Read about frequently asked questions for provisioning to Active Directory with Microsoft Entra Cloud Sync.
Provisioning groups to Active Directory
Does Group Provision to AD in Microsoft Entra Cloud Sync work side-by-side with other Microsoft Entra Connect Sync capabilities?
Yes. You can use Microsoft Entra Cloud Sync solely for security group provisioning to AD while simultaneously using Connect Sync for syncing AD to Microsoft Entra ID. Any cloud security group that includes users synchronized from AD via Microsoft Entra Connect Sync can be provisioned to Active Directory using Microsoft Entra Cloud Sync and Group Provisioning to AD.
For instance, if there are two users (User A and User B) who are Active Directory Domain Services users and have been synchronized with Microsoft Entra Connect Sync to Microsoft Entra ID, you can create a cloud security group in Microsoft Entra ID called SecurityGroup A. This group can then be provisioned back to AD DS using Microsoft Entra Cloud Sync - Group Provisioning to Active Directory.
I have Microsoft 365 groups that I provision to AD using Group Writeback feature in Microsoft Entra Connect Sync. Will that continue to work?
Yes, when you uninstall or disable Group Writeback V2 from your Connect Sync configuration, it defaults to Group Writeback V1. This default supports the ability to write back all Microsoft 365 groups in Microsoft Entra ID.
What if I want to disable Group Writeback V1 as well?
When you disable Group Writeback V1, the next full sync deletes all the groups that are written by Microsoft Entra Connect Sync to AD. Cloud Security Groups provisioned using Microsoft Entra Cloud Sync won’t be impacted by this operation.
Can I continue to use the "Group writeback" field through MS Graph and Microsoft Entra admin center for setting groups in scope for provisioning to AD using Microsoft Entra Cloud Sync?
No, this field isn't currently used for determining the scope of groups being provisioned to AD using Cloud Sync. You have to use the Microsoft Entra Cloud Sync configuration experience in the portal to set scope. For more information, see Using directory extensions with group provisioning to Active Directory.
If I am following the steps outlined in Migrate Microsoft Entra Connect Sync group writeback V2 to Microsoft Entra Cloud Sync, will this impact my synchronization from Active Directory to Microsoft Entra ID with Microsoft Entra Connect?
No. Following the migration steps for moving from group writeback V2 to Microsoft Entra Cloud Sync will not affect synchronization between AD and Microsoft Entra ID.
AD group enforcement (preview)
What object types does AD group enforcement support?
Groups are supported in this preview. Users aren't supported, but the AD team plans to add support for users in a future release.
When I install the provisioning agent, will enforcement be enabled on all of my Active Directory objects?
No. In addition to installing the policy on the primary domain controller emulator (PDCe), you must explicitly mark each group as in scope. Configure the attribute mapping in group provisioning to Active Directory to set the msDS-ObjectSoa attribute on the groups you want to protect. Groups without the attribute set aren't enforced.
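Because only groups with msDS-ObjectSoa populated are enforced, a practical check is to compare the groups that carry the attribute against those in the same OU that do not. The following PowerShell is an added example, not code from the Microsoft Learn page; it assumes the ActiveDirectory RSAT module on a domain-joined machine, and the OU distinguished name is a placeholder to replace with the container Cloud Sync provisions into.

```powershell
# Added example (not from the original page): report which groups are in scope
# for AD group enforcement (msDS-ObjectSoa set) and which are not.
Import-Module ActiveDirectory

# Placeholder: the OU that Microsoft Entra Cloud Sync provisions groups into.
$searchBase = 'OU=CloudSyncGroups,DC=contoso,DC=com'

# Groups where the source-of-authority attribute is populated: these are enforced.
$enforced = @(Get-ADGroup -LDAPFilter '(msDS-ObjectSoa=*)' `
                -SearchBase $searchBase `
                -Properties 'msDS-ObjectSoa', 'whenChanged' |
              Select-Object Name, DistinguishedName, 'msDS-ObjectSoa', whenChanged)

# Groups in the same container without the attribute: changes to these are
# still accepted from any principal with rights on the object.
$notEnforced = @(Get-ADGroup -LDAPFilter '(!(msDS-ObjectSoa=*))' `
                   -SearchBase $searchBase |
                 Select-Object Name, DistinguishedName)

"Groups with msDS-ObjectSoa set (enforced): $($enforced.Count)"
$enforced | Format-Table -AutoSize

"Groups in $searchBase without msDS-ObjectSoa (NOT enforced): $($notEnforced.Count)"
$notEnforced | Format-Table -AutoSize
```

Running this after changing the attribute mapping confirms that the mapping actually reached the groups you intended; any group listed under "NOT enforced" that should be protected indicates a scoping or mapping gap rather than a policy problem.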
Can I define a break-glass account for emergency changes to a protected group?
Yes. You can add the security identifier (SID) of an authorized user or group to the policy so that account can make changes to enforced groups when the provisioning service isn't available. For more information, see Enforce that Active Directory group changes only come from Microsoft Entra.
If group A is marked for enforcement, can it be added as a member of group B that isn't marked for enforcement?
Yes. Group A can be added as a member of group B. However, changes to the members of group A can still only be made by the provisioning service.
What happens if a change is made on a domain controller that doesn't have AD group enforcement enabled?
The change is processed. For full enforcement across the domain, every domain controller must have the feature enabled, either by installing the cumulative Windows Server update plus the matching Group Policy MSI, or by running a Windows Server Insider Preview build that has the feature already enabled.
How does this feature change the Active Directory role-based access control (RBAC) model?
AD group enforcement is additive to the existing RBAC model. It places another restriction on top of the existing role assignments, without giving any user extra access.
What role is required to enable the policy?
Domain Admin is required to run the PowerShell script that installs the policy on the PDCe role domain controller.
How do I see enforcement events in the event log?
To see Audit-mode events, set the Security Diagnostics registry value to 1 on the PDCe. Audited changes then appear in the Directory Services event log on that domain controller. For more information, see AD and LDS diagnostic event logging.
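To turn the answer above into a repeatable check, the following PowerShell, an added example and not code from the Microsoft Learn page, locates the PDC emulator, reads (and optionally raises to 1) the diagnostic level, and then pulls the recent Directory Service log entries from that domain controller. It assumes that the value the page calls "Security Diagnostics" is the '2 Security Events' value under the NTDS Diagnostics key; adjust $valueName if your documentation names it differently. No event IDs are filtered because the page does not list them.

```powershell
# Added example (not from the original page). Requires the ActiveDirectory module,
# remote PowerShell access to the PDCe, and local administrator rights on it.
Import-Module ActiveDirectory

# Enforcement policy and its audit events live on the PDC emulator.
$pdce = (Get-ADDomain).PDCEmulator

# NTDS diagnostic logging levels are DWORD values under this key.
$key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '2 Security Events'   # assumption: the value the page calls "Security Diagnostics"
$desired   = 1                     # the level the page says enables Audit-mode events

Invoke-Command -ComputerName $pdce -ScriptBlock {
    param($key, $valueName, $desired)
    $current = (Get-ItemProperty -Path $key -Name $valueName).$valueName
    "Current '$valueName' level on $($env:COMPUTERNAME): $current"
    if ($current -lt $desired) {
        Set-ItemProperty -Path $key -Name $valueName -Value $desired -Type DWord
        "Raised '$valueName' to $desired"
    }
} -ArgumentList $key, $valueName, $desired

# Read the last 24 hours of the Directory Service log on the PDCe.
Get-WinEvent -ComputerName $pdce `
    -FilterHashtable @{ LogName = 'Directory Service'; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

Raising diagnostic levels increases log volume on the PDCe, so after validating that enforcement events appear, either keep the level at 1 only for as long as you need the audit trail or forward the Directory Service log to your SIEM so it is retained off the domain controller.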