Share via

Cloud Sync is syncing groups but not membership from Azure to On-premise

David Bartlett 5 Reputation points
2023-12-26T22:49:48.5366667+00:00

Groups sync from Azure to On-Primise but membership does not get updated. States action was skipped outside of scope.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,005 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,901 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Thameur-BOURBITA 32,606 Reputation points
    2023-12-26T23:24:47.0133333+00:00

    Hi @David Bartlett

    If the group writeback is enabled , when you modify the group membership in Entra ID only synced members and not cloud only accounts will be updated on on-premise because User write back is not possible.

    Please don't forget to accept helpful answer

  2. Sandeep G-MSFT 15,236 Reputation points Microsoft Employee
    2024-01-05T04:50:36.65+00:00

    @David Bartlett

    Thank you for posting this in Microsoft Q&A.

    There are two versions of group writeback. The original version is in general availability and is limited to writing back Microsoft 365 groups to your on-premises Active Directory instance as distribution groups. The new, expanded version of group writeback is in public preview and enables the following capabilities:

    • You can write back Microsoft 365 groups as distribution groups, security groups, or mail-enabled security groups.
    • You can write back Microsoft Entra security groups as security groups.
    • All groups are written back with a group scope of Universal.
    • You can write back groups that have assigned and dynamic memberships.
    • You can configure directory settings to control whether newly created Microsoft 365 groups are written back by default.
    • Group nesting in Microsoft Entra ID will be written back if both groups exist in Active Directory.
    • Written-back groups nested as members of on-premises Active Directory synced groups will be synced up to Microsoft Entra ID as nested.
    • Devices that are members of writeback-enabled groups in Microsoft Entra ID will be written back as members of Active Directory. Microsoft Entra registered and Microsoft Entra joined devices require device writeback to be enabled for group membership to be written back.
    • You can configure the common name in an Active Directory group's distinguished name to include the group's display name when it's written back.
    • You can use the Microsoft Entra admin center, Graph Explorer, and PowerShell to configure which Microsoft Entra groups are written back.

    The new version is enabled on the tenant and not per Microsoft Entra Connect client instance. Make sure that all Microsoft Entra Connect client instances are updated to a minimal build of Microsoft Entra Connect version 2.0 or later if group writeback is currently enabled on the client instance.

    Group memberships can be managed in Group writeback only for the accounts which are synced to Azure AD. For Cloud only users group memberships are not managed by Group writeback

    Let us know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.