GroupWritebackV2 enabled, but Groups are not syncing from Cloud to On-prem

Trevor Harris-A 40 Reputation points

I have been unable to get GroupWritebackV2 working even after following all required steps in the Microsoft Learn article.

GroupWritebackV2 is set to True and has been enabled by a Global Admin in the Entra Connect Sync application. The OU has been set correctly with the DN.

(Get-ADSyncGlobalSettings).Parameters | select Name,Value | ?{$_.Name -like "Microsoft.Group*"}
Name                                             Value
----                                             -----
Microsoft.GroupWriteBack.Forest                  abcd.local
Microsoft.GroupWriteBack.Container               OU=Azure,OU=Security Groups,DC=abcd,DC=local
Microsoft.GroupWriteBack.FormatDistinguishedName True

The individual groups we want to sync have been set to have writeback enabled, and are a variety of Security Groups, Email-enabled Security Groups, and Microsoft365 groups (for purposes of testing). None of the groups are being written back.

I have used Graph API to confirm these groups have the writebackConfiguration 'isEnabled' property set to true.

I have verified the MSOL Service account has the appropriate permissions. No errors are noted during a sync cycle.

We are using v2.2 of Entra Connect Sync app (well above the 2.0.89 requirement) and have a P2 license.

None of the groups are nested, nor do they have any nested members.

The only modification that has been made is that the NewUnifiedGroupWritebackDefault has been set to false as per this article, so that only the groups we specify are written back. (see screenshot below showing 2 of these groups) Perhaps there is a bug with this property?

User's image

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
17,514 questions
{count} votes

Accepted answer
  1. Alfredo Revilla (MSFT) 25,176 Reputation points Microsoft Employee

    Hello @Trevor Harris-A and thanks for sharing your solution. Since accepting your own answer is not supported I'm reposting your solution here so that you can accept and rate it. It will ensure that others facing a similar issue can easily find a solution:

    After exporting & reviewing the config I found that there was no mention of GroupWriteback in the file, so I had our Global Admin check again, and sure enough the Writeback option was not selected in the Entra ID Connect application. Sorry about that!

    After enabling Writeback there, the new exported .json config file now properly shows the Groupwriteback configuration & the M365 groups are being exported properly. Snippet below:

    "onpremisesDirectoryPolicy": [
          "friendlyName": "abcd.local",
          "uniqueIdentifier": "<removed>",
          "fullyQualifiedDomainName": "abcd.local",
          "onPremisesDirectoryAccount": "ABCD.LOCAL\\MSOL_<redacted>",
          "groupWritebackDistinguishedName": "OU=Azure,OU=Security Groups,DC=abcd,DC=local",
          "formatGroupWriteBackDistinguishedName": true,
    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful