Group Writeback in Entra Cloud Sync

Warm welcome to my new blog post!

One function that I have missed for a long time in the local Active Directory is the option of using dynamic groups. User accounts have certain characteristics and I automatically fill groups based on these characteristics. How cool is that? Unfortunately, this is not possible on-premises without additional tools. But it is possible in Entra ID and with the option of Group Writeback I can extend the feature to the local AD. With restrictions, ok, but what remains is very powerful.

Microsoft has described the topic in detail here MS Learn Article, so I won’t open that can of worms again here. Instead, let’s take a look at a practical example of how we can map a dynamic group function in AD DS.

The Figure below shows an overview of the workflow.

Figure 1: Example overview

In our example, we have Entra Cloud Sync (Point 1 from pic above) and synchronize certain users to Entra ID. So far so good. Then we create a dynamic group in Entra (Point 2), with a dynamic membership rule based on the attribute “Department” = “HR”. This ensures that users from HR are in the dynamic group. In our example “SG-DG-HR”.

Figure 2: Dynamic membership rule

Then we set up Group Writeback in CloudSync …

Figure 3: Group Writeback Option in Entra Cloud Sync

… and the group is synchronized as a universal group with the On-Premises Active Directory Domain (Point 3 from the overview picture).

Figure 4: AD DS OU with synchronized Entra Group

This is set with the scoping filter in Cloud Sync

Figure 5: Scoping filter in Cloud Sync to define the Target OU in On-Prem AD

The group name is formed here with a part of the ObjectID. However, this can be adjusted in the attribute mapping

Figure 6: CN setting for local AD Group

That’s all to implement. Now you can use the group to provide access to local resources

This example is focused on our pecific usecase. More details and more possibilities are explained in the related Article

Let me summarize some important aspects:

• Until now, the Group WriteBack v2 option was available in Cloud Connect as public preview. This is no longer supported as of 30.06.2024. From now on, the successor described here must be used

• The users must be in Entra ID. Of course, make sense. Otherwise they cannot be a member in the Cloud Group and in scope of the membership rule

• Users are never created in the local AD. Cloud-only accounts that are members of the dynamic group, due to their characteristics, are skipped during synchronization and do not appear in the AD Group. The rule could also be extended here and exclude synchronized users as members for example

Have fun trying it out 😀

Share this:

linkedin email

2024

• Group Writeback in Entra Cloud Sync 01 May

2023

• Setup Azure automation to find unused user and computer accounts (step-by-step guide) 22 Aug
• The dilemma with unused objects in Azure AD 22 Mar
• Check your Azure AD for expiring App Secrets 07 Jan

2022

• Want to switch off ADFS? Looking for some content? 09 Jan

2021

• How to change language in M365 Portal for a synchronized identity 03 Jul
• Zero Trust in Azure Identity - Part 5: Simple Monitoring Break Glass Accounts 22 Jan
• Zero Trust in Azure Identity - Part 4: Access Reviews 19 Jan
• Zero Trust in Azure Identity - Part 3: Conditional Access 18 Jan
• Zero Trust in Azure Identity - Part 2: MFA! Is there a right way? 16 Jan
• Zero Trust in Azure Identity - Part 1: Tenant Security 16 Jan
• Zero Trust in Azure Identity: Overview of the Journey 12 Jan

2020

• More Infos on Azure AD Cloud Provisioning and news from Ignite 2020 24 Sep
• First experience with Azure AD Connect Cloud Provisioning 21 Mar