Entra Cloud Sync - Group Writeback

Bojan Zivkovic 436

Hi, could this feature be used as PAM solution for temporary Domain Admins group membership in AD DS (group synced from Entra to AD DS would be a member of Domain Admins group, empty by default, and admins would get a temporary membership in synced group using PIM)? Currently I am using native PAM AD DS optional feature with GUI tool created in PS Studio leveraging JEA - admins request temporary membership in Domain Admins group which is automatically approved.

2 answers

Andy David - MVP 142.2K Reputation points MVP

2024-04-23T11:27:24.9133333+00:00

Havent tested that but wouldnt that mean you syncing Domain admin accounts to Azure? Even if only during the writeback phase? thats generally not recommended
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Marcin Policht 11,230 Reputation points MVP

2024-04-23T11:38:26.3033333+00:00

As far as I recall, the writeback creates groups with the Universal scope - they cannot be added to a domain global group (such as Domain Admins)

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Please sign in to rate this answer.
Marcin Policht 11,230 Reputation points MVP

2024-04-23T11:46:54.3066667+00:00

That aside (if you decide to use a different AD group of the local or universal scope - rather than Domain Admins), there are a few additional considerations:

Synchronization Timing: Azure AD Connect operates on a scheduled basis or manually triggered synchronization, which may not occur immediately after changes are made in Azure AD. Depending on the synchronization schedule and timing, there could be delays between the revocation of temporary access in Azure AD PIM and the synchronization of those changes back to on-premises AD DS.

Auditing and Reporting: Azure AD Connect may not offer the level of reporting required for tracking and monitoring temporary group memberships, especially for highly privileged groups. This could pose challenges for compliance and security monitoring purposes.

Network Latency and Connectivity: Network latency and connectivity issues between Azure AD and on-premises AD DS can also affect synchronization delays. If there are network bottlenecks or connectivity issues, it may take longer for changes to propagate between the two environments.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Bojan Zivkovic 436 Reputation points

2024-04-23T11:51:24.7033333+00:00

Yep, I missed that Universal scope info ... It seems I can't leverage this feature for PAM (Domain Admins group membership) + yes, it would mean adm accounts (future Domain Admins) being synced from AD DS to Entra. Simply there is nothing I can think of to implement PAM but what I am doing at the moment (explained in the question).

Thank you both.

Marcin Policht 11,230 Reputation points MVP

2024-04-23T12:19:47.99+00:00

You're welcome

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Givary-MSFT 28,321 Reputation points Microsoft Employee

2024-04-25T07:11:55.99+00:00

@Bojan Zivkovic Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Sign in to comment