Migrate on-prem security & mail enabled security groups to fully cloud managed ones

Maduranga Chandrasena 0 Reputation points
2025-05-05T03:20:19.46+00:00

Hi there,

Entra ID AD Sync is currently active in our environment, and all user accounts have been successfully migrated to Exchange Online.

We are now transitioning existing Security Groups and Mail-Enabled Security Groups to fully cloud-managed equivalents (currently, the source of those groups shows as "Windows Server AD"). These groups are currently used to control access to SharePoint as well as to support third-party synchronization services.

Our objective is to migrate these groups without disrupting SharePoint access or interrupting the functionality of the sync services.

Could you please let me know how to proceed with this?

Microsoft Entra ID

2 answers

  1. Deepanshukatara-6769 15,435 Reputation points Moderator
    2025-05-05T03:42:22.6666667+00:00

    Hello, welcome to MS Q&A.

    To migrate your existing Security Groups and Mail-Enabled Security Groups to cloud-managed equivalents without disrupting SharePoint access or third-party synchronization services, you can consider using Microsoft Entra Cloud Sync. Here are some key points and steps to guide you through the process:

    Group Writeback with Microsoft Entra Cloud Sync: This feature allows you to manage on-premises Active Directory groups from the cloud. It supports scenarios like migrating Microsoft Entra Connect Sync group writeback to Microsoft Entra Cloud Sync.

    Supported Scenarios:

    • Migrate Microsoft Entra Connect Sync group writeback V2 to Microsoft Entra Cloud Sync.
    • Govern on-premises Active Directory-based apps using Microsoft Entra ID Governance.

    Configuration and Prerequisites:

    - Ensure you have a Microsoft Entra account with at least a Hybrid Identity administrator role.
    - Your on-premises Active Directory should be running on Windows Server 2016 or later.
    - The provisioning agent must be able to communicate with domain controllers on specific ports (TCP/389 for LDAP and TCP/3268 for the global catalog).

    **Steps to Migrate**:

    - Disable Group Writeback V2 if currently in use, as mail-enabled groups and distribution lists revert to Group Writeback V1 behavior.
    - Use the provisioning agent to manage group memberships and ensure seamless access to applications.

    For more detailed guidance, you can refer to the Microsoft documentation on Group Writeback with Microsoft Entra Cloud Sync.

    Please let me know if you have any further questions.

    Kindly accept if it helps

    Thanks

    Deepanshu


  2. Akhilesh Vallamkonda 14,805 Reputation points Microsoft External Staff Moderator
    2025-05-09T16:10:26.6+00:00

    Hi @Maduranga Chandrasena

    I understand that you are trying to migrate on-prem security groups to Cloud only security groups.

    You can sync objects from on-prem AD to Entra ID, but there is no direct option to convert objects like users and groups to cloud-only.
    To do this you need to stop the sync completely for the domain, which will convert all the user accounts and groups to CLOUD ONLY.
    For more information, please read the below document.
    Turn off directory synchronization for Microsoft 365
    Hope this helps. If you still do not see enough information to isolate the issue, please let me know in the comment section.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
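Before taking the step this answer describes, an administrator will want a record of which groups are still directory-synced (the ones whose source shows as "Windows Server AD") and what kind each one is, so the same object IDs can be checked again after sync is turned off. The script below is an added example written for this thread, not code from the thread or from Microsoft's documentation; it uses the Microsoft Graph PowerShell module, and the output file name is an assumption.

```powershell
# Added example (not from the Q&A thread): snapshot every group that is still
# directory-synced (onPremisesSyncEnabled = true, shown in the portal as source
# "Windows Server AD") and classify it, so the list can be re-run after
# directory sync is turned off and the same Ids confirmed as cloud-only.
# Requires the Microsoft.Graph.Groups module (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes "Group.Read.All"

$props = "id,displayName,mail,mailEnabled,securityEnabled," +
         "onPremisesSyncEnabled,onPremisesSecurityIdentifier"

# Pull all groups and keep only those still sourced from on-premises AD.
$synced = Get-MgGroup -All -Property $props |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true }

$report = @(foreach ($g in $synced) {
    # Mail-enabled security groups carry both flags; plain security groups
    # are securityEnabled only; distribution lists are mailEnabled only.
    $kind = if ($g.SecurityEnabled -and $g.MailEnabled) { "MailEnabledSecurity" }
            elseif ($g.SecurityEnabled)                 { "Security" }
            elseif ($g.MailEnabled)                     { "Distribution" }
            else                                        { "Other" }

    [pscustomobject]@{
        Id          = $g.Id            # stays the same after conversion
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        Kind        = $kind
        OnPremSid   = $g.OnPremisesSecurityIdentifier
        SyncEnabled = $g.OnPremisesSyncEnabled
    }
})

$OutFile = "synced-groups-before.csv"   # assumption: choose your own path
$report | Sort-Object Kind, DisplayName |
    Export-Csv -Path $OutFile -NoTypeInformation

"{0} directory-synced group(s) written to {1}" -f $report.Count, $OutFile
$report | Group-Object Kind | Select-Object Name, Count
```

Run it once before turning off directory synchronization and again afterwards: the second run should return no rows, and the Ids recorded in the CSV identify the groups whose SharePoint and sync-service assignments you want to re-verify.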

