Couple of Questions on Application Groups created at Azure AD

Mathew James 356 Reputation points

All - I have the following doubts :-

1) When I create an Application Group in Azure AD directly (using the portal), will that group be synced automatically with on-premises AD by any chance? (In fact, we do not want it to get synced with on-premises AD.)

2) We are planning to utilize MS Graph APIs to add members to Azure AD created Application group by giving permissions like

My question: How can I convince my organization's Identity Access Management team that by using the Graph API with the above permission, I will be doing the read/write operations only on the Azure AD created Application Groups and not on on-premises created groups?

Our requirement is that we just need permissions for the Graph API to do the management only for groups and roles created only in Azure AD (and not for on-prem AD groups and roles). Are there any specific Graph API roles which can do this?

Appreciate your response.



Accepted answer
  1. VipulSparsh-MSFT 16,251 Reputation points Microsoft Employee

    @Mathew James Thanks for reaching out.
    1) The groups are not written back unless you explicitly allow it during Azure AD Connect setup. (This also requires that you have an on-prem Exchange setup.)
    Read more here :


    2) Microsoft Graph can only make changes to the resources which were created in Azure AD.
    This is also mentioned in the above article:



    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
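
A scoping check that can be shown to an IAM team, as an added example that is not part of the original question or answer: the Microsoft Graph group resource carries `onPremisesSyncEnabled`, which is `null` for groups never synced from on-premises, `true` for synced groups, and `false` for groups that were synced and no longer are. The sample listing, group names and helper function names below are constructed, and treating `false` or a missing property as out of scope is an assumption made to fail closed.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample, shaped like GET /groups?$select=id,displayName,onPremisesSyncEnabled
SAMPLE_GROUPS = json.loads("""
{"value": [
  {"id": "11111111-1111-1111-1111-111111111111", "displayName": "app-cloud-readers", "onPremisesSyncEnabled": null},
  {"id": "22222222-2222-2222-2222-222222222222", "displayName": "corp-finance", "onPremisesSyncEnabled": true},
  {"id": "33333333-3333-3333-3333-333333333333", "displayName": "legacy-migrated", "onPremisesSyncEnabled": false}
]}
""")["value"]


def is_cloud_only(group):
    """True only if the property was returned and is null (never synced).
    A missing property (e.g. dropped by $select) fails closed."""
    return "onPremisesSyncEnabled" in group and group["onPremisesSyncEnabled"] is None


def partition_groups(groups):
    """Split a group listing into (cloud_only, on_prem_origin) for an audit report."""
    cloud, onprem = [], []
    for g in groups:
        (cloud if is_cloud_only(g) else onprem).append(g)
    return cloud, onprem


def build_add_member_request(group, member_object_id):
    """Describe the Graph add-member call, refusing any group with on-prem origin."""
    if not is_cloud_only(group):
        raise PermissionError(f"{group.get('displayName')}: on-premises origin, out of scope")
    return {
        "method": "POST",
        "url": f"{GRAPH}/groups/{group['id']}/members/$ref",
        "json": {"@odata.id": f"{GRAPH}/directoryObjects/{member_object_id}"},
    }


if __name__ == "__main__":
    cloud, onprem = partition_groups(SAMPLE_GROUPS)
    print("in scope:    ", [g["displayName"] for g in cloud])
    print("out of scope:", [g["displayName"] for g in onprem])
```
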
