Couple of Questions on Application Groups created at Azure AD

Question

All - I have the following doubts :-

1) When I create an Application Group in Azure AD directly (using the portal), Will that group be Synced automatically with on-premise AD by any chance ? (In fact we do not want to get that Synced with on-premise AD)

2) We are planning to utilize MS Graph APIs to add members to Azure AD created Application group by giving permissions like https://graph.microsoft.com/GroupMember.ReadWrite.All.

My Question How can I convince my organization's Identity Access Management team that by using the Graph API with the with the above permission, I will be doing the Read write operations only to the Azure AD created Application Groups and not to On-premise created Groups.

Our requirement is we just need permissions for Graph API to do the management only for the Azure AD only created groups & roles (and not to on-prem AD groups & Roles). Are there any specific Graph API roles which can do this ?

Appreciate your response.

Thanks!
-Mathew

Answer 1

@Mathew James Thanks for reaching out.
1) The groups are not written back unless you explicitly allow them while Azure AD connect setup. (This also need that you must have a on-prem Exchange setup).
Read more here : https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-group-writeback

2) Microsoft Graph can only make changes to the resources which were created in Azure AD. (https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http)
This is also mentioned in above article :

-----------------------------------------------------------------------------------------------------------------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.