How do I sync my users from EntraID to my local Active Directory test domain using Cloud Connect.

Question

How do I sync my users from EntraID to my local Active Directory test domain using Cloud Connect.

Tom Howarth 0

I am attempting to setup EntraID Cloud Sync to synchronize users from EntraID to my local OnPremises Test domain. I have created the provisioning agent and created the configuration; my selected Security group synchronises, but the members of the group do not. how do I fix this?

Tom Howarth 0 Reputation points

2025-01-04T12:35:04.0566667+00:00

I have noticed that there is a default grouping on the attribute scope filter that appears to block this: Default grouping is applied on top of every clause created below using "AND" logic. _Default grouping is: securityEnabled IS True AND dirSyncEnabled IS FALSE AND mailEnabled IS FALSE my Group has dirSyncEnabled = true, it also has securityEnabled = true; obviously, mail enabled is false/null as you cannot assign an email to a security group.

This product just frustrates at every corner._
Tom Howarth 0 Reputation points

2025-01-04T12:37:18.4733333+00:00

it is this default grouping that appears to be causing my issue as the provisioning logs show my users are being skipped as they are "out of scope"

you cannot add the dirSyncEnabled = true attribute to user object , and you cannot assign a email to a security group so I am at a loss on how to escape the default grouping rule to get my users to sync to the local Active Directory

2 answers

Your answer

Tom Howarth 0 Reputation points

2025-01-04T12:35:04.0566667+00:00

I have noticed that there is a default grouping on the attribute scope filter that appears to block this: Default grouping is applied on top of every clause created below using "AND" logic. _Default grouping is: securityEnabled IS True AND dirSyncEnabled IS FALSE AND mailEnabled IS FALSE my Group has dirSyncEnabled = true, it also has securityEnabled = true; obviously, mail enabled is false/null as you cannot assign an email to a security group.

This product just frustrates at every corner._
Tom Howarth 0 Reputation points

2025-01-04T12:37:18.4733333+00:00

it is this default grouping that appears to be causing my issue as the provisioning logs show my users are being skipped as they are "out of scope"

you cannot add the dirSyncEnabled = true attribute to user object , and you cannot assign a email to a security group so I am at a loss on how to escape the default grouping rule to get my users to sync to the local Active Directory

Answer 1

Vasil Michev 119.6K MVP Volunteer Moderator

This is not a supported scenario, users can only be synchronized from on-premises to Entra ID. Back in the day there was a preview of the "user writeback" feature, but Microsoft has long removed it, due to some complications they weren't able to address.

You can export the user objects and their properties via PowerShell, then import them in AD. There are also some third-party "Galsync" products that can do this. But as far as Entra Connect/cloud sync is concerned, this is unsupported.

Tom Howarth 0 Reputation points

2025-01-04T17:18:35.6966667+00:00

Is there a Microsoft supported method of having User accounts stored in Entra ID and those being used to access resources in the local Active Directory. This is similar in principle to the user domain and a resource domain concept. Our end result is to use our M365 accounts to access resources in local AD resources. without the requirement of needing local accounts.
Vasil Michev 119.6K Reputation points MVP Volunteer Moderator

2025-01-05T16:41:33.71+00:00

Not that I know of. While you can pulbish on-premises resources via Entra App proxy, users still need to have on-premises footprint to authenticate to published apps.
Tom Howarth 0 Reputation points

2025-01-05T17:42:02.79+00:00

So how exactly would companies that are born native in the cloud, and are making their first on-premises test environment handle this issue is there a way of effectively merging an EntraID M365 account with an Active directory account of the same UPN?

Cloud Sync really is a half backed product. Having all your accounts in EntraID and needing to access local Active Directory resources is a valid use-case, especially as more companies are Cloud born.

Migration is becoming less of a core focus.
Vasil Michev 119.6K Reputation points MVP Volunteer Moderator

2025-01-05T20:10:24.6833333+00:00

Once you have provisioned users on-premises, you can "match" them against cloud users based on several attributes. The easiest method is the so-called "soft match", which uses the UPN/Primary SMTP value, and is detailed here: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-existing-tenant#sync-with-existing-users-in-microsoft-entra-id

The methods apply to both Connect/cloud sync. Also, if you scroll down to the bottom of this article, you will see a confirmation that Entra Connect/Cloud sync cannot help you with on-premises account creation, and also a recommendation to use Entra Domain Services as an alternative to on-premises AD, which is basically "managed" AD in the cloud. Whether this is an acceptable alternative for your scenario I cannot tell.
Raja Pothuraju 23,715 Reputation points Microsoft External Staff Moderator

2025-01-08T17:14:48.3566667+00:00

Hello @Tom Howarth,

Just checking in to see if the below answer provided by @Vasil Michev helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Tom Howarth 0 Reputation points

2025-01-08T17:28:07.02+00:00

It is an answer, not the one I would like. Typical Microsoft, to develop a half-baked product, that does not support a massive use case that many of their users need.

Answer 2

@Tom Howarth

Thank you for posting this in Microsoft Q&A.

As Vasil Michev mentioned user writeback is not a feature in Cloud sync. There is only a feature for group writeback.

While using Group writeback feature, Cloud sync service only syncs groups from Entra ID to on-premises.

But users within groups are not synced as there is no user writeback feature.

The new, expanded version of group writeback is in public preview and enables the following capabilities:

You can write back Microsoft 365 groups as distribution groups, security groups, or mail-enabled security groups.
You can write back Microsoft Entra security groups as security groups.
All groups are written back with a group scope of Universal.
You can write back groups that have assigned and dynamic memberships.
You can configure directory settings to control whether newly created Microsoft 365 groups are written back by default.
Group nesting in Microsoft Entra ID will be written back if both groups exist in Active Directory.
Written-back groups nested as members of on-premises Active Directory synced groups will be synced up to Microsoft Entra ID as nested.
Devices that are members of writeback-enabled groups in Microsoft Entra ID will be written back as members of Active Directory. Microsoft Entra registered and Microsoft Entra joined devices require device writeback to be enabled for group membership to be written back.
You can configure the common name in an Active Directory group's distinguished name to include the group's display name when it's written back.
You can use the Microsoft Entra admin center, Graph Explorer, and PowerShell to configure which Microsoft Entra groups are written back.

However, if you are looking for a feature to writeback users to on-premises then you can submit feedback regarding this in our Azure feedback portal.

https://feedback.azure.com/d365community/idea/2f830ecc-ba25-ec11-b6e6-000d3a4f0789

There is already feedback submitted by other customers asking for this feature. you can upvote on this to put some weightage on this.

This feedback platform is directly handled by out PG team.

Let us know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Raja Pothuraju 23,715 Reputation points Microsoft External Staff Moderator

2025-01-15T03:31:22.4166667+00:00

Hello @Tom Howarth,

Following up to see if the above explanation was helpful and you can submit your request on feedback forum. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Raja Pothuraju 23,715 Reputation points Microsoft External Staff Moderator

2025-01-20T06:46:37.4133333+00:00

Hello @Tom Howarth,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

How do I sync my users from EntraID to my local Active Directory test domain using Cloud Connect.

2 answers

Your answer