Close Menu
    How to Configure Group Writeback in Microsoft Entra Cloud Sync
    Exchange

    How to Configure Group Writeback in Microsoft Entra Cloud Sync

    Group writeback enables Microsoft Entra ID security groups synchronization with your on-premises AD. However, Microsoft deprecated security group writeback in Microsoft Entra Connect in June 2024. But they made it available in Microsoft Entra Cloud Sync. In this article, you will learn how to configure group writeback in Microsoft Entra Cloud Sync.

    Prerequisites for Microsoft Entra Cloud Sync

    Before proceeding, make sure you have:

    • A Microsoft Entra ID tenant.
    • An Entra ID Global Administrator account for initial setup.
    • At least one Windows Server 2016 or later machine (domain-joined) to host the provisioning agent.
    • Necessary firewall ports open: HTTPS (443) and HTTP (80) to Microsoft cloud endpoints.
    • Proper DNS resolution from the server to your domain controllers and to external internet.

    If you already followed the article Enable Group Writeback in Microsoft Entra Connect Sync, you already have the OUs set up and it’s writing back the groups from Entra ID to AD. However, these are not the security groups.

    Note: The security groups writeback is only possible to set up in Microsoft Entra Cloud Sync, which we will cover in this article.

    How to enable group writeback in Microsoft Entra Cloud Sync

    To enable and configure group writeback in Microsoft Entra Cloud Sync, follow the steps below:

    Step 1. Create OUs in AD

    Start Active Directory Users and Computers and create two separate OUs:

    • Entra ID: Microsoft Entra ID
    • AD: Active Directory

    If you already have different OUs for the groups, you don’t have to create an AD OU and move all the groups into it. Only create a new OU named Entra ID. This is what you will use later in the guide.

    1. Right-click the Entra ID OU
    2. Click Properties
    Entra ID OU in on-premises ADEntra ID OU in on-premises AD
    1. Double-click on the distinguishedName attribute
    Entra ID OU distinguishedName Entra ID OU distinguishedName
    1. Copy the value and save it. You will need it later in the guide.
    Entra ID OU distinguishedName valueEntra ID OU distinguishedName value

    Step 2. Get group writeback status

    If you have Microsoft Entra Connect installed, run the Get-ADSyncAADCompanyFeature PowerShell cmdlet to check the group writeback status.

    Get-ADSyncAADCompanyFeature

    The PowerShell output shows that UnifiedGroupWriteback is disabled because the value is False.

    PasswordHashSync           : True
ForcePasswordChangeOnLogOn : False
UserWriteback              : False
DeviceWriteback            : False
UnifiedGroupWriteback      : False
GroupWritebackV2           : False

    You can have the UnifiedGroupWriteback enabled and keep it like that. It’s important that you have GroupWritebackV2 disabled because that’s discontinued. Read more in the article Disable Group Writeback v2 in Microsoft Entra Connect.

    Note: UnifiedGroupWriteback refers to the original version, which will continue to function. GroupWritebackV2 refers to the new version and is discontinued in June 2024. It’s now integrated in Microsoft Entra Cloud Sync, and that’s what this article is about.

    Step 3. Download the Cloud Sync Agent

    1. Sign in to the Microsoft Entra admin center
    2. Navigate to Identity > Show more
    Microsoft Entra admin center show more in IdentityMicrosoft Entra admin center show more in Identity
    1. Select Hybrid management > Microsoft Entra Connect
    2. Click on Cloud Sync
    Microsoft 365 admin center Microsoft Entra cloud syncMicrosoft 365 admin center Microsoft Entra cloud sync
    1. Select Agents
    2. Click on Download on-premises agent
    Download on-premises agentDownload on-premises agent
    1. Click on Accept terms & download
    2. Save the executable file to your Windows Server machine
    Accept terms and downloadAccept terms and download

    Step 4. Install Provisioning Agent on Windows Server

    1. Start File Explorer
    2. Go to the downloaded Provisioning Agent setup executable file
    3. Run the downloaded Microsoft Entra Connect Provisioning Agent installer as Administrator
    Configure Group Writeback in Microsoft Entra Cloud Sync agent setup fileConfigure Group Writeback in Microsoft Entra Cloud Sync agent setup file
    1. Accept the license terms and conditions
    2. Click Install
    Microsoft Entra Provisioning Agent package installation guideMicrosoft Entra Provisioning Agent package installation guide
    1. The setup starts installing the Microsoft Entra Provisioning Agent
    Provisioning Agent package setup progressProvisioning Agent package setup progress
    1. Click Next in the Welcome to the Microsoft Entra provisioning agent configuration wizard screen
    Microsoft Entra provisioning agent configuration wizardMicrosoft Entra provisioning agent configuration wizard
    1. Select HR-driven provisioning (Workday and SuccessFactors) / Microsoft Entra Cloud Sync
    2. Click Next
    Configure Group Writeback in Microsoft Entra Cloud Sync select extensionConfigure Group Writeback in Microsoft Entra Cloud Sync select extension
    1. Click Authenticate
    2. Sign in with your Microsoft Entra ID administrator credentials
    Connect to Microsoft Entra IDConnect to Microsoft Entra ID
    1. Select Create gSMA
    2. Enter your On-Premises domain admin credentials
    3. Click Next
    Configure Group Writeback in Microsoft Entra Cloud Sync configure service accountConfigure Group Writeback in Microsoft Entra Cloud Sync configure service account
    1. Click Next
    Connect to Active DirectoryConnect to Active Directory
    1. Click Confirm
    Configure Group Writeback in Microsoft Entra Cloud Sync confirm agent configurationConfigure Group Writeback in Microsoft Entra Cloud Sync confirm agent configuration
    1. Click Exit
    Configure Group Writeback in Microsoft Entra Cloud Sync exit agent configurationConfigure Group Writeback in Microsoft Entra Cloud Sync exit agent configuration

    Step 5. Verify Provisioning Agent status

    1. Sign in to the Microsoft Entra admin center
    2. Click Agents and verify that the machine name appears and the status is Active
    Microsoft Entra admin center cloud sync agents statusMicrosoft Entra admin center cloud sync agents status
    1. Start Windows Services
    2. Verify that the Microsoft Azure AD Connect Provisioning Agent service is running
    Configure Group Writeback in Microsoft Entra Cloud Sync services.mscConfigure Group Writeback in Microsoft Entra Cloud Sync services.msc
    1. Start Active Directory Users and Computers
    2. Navigate to Domain (exoip.local) > Managed Service Accounts
    3. Verify that the provAgentgMSA service account appears
    provAgentgMSA service accountprovAgentgMSA service account

    Step 6. Set up Microsoft Entra ID to AD sync configuration

    1. Sign in to Microsoft Entra admin center
    2. Click on Configurations
    3. Select + New configuration > Microsoft Entra ID to AD sync
    Configure Group Writeback in Microsoft Entra Cloud Sync configurationsConfigure Group Writeback in Microsoft Entra Cloud Sync configurations
    1. Select the Active Directory domain
    2. Click Create
    New cloud sync configurationNew cloud sync configuration
    1. Click Overview
    2. Select Properties
    3. Click on the pencil icon to edit the Basics
    Configuration propertiesConfiguration properties
    1. Configure the basics:
    • Add email address for notifications
    • Enable prevent accidental deletion
    • Set accidental deletion treshold to 500
    1. Select Apply
    Microsoft Entra admin center new cloud sync configuration edit basicsMicrosoft Entra admin center new cloud sync configuration edit basics
    1. Click Scoping filters
    2. Select All security groups
    3. Select Edit attribute mapping
    Scoping filters configurationScoping filters configuration
    1. Select Constant from the dropdown menu
    2. Paste in the Constant value field the OU distinguished name value that you noted in the first step
    3. Click Apply
    Group target container attribute mappingGroup target container attribute mapping
    1. Click Save
    Save scoping filters configurationSave scoping filters configuration
    1. Click Overview
    2. Click Review and enable
    Cloud sync review and enableCloud sync review and enable
    1. Click Enable configuration
    Cloud sync enable configurationCloud sync enable configuration

    Step 7. Check Microsoft Entra ID to AD sync configuration status

    1. Verify that the configuration sync from Microsoft Entra ID to AD shows the status Healthy
    Cloud sync Microsoft Entra ID to AD healthy statusCloud sync Microsoft Entra ID to AD healthy status
    1. Return to Overview
    2. Select Overview and verify that everything looks good
    Cloud Sync configuration overviewCloud Sync configuration overview

    Step 8. Verify group writeback sync

    1. Select Monitoring
    2. Group provision shows initial sync not run
    Cloud Sync monitoring initial sync not runCloud Sync monitoring initial sync not run
    1. Refresh until it shows the initial sync completed
    Cloud Sync monitoring initial sync completedCloud Sync monitoring initial sync completed
    1. Verify that the security groups are written back to the Entra ID OU
    On-Premises Entra ID OU with cloud security groupsOn-Premises Entra ID OU with cloud security groups
    1. Suppose you want to double-check that these are the security groups, you can always sign in to the Microsoft Entra admin center and go the Groups blade and filter them in Microsoft Entra ID on:
    • Group type: Security
    • Source: Cloud
    Filter security cloud groups in Microsoft Entra admin centerFilter security cloud groups in Microsoft Entra admin center

    These are the correct groups that are written back from Microsoft Entra ID to on-premises AD.

    That’s it!

    Read more: Configure Microsoft Entra Password Protection for on-premises »

    Conclusion

    You learned how to configure group writeback in Microsoft Entra Cloud Sync. This applies only to cloud security groups. If you want the distribution groups and Microsoft 365 groups writeback, Enable group writeback in Microsoft Entra Connect Sync. This way you have all the groups written back from Entra ID to on-premises AD.

    Did you enjoy this article? You may also like How to Restrict access to Microsoft Entra admin center. Don’t forget to follow us and share this article.

    Share.

    Related Posts

    Add A Comment
    Leave A Reply