Skip to main content

Group Writeback enables the synchronization of Microsoft 365 groups with your on-premises AD through Microsoft Entra Connect Sync. It’s an excellent feature to manage groups in the cloud while controlling access to on-premises applications and resources. In this article, you will learn how to enable Group Writeback in Microsoft Entra Connect Sync.

Group writeback prerequisites

The following are prerequisites for group writeback:

  • Azure AD Premium 1 or Azure AD Premium 2 license
  • Azure AD Connect version 2.0.89.0 or later

Check Azure AD Connect version

You must have at least Azure AD Connect version 2.0.89.0 or higher installed to enable group writeback in Azure AD Connect.

  1. Sign in on the Azure AD Connect server
  2. Run PowerShell as administrator
  3. Run the below commands to get the Azure AD Connect version

In our example, Azure AD Connect 2.1.20.0 is installed.

Import-Module ADSync
(Get-ADSyncGlobalSettingsParameter | Where-Object { $_.Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion'}).Value

It’s recommended to keep Azure AD Connect up to date. Follow the article Upgrade Azure AD Connect .

How to enable group writeback in Microsoft Entra Connect Sync

To enable and configure group writeback in Microsoft Entra Connect Sync, follow the below steps:

Step 1. Create OUs in AD

Start Active Directory Users and Computers and create two separate OUs:

  • AAD: Azure Active Directory
  • AD: Active Directory

If you already have different OUs for the groups, you don’t have to create an AD OU and move all the groups into it. Only create a new OU named AAD.

Enable group writeback in Azure AD create OUs

The AAD OU is empty because the group writeback is not yet configured. This is the OU where all the groups will be written back to from the cloud.

The AD OU already has three groups.

Step 2. Get group writeback status

Run the Get-ADSyncAADCompanyFeature PowerShell cmdlet to check the group writeback status.

Get-ADSyncAADCompanyFeature

The PowerShell output shows that UnifiedGroupWriteback is disabled because the value is False.

Note: UnifiedGroupWriteback refers to the original version, which will keep working. GroupWritebackV2 refers to the new version that will be discontinued in June 2024.

Get-ADSyncAADCompanyFeature

PasswordHashSync           : True
ForcePasswordChangeOnLogOn : False
UserWriteback              : False
DeviceWriteback            : False
UnifiedGroupWriteback      : False
GroupWritebackV2           : False

Step 3. Enable group writeback in Azure AD Connect

  1. On your Azure AD Connect server, open Azure AD Connect.
  2. Select Configure.
Enable group writeback in Azure AD welcome
  1. Select Customize synchronization options, and then select Next.
Enable group writeback in Azure AD customize synchronization options
  1. On the Connect to Azure AD page, enter your credentials. Select Next.
Enable group writeback in Azure AD connect to Azure AD
  1. On the Connect your directories page, verify that the configured directories appear correctly and click on Next.
Enable group writeback in Azure AD connect your directories
  1. On the Domain and OU filtering page, ensure you have the groups selected (that you created in the previous step) and click on Next.
Enable group writeback in Azure AD domain/OU filtering
  1. On the Optional features page, select Group Writeback, and then select Next.
Enable group writeback in Azure AD feature
  1. On the Group Writeback page, select the AAD organization unit (OU) to store objects that are synchronized from Microsoft 365/Azure to your on-premises organization and select Writeback Group Distinguished Name with cloud Display Name and select Next.
Enable group writeback in Azure AD select group
  1. On the Group Writeback Permissions page, fill in the Enterprise Admin Credentials and click Next.
Enable group writeback in Azure AD provide enterprise admin credentials
  1. On the Ready to configure page, select Start the synchronization process when configuration completes and click Configure.
Enable group writeback in Azure AD ready to configure
  1. On the Configuration complete page, select Exit.
Enable group writeback in Azure AD configuration complete

Step 4. Verify Microsoft 365 groups appear in on-premises AD

Sign in to Microsoft Entra admin center. Click on Identity > Groups > All groups. Filter the group type on Microsoft 365 and check the Microsoft 365 groups in the list.

In our example, we have three Microsoft 365 groups.

Note: Only Microsoft 365 groups will write back to your on-premises AD. The Security groups will not write back.

Filtered Microsoft 365 groups in Microsoft Entra admin center

Open Active Directory Users and Computers, open the AAD OU, and check that the Microsoft 365 groups are written back to on-premises AD.

Microsoft 365 groups written back to AD on-premises

We have three users in the Microsoft 365 group Group1_Cloud.

Microsoft 365 group members in Microsoft Entra admin center

However, only two users appear in the synced group in AD. That’s because the CloudOnly user is created in the Azure AD and not in on-premises AD.

Check members in on-premises AD group

Suppose you edit the AAD group in on-premises AD. The next sync will undo the changes.

In this example, we did add the user Richard Grant to the AAD group from on-premises AD.

Add user to group from on-premises

The sync deleted the user Richard Grant from the group because the group needs to be changed in Azure AD and not from on-premises AD.

Note: The authority for the AAD groups is in Azure AD and not on-premises AD. It’s not a two-way sync and only a one-way sync from Azure AD to on-premises AD. Always update the group in Azure AD, and the changes will reflect in on-premises AD.

Enable group writeback in Azure AD user delete change

That’s it!

You successfully did configure group writeback in Azure AD.

Leave a Reply