Microsoft Entra ID to AD not syncing the groups members

Question

Hi,

I have configured Microsoft Entra ID to AD to sunc Azure security groups to on.prem AD, it's syncing the groups according to the Scopping Filter correctly but the groups are sunced with no members!

Answer 1

@Wael Khuzam

Thank you for posting this in Microsoft Q&A.

As I understand you have configured Group writeback in your tenant and groups are getting synced, but groups members are not syncing to on-premises.

In Group writeback feature groups provisioned to AD using cloud sync can only contain on-premises synchronized users and / or additional cloud created security groups. Group memberships can be managed in Group writeback only for the accounts which are synced to Azure AD.

Since Sync/provisioning does not support user writeback, users created as cloud only in Azure will not be synced as group members to On-premise AD.

If you select a security group that has a nested security group as its member, then only the nested group will be written back and not it's members. For example, if a Sales security group is a member of the Marketing security group, only the Sales group itself will be written back and not the members of the Sales group.

All of these users must have the onPremisesObjectIdentifier attribute set on their account.

The onPremisesObjectIdentifier must match a corresponding objectGUID in the target AD environment.

Groups that are larger than 50,000 members aren't supported.

Let me know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Do the users exist on-premises? Provisioning is just for group objects, not users.