Azure AD Connect v2 group write back

Pete Benn 0 Reputation points
2023-11-27T20:15:42.39+00:00

Hello, I have installed AAD Connect 2.2.8 and enabled group write back. It is configured to only create write-back-enabled groups in our local AD, and I have set it to not write back new groups.

It syncs OK, but every group is created. I delete a group from the local AD OU and it syncs it back again.

What am I doing wrong?

Microsoft Entra

2 answers

  1. Sandeep G-MSFT 16,521 Reputation points Microsoft Employee
    2023-11-28T07:18:28.74+00:00

    @Pete Benn

    Thank you for posting this in Microsoft Q&A.

    As I understand, you have upgraded to AD Connect (Microsoft Entra Connect) version 2.2.8 and group writeback is enabled.

    But with this feature enabled, all groups are getting written back to on-premises AD even though you have set groups not to write back.

    This is a default behavior in group writeback V2.

    When you're enabling group writeback, you'll experience the following default behavior:

    • All existing Microsoft 365 groups will automatically be written back to Active Directory, including all Microsoft 365 groups created in the future. Microsoft Entra security groups are not automatically written back. They must each be enabled for writeback.
    • Groups that have been written back won't be deleted in Active Directory if they're disabled for writeback or soft deleted. They'll remain in Active Directory until they're hard deleted in Microsoft Entra ID.

    Changes made to these groups in Microsoft Entra ID won't be written back until the groups are re-enabled for writeback or restored from a soft-delete state. This requirement helps protect the Active Directory groups from accidental deletion, if they're unintentionally disabled for writeback or soft deleted in Microsoft Entra ID.

    • Microsoft 365 groups with more than 50,000 members and Microsoft Entra security groups with more than 250,000 members can't be written back to on-premises.

    In the above explanation, the first point is the reason you are seeing this behavior.

    It is mentioned in our public article as well:

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-group-writeback-v2#choose-the-right-approach

    But you can change this default behavior by following the steps in the articles below:

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-modify-group-writeback#disable-automatic-writeback-of-new-microsoft-365-groups

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-modify-group-writeback#delete-groups-when-theyre-disabled-for-writeback-or-soft-deleted

    You will have to use PowerShell to make these changes.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
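The answer above points at the PowerShell route without showing it. The script below is an added example, not code from the original post, the answer, or Microsoft's article. It assumes the Microsoft Graph Beta PowerShell SDK is installed, that the signed-in account holds Directory.ReadWrite.All, and that the tenant-wide flag is the `NewUnifiedGroupWritebackDefault` value in the `Group.Unified` directory-setting template. It turns off automatic writeback of newly created Microsoft 365 groups and then reads the value back to confirm it, and it also shows how to disable writeback for one existing group. It does not delete anything in Active Directory: as the answer notes, groups already written back stay there until handled separately.

```powershell
# Added example (not from the original post or answer). Assumes the Microsoft Graph
# Beta PowerShell SDK and an account with Directory.ReadWrite.All.
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.ReadWrite.All"

# 1. Locate the Group.Unified template and the tenant's setting object (if one exists).
$template = Get-MgBetaDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq "Group.Unified" }
$setting  = Get-MgBetaDirectorySetting |
    Where-Object { $_.TemplateId -eq $template.Id }

if (-not $setting) {
    # No Group.Unified setting object yet: create one from the template with every
    # value at its documented default, then adjust only the writeback flag below.
    $defaults = $template.Values | ForEach-Object {
        @{ name = $_.Name; value = $_.DefaultValue }
    }
    $setting = New-MgBetaDirectorySetting -BodyParameter @{
        templateId = $template.Id
        values     = $defaults
    }
}

# 2. Copy the current values, flipping NewUnifiedGroupWritebackDefault to "false".
$updated = $setting.Values | ForEach-Object {
    $v = @{ name = $_.Name; value = $_.Value }
    if ($_.Name -eq "NewUnifiedGroupWritebackDefault") { $v.value = "false" }
    $v
}
Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter @{
    values = $updated
}

# 3. Verify by reading the flag back rather than trusting the write call.
$check = (Get-MgBetaDirectorySetting -DirectorySettingId $setting.Id).Values |
    Where-Object { $_.Name -eq "NewUnifiedGroupWritebackDefault" }
Write-Host "NewUnifiedGroupWritebackDefault is now: $($check.Value)"

# 4. Per-group control: disable writeback for one existing group by display name.
#    $GroupDisplayName is a placeholder; the writebackConfiguration property is
#    assumed to be exposed via AdditionalProperties on the beta group object.
$GroupDisplayName = "Example Group (placeholder)"
$group = Get-MgBetaGroup -Filter "displayName eq '$GroupDisplayName'" `
    -Property "id,displayName,writebackConfiguration"
if ($group) {
    Update-MgBetaGroup -GroupId $group.Id -AdditionalProperties @{
        writebackConfiguration = @{ isEnabled = $false }
    }
    $after = Get-MgBetaGroup -GroupId $group.Id -Property "id,writebackConfiguration"
    Write-Host "Writeback for '$GroupDisplayName' isEnabled: " `
        $after.AdditionalProperties.writebackConfiguration.isEnabled
}
```

Run the first three steps once per tenant; step 4 is for any Microsoft 365 group that was already written back and should stop receiving changes. Because the default behavior leaves previously written-back groups in place, check the on-premises writeback OU after the next sync cycle rather than expecting it to empty on its own.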


  2. Andy David - MVP 144.8K Reputation points MVP
    2023-11-28T13:28:25.67+00:00