Enable Group Writeback and Set Group Source of Authority (SOA) to Entra
There is currently a limitation on which types of groups each sync client can write back to AD:
- You have to use Entra Cloud Sync to provision cloud Security groups to on-premises AD
- You have to use Entra Connect Sync to provision Microsoft 365 groups to on-premises AD
Ideally, if you use Entra Connect Sync and don’t need to sync Microsoft 365 groups, you should migrate your sync client to Entra Cloud Sync. To check if you’re eligible to move to Microsoft Entra Cloud Sync, use the user synchronization wizard, as there are other caveats and limitations.
If you can’t use Microsoft Cloud Sync as recommended by the wizard, you can run Microsoft Entra Cloud Sync side-by-side with Microsoft Entra Connect Sync. In that case, you might run Microsoft Entra Cloud Sync only to provision cloud Security groups and Entra Connect Sync to provision Microsoft 365 groups to on-premises AD.
1. Enable Group Writeback in Entra Connect Sync configuration:

2. Set destination for Microsoft 365 group writeback:

3. Enter Enterprise Admin permissions:

4. Verify successful completion:

Enable Security Group Writeback with Entra Cloud Sync
1. If you’re upgrading from an earlier version, you may need to run the PowerShell permissions command on the Entra Cloud Sync server:
# Load the Cloud Sync cmdlets that ship with the provisioning agent
Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll"
# Prompt for the Enterprise Admin credential used to delegate the AD permissions
$credential = Get-Credential
# Grant the agent account create/delete rights for users and groups in the target domain ("domain.com" is a placeholder)
Set-AADCloudSyncPermissions -PermissionType UserGroupCreateDelete -TargetDomain "domain.com" -EACredential $credential

2. Create a new Entra to AD sync configuration in Entra portal:

3. Select your Scoping filters, choosing the groups to sync (note that you can’t sync Microsoft 365 groups or directory-synced objects unless those objects are first converted to cloud SOA):

4. Add the target container in AD that the groups will be synced into:

5. Test by provisioning your group on demand. Select the members to sync.

6. Confirm your action is successful:

7. Check the target AD OU to confirm the Security group synced as a Universal group:

8. If satisfied with your configuration, set properties for your sync rule:

9. Finally, enable the sync configuration:

Convert the Group Source of Authority (SOA) from AD to Entra
1. Use Graph Explorer to grant the required permissions to its Enterprise App. Open Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer
2. Initially, you are in the Sample tenant. Sign in to your account with the Application Administrator or Cloud Application Administrator role

3. Once signed in, you are in your tenant. Click on the avatar again and click “Consent to permissions”

4. Search for Group-OnPremisesSyncBehavior and select Consent for the permission

5. Select Consent on behalf of the organization and click Accept:

6. Change the group scope for the AD DS groups to Universal.

7. Get the object ID of your group (note that the source is still Windows Server AD):

8. Check the current SOA status of your group (replace {ID} with the Object ID of your group):
GET https://graph.microsoft.com/v1.0/groups/{ID}/onPremisesSyncBehavior?$select=isCloudManaged

An “isCloudManaged” value of “false” means the group is still AD-managed.
9. Convert the group SOA to cloud by running the PATCH request:
PATCH https://graph.microsoft.com/v1.0/groups/{ID}/onPremisesSyncBehavior
{
"isCloudManaged": true
}

10. Check again to see if the group is now cloud-managed (i.e. Entra SOA) by running the GET request again.
GET https://graph.microsoft.com/v1.0/groups/{ID}/onPremisesSyncBehavior?$select=isCloudManaged

The “isCloudManaged” value is now “true”, which means the group is Entra-managed.
11. If we check the group in Entra now, we will see that Source = Cloud and the properties are now editable:
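Steps 8 to 10 above, scripted with the Microsoft Graph PowerShell SDK so the before and after states are checked rather than eyeballed. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, the group ID is a placeholder, and the scope name is the full Graph permission whose prefix the post searches for in Graph Explorer.

```powershell
# Added example (not from the original post): check a group's SOA, convert it to cloud, verify.
# Assumes the Microsoft.Graph PowerShell SDK; the group object ID below is a placeholder.
$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with the group's object ID

# Full permission name for the "Group-OnPremisesSyncBehavior" search term used in Graph Explorer
Connect-MgGraph -Scopes 'Group-OnPremisesSyncBehavior.ReadWrite.All' -NoWelcome

function Get-GroupSoa {
    # Returns $true when the group is Entra-managed, $false when still AD-managed (step 8 / step 10)
    param([string]$Id)
    $uri = "https://graph.microsoft.com/v1.0/groups/$Id/onPremisesSyncBehavior?`$select=isCloudManaged"
    (Invoke-MgGraphRequest -Method GET -Uri $uri).isCloudManaged
}

function Set-GroupSoaToCloud {
    # The PATCH from step 9: flips the group's source of authority to Entra
    param([string]$Id)
    $uri  = "https://graph.microsoft.com/v1.0/groups/$Id/onPremisesSyncBehavior"
    $body = @{ isCloudManaged = $true } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'
}

# Record the current state before changing anything
$before = Get-GroupSoa -Id $GroupId
Write-Host "Before: isCloudManaged = $before"

if ($before -eq $true) {
    Write-Host 'Group is already cloud-managed; nothing to do.'
} else {
    Set-GroupSoaToCloud -Id $GroupId
    # Re-read rather than trusting the PATCH response, so a silent failure is caught here
    $after = Get-GroupSoa -Id $GroupId
    if ($after -ne $true) { throw "SOA conversion for $GroupId did not take effect (isCloudManaged = $after)" }
    Write-Host "After: isCloudManaged = $after"
}
```

Run it once per group after confirming the object ID from step 7, since the conversion changes which directory owns the group's attributes.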

12. Make sure to add your new group to the sync scope. Select it, then click Save on the next screen.

13. Provision the group on demand, selecting the group and a couple of member user accounts that exist in both AD and Entra. Click the Provision button (not seen below):

14. Confirm successful group provisioning:

15. Check AD to validate. Notice that the group was renamed by appending an underscore and a suffix:

If this worked for you, expand the scope to additional groups and users. Good luck!