Plan for Azure AD Connect group writeback

Group writeback allows you to write cloud groups back to your on-premises Active Directory instance by using Azure Active Directory (Azure AD) Connect sync. You can use this feature to manage groups in the cloud, while controlling access to on-premises applications and resources.

There are two versions of group writeback. The original version is in general availability and is limited to writing back Microsoft 365 groups to your on-premises Active Directory instance as distribution groups. The new, expanded version of group writeback is in public preview and enables the following capabilities:

  • You can write back Microsoft 365 groups as distribution groups, security groups, or mail-enabled security groups.
  • You can write back Azure AD security groups as security groups.
  • All groups are written back with a group scope of Universal.
  • You can write back groups that have assigned and dynamic memberships.
  • You can configure directory settings to control whether newly created Microsoft 365 groups are written back by default.
  • Group nesting in Azure AD will be written back if both groups exist in Active Directory.
  • Written-back groups nested as members of on-premises Active Directory synced groups will be synced up to Azure AD as nested.
  • Devices that are members of writeback-enabled groups in Azure AD are written back as members of the corresponding Active Directory group. Azure AD-registered and Azure AD-joined devices require device writeback to be enabled before their group membership can be written back.
  • You can configure the common name in an Active Directory group's distinguished name to include the group's display name when it's written back.
  • You can use the Azure AD admin portal, Graph Explorer, and PowerShell to configure which Azure AD groups are written back.

The new version is available only in Azure AD Connect version 2.0.89.0 or later. It must be enabled in addition to the original version.

This article walks you through activities that you should complete before you enable group writeback for your tenant. These activities include discovering your current configuration, verifying the prerequisites, and choosing the deployment approach.

Discover if group writeback is enabled in your environment

To discover if Azure AD Connect group writeback is already enabled in your environment, use the Get-ADSyncAADCompanyFeature PowerShell cmdlet. The cmdlet is part of the ADSync PowerShell module that's installed with Azure AD Connect.

Screenshot of Get-ADSyncAADCompanyFeature cmdlet.

UnifiedGroupWriteback refers to the original version. GroupWritebackV2 refers to the new version.

A value of False indicates that the feature is not enabled.

Discover the current writeback settings for existing Microsoft 365 groups

To view the existing writeback settings on Microsoft 365 groups in the portal, go to each group and select its properties.

Screenshot of Microsoft 365 group properties.

You can also view the writeback state via Microsoft Graph. For more information, see Get group.

Example: GET https://graph.microsoft.com/beta/groups?$filter=groupTypes/any(c:c eq 'Unified')&$select=id,displayName,writebackConfiguration

If writebackConfiguration.isEnabled is null or true, the group will be written back.

If writebackConfiguration.isEnabled is false, the group won't be written back.

Finally, you can view the writeback state via PowerShell by using the Microsoft Identity Tools PowerShell module.

Example: Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All | Get-MsIdGroupWritebackConfiguration

Discover the default writeback setting for newly created Microsoft 365 groups

For groups that haven't been created yet, you can view whether or not they'll be written back automatically.

To see the default behavior in your environment for newly created groups, use the directorySetting resource type in Microsoft Graph.

Example: GET https://graph.microsoft.com/beta/settings

If a directorySetting value of Group.Unified doesn't exist, the default directory setting is applied and newly created Microsoft 365 groups will automatically be written back.

If a directorySetting value of Group.Unified exists with a NewUnifiedGroupWritebackDefault value of false, Microsoft 365 groups won't automatically be enabled for writeback when they're created. If the value is not specified or is set to true, newly created Microsoft 365 groups will automatically be written back.

You can also use the Get-AzureADDirectorySetting PowerShell cmdlet from the AzureAD module. Read the Values property of the Group.Unified setting directly; piping through Format-List first would return formatting objects rather than the setting values.

Example: (Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values

If nothing is returned, you're using the default directory settings, and newly created Microsoft 365 groups will automatically be written back.

If a Group.Unified setting is returned with a NewUnifiedGroupWritebackDefault value of false, Microsoft 365 groups won't automatically be enabled for writeback when they're created. If the value is not specified or is set to true, newly created Microsoft 365 groups will automatically be written back.
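
The following script is an added example (not part of the original article) that runs the three discovery checks from this section in one pass: the ADSync feature flags, the per-group writebackConfiguration of existing Microsoft 365 groups, and the Group.Unified directory setting for future groups. It assumes the Microsoft.Graph PowerShell module is installed, that you have already run Connect-MgGraph with the Group.Read.All and Directory.Read.All scopes, and that the ADSync portion is run on the Azure AD Connect server itself. The Get-GraphCollection helper and its paging logic are this example's own, not part of any Microsoft module.

```powershell
# Added example (not from the original article). Runs the three discovery
# checks from this section in one pass.
# Assumptions: the Microsoft.Graph PowerShell module is installed and you have
# already run Connect-MgGraph -Scopes "Group.Read.All","Directory.Read.All";
# the ADSync part only works on the Azure AD Connect server itself.

# Helper defined here (not a Microsoft cmdlet): pages through a Graph collection
# by following @odata.nextLink, so large tenants are enumerated completely
# instead of stopping at the first page of results.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

# 1. Which writeback versions are enabled on the sync server.
if (Get-Command Get-ADSyncAADCompanyFeature -ErrorAction SilentlyContinue) {
    $f = Get-ADSyncAADCompanyFeature
    "UnifiedGroupWriteback (original version): $($f.UnifiedGroupWriteback)"
    "GroupWritebackV2 (new version):           $($f.GroupWritebackV2)"
} else {
    Write-Warning "ADSync module not available; run this part on the Azure AD Connect server."
}

# 2. Writeback state of every existing Microsoft 365 group.
#    isEnabled null or true => the group will be written back; false => it won't.
$groupUri = "https://graph.microsoft.com/beta/groups?`$filter=groupTypes/any(c:c eq 'Unified')&`$select=id,displayName,writebackConfiguration"
$groups = Get-GraphCollection -Uri $groupUri | ForEach-Object {
    $enabled = $_.writebackConfiguration.isEnabled   # $null when never configured
    [pscustomobject]@{
        Id            = $_.id
        DisplayName   = $_.displayName
        IsEnabled     = $enabled
        WillWriteBack = ($null -eq $enabled -or $enabled -eq $true)
    }
}
$groups | Sort-Object WillWriteBack, DisplayName | Format-Table -AutoSize
$n = @($groups | Where-Object { $_.WillWriteBack }).Count
"$n of $(@($groups).Count) existing Microsoft 365 groups will be written back."

# 3. Default for Microsoft 365 groups created in the future (Group.Unified setting).
$unified = Get-GraphCollection -Uri 'https://graph.microsoft.com/beta/settings' |
    Where-Object { $_.displayName -eq 'Group.Unified' }
if (-not $unified) {
    "No Group.Unified directory setting: defaults apply, new Microsoft 365 groups will be written back."
} else {
    $default = ($unified.values | Where-Object { $_.name -eq 'NewUnifiedGroupWritebackDefault' }).value
    if ("$default" -eq 'false') {
        "NewUnifiedGroupWritebackDefault = false: new Microsoft 365 groups will NOT be written back automatically."
    } else {
        "NewUnifiedGroupWritebackDefault = '$default' (unset or true): new Microsoft 365 groups will be written back automatically."
    }
}
```

Invoke-MgGraphRequest is used instead of the typed Get-Mg* cmdlets because writebackConfiguration is only exposed on the beta endpoint; the script follows @odata.nextLink so the counts are accurate in tenants with more than one page of groups. Keep the output of step 2: it is the list you compare against after enabling writeback.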

Discover if Active Directory has been prepared for Exchange

To verify if Active Directory has been prepared for Exchange, see Prepare Active Directory and domains for Exchange Server.

Meet prerequisites for public preview

The following are prerequisites for group writeback:

  • An Azure AD Premium P1 license
  • Azure AD Connect version 2.0.89.0 or later

An optional prerequisite is Exchange Server 2016 CU15 or later. You need it only for configuring cloud groups with an Exchange hybrid. For more information, see Configure Microsoft 365 Groups with on-premises Exchange hybrid. If you haven't prepared Active Directory for Exchange, mail-related attributes of groups won't be written back.

Choose the right approach

The right deployment approach for your organization depends on the current state of group writeback in your environment and the desired writeback behavior.

When you're enabling group writeback, you'll experience the following default behavior:

  • All existing Microsoft 365 groups will automatically be written back to Active Directory, as will all Microsoft 365 groups created in the future. Azure AD security groups are not automatically written back; each one must be enabled for writeback individually. Because a written-back group becomes a Universal group in Active Directory, anyone who can change the group's membership in Azure AD (its owners, or a dynamic membership rule) thereby changes access to the on-premises resources that group protects, so review how membership is governed before enabling writeback for a security group.

  • Groups that have been written back won't be deleted in Active Directory if they're disabled for writeback or soft deleted. They'll remain in Active Directory until they're hard deleted in Azure AD.

    Changes made to these groups in Azure AD won't be written back until the groups are re-enabled for writeback or restored from a soft-delete state. This requirement helps protect the Active Directory groups from accidental deletion, if they're unintentionally disabled for writeback or soft deleted in Azure AD.

  • Microsoft 365 groups with more than 50,000 members and Azure AD security groups with more than 250,000 members can't be written back to on-premises.

To keep the default behavior, continue to the Enable Azure AD Connect group writeback article.

You can modify the default behavior as follows:

  • Only groups that are explicitly configured for writeback will be written back; newly created Microsoft 365 groups are no longer written back by default.
  • Groups that are written to on-premises will be deleted in Active Directory when they're disabled for group writeback, soft deleted, or hard deleted in Azure AD.
  • Microsoft 365 groups with up to 250,000 members can be written back to on-premises.

If you plan to make changes to the default behavior, we recommend that you do so before you enable group writeback. However, you can still modify the default behavior if group writeback is already enabled. For more information, see Modify Azure AD Connect group writeback default behavior.

Understand limitations of public preview

Although this release has undergone extensive testing, you might still encounter issues. One of the goals of this public preview release is to find and fix any issues before the feature moves to general availability.

Microsoft provides support for this public preview release, but it might not be able to immediately fix issues that you encounter. For this reason, we recommend that you use your best judgment before deploying this release in your production environment. 

These limitations and known issues are specific to group writeback:

  • Cloud distribution lists created in Exchange Online can't be written back to Active Directory; only Microsoft 365 groups and Azure AD security groups are supported.

  • For backward compatibility with the original version of group writeback, when you enable group writeback, all existing Microsoft 365 groups are written back and created as distribution groups by default.

  • When you disable writeback for a group, the group isn't automatically removed from your on-premises Active Directory until it's hard deleted in Azure AD. You can change this behavior by following the steps in Modify Azure AD Connect group writeback default behavior.

  • Group writeback doesn't support writing back nested group members that have a scope of Domain local in Active Directory, because Azure AD security groups are written back with a scope of Universal. If you have a nested group like this, you'll see an export error in Azure AD Connect with the message "A universal group cannot have a local group as a member." The resolution is to remove the member with the Domain local scope from the Azure AD group, or update the nested group member's scope in Active Directory to Global or Universal.

  • Group writeback supports writing back groups to only a single organizational unit (OU). After the feature is enabled, you can't change the OU that you selected. A workaround is to disable group writeback entirely in Azure AD Connect and then select a different OU when you re-enable the feature.

  • Nested cloud groups that are members of writeback-enabled groups must also be enabled for writeback to remain nested in Active Directory.

  • A group writeback setting to manage new security group writeback at scale is not yet available. You need to configure writeback for each security group individually.

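The following function is an added example (not part of the original article) that pre-checks a single group against the limitations listed above before you enable it for writeback: the member-count limits, synced nested members with Domain local scope, and cloud-only nested groups that are not themselves enabled for writeback. It assumes the Microsoft.Graph PowerShell module with an existing Connect-MgGraph session (Group.Read.All and GroupMember.Read.All), the ActiveDirectory RSAT module, and a domain-joined host that can reach a domain controller. The function name, the two limit constants, and the way nested-group writeback state is inferred (the default directory setting is assumed to be in effect) are this example's own choices.

```powershell
# Added example (not from the original article): pre-flight check for a group
# you plan to enable for writeback, covering the limits and nesting rules above.
# Assumptions: Microsoft.Graph module with an existing Connect-MgGraph session
# (Group.Read.All, GroupMember.Read.All), the ActiveDirectory RSAT module, and a
# domain-joined host that can query a domain controller. The beta endpoint is
# used because writebackConfiguration is only exposed there.

$M365MemberLimit     = 50000    # default behavior; 250,000 if you modify the default
$SecurityMemberLimit = 250000   # limit for Azure AD security groups

function Test-GroupWritebackReadiness {
    param([Parameter(Mandatory)][string]$GroupId)
    $base = "https://graph.microsoft.com/beta/groups/$GroupId"

    $g = Invoke-MgGraphRequest -Method GET -Uri "$base`?`$select=id,displayName,groupTypes,securityEnabled"
    $isM365   = $g.groupTypes -contains 'Unified'
    $findings = [System.Collections.Generic.List[string]]::new()

    # Member-count limits. $count is a server-side count and requires the
    # ConsistencyLevel: eventual header; the response body is the bare number.
    $count = [int](Invoke-MgGraphRequest -Method GET -Uri "$base/members/`$count" -Headers @{ ConsistencyLevel = 'eventual' })
    $limit = if ($isM365) { $M365MemberLimit } else { $SecurityMemberLimit }
    if ($count -gt $limit) { $findings.Add("member count $count exceeds the $limit limit") }

    # Only group-typed members matter for the nesting rules; the OData cast
    # returns just those, with group properties, and is paged via nextLink.
    $uri = "$base/members/microsoft.graph.group?`$select=id,displayName,groupTypes,onPremisesSecurityIdentifier,writebackConfiguration&`$top=999"
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($m in $page.value) {
            if ($m.onPremisesSecurityIdentifier) {
                # Synced from AD: a Domain local member makes the export fail with
                # "A universal group cannot have a local group as a member."
                $ad = Get-ADGroup -Identity $m.onPremisesSecurityIdentifier
                if ($ad.GroupScope -eq 'DomainLocal') {
                    $findings.Add("nested synced group '$($m.displayName)' is Domain local; change it to Global/Universal or remove it")
                }
            } else {
                # Cloud-only nested group: it must itself be written back to stay nested in AD.
                # Microsoft 365 groups are written back unless isEnabled is false (assumes the
                # default directory setting); security groups only when isEnabled is true.
                $e = $m.writebackConfiguration.isEnabled
                $written = if ($m.groupTypes -contains 'Unified') { $e -ne $false } else { $e -eq $true }
                if (-not $written) {
                    $findings.Add("nested cloud group '$($m.displayName)' is not enabled for writeback; nesting will be lost in AD")
                }
            }
        }
        $uri = $page.'@odata.nextLink'
    } while ($uri)

    [pscustomobject]@{
        Id          = $g.id
        DisplayName = $g.displayName
        IsM365Group = $isM365
        MemberCount = $count
        Ready       = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

# Usage: run it over every Microsoft 365 group and list the ones that need attention.
# (Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/groups?`$filter=groupTypes/any(c:c eq 'Unified')&`$select=id").value |
#     ForEach-Object { Test-GroupWritebackReadiness -GroupId $_.id } |
#     Where-Object { -not $_.Ready } | Select-Object DisplayName, MemberCount, Findings
```

Run this before enabling writeback rather than after: an export error on a Domain local member surfaces only once Azure AD Connect tries to export the group, and a nested cloud group that is not enabled for writeback is silently flattened rather than reported. Treat the OU you select for writeback as a container whose membership is controlled from the cloud, and keep it separate from OUs that hold your existing on-premises privileged groups.
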
Next steps