Manage groups with directory synchronization


Once an organization implements directory synchronization between its on-premises AD and Microsoft Entra ID, it must manage the membership of all synchronized groups in its on-premises Active Directory. Organizations can run either Microsoft Entra Connect Sync or Microsoft Entra Cloud Sync to implement directory synchronization. After an organization implements directory synchronization, the on-premises Active Directory becomes the source of authority for its synchronized users and group membership, so membership changes for those groups must be made on-premises rather than in the cloud.

Directory synchronization handles groups much as it handles users in Microsoft 365. As with users, directory synchronization copies groups and their membership from on-premises AD to Microsoft Entra ID. In the other direction, the group writeback feature writes Microsoft 365 groups from Microsoft Entra ID back to on-premises AD, much as the other writeback features return cloud-originated changes to the on-premises directory.

Group writeback in Microsoft Entra Connect Sync

Group writeback is an optional feature in Microsoft Entra Connect Sync. Organizations must complete the following steps to enable group writeback in Microsoft Entra Connect Sync:

  • Run Exchange 2013 CU8 or later, or Exchange 2016, so that the on-premises Exchange organization recognizes this group type.
  • Create the OU and grant the permissions required for group writeback in on-premises Active Directory. Microsoft Entra Connect Sync provides a built-in cmdlet, Initialize-ADSyncGroupWriteBack, that prepares Active Directory automatically.

After the sync process finishes, Microsoft 365 groups appear in the on-premises container that the Microsoft 365 administrator selected during configuration. Each written-back group is created as a distribution group in the on-premises Active Directory.

Note

Group writeback, as described here, applies only to Microsoft 365 groups. It doesn't write back cloud security groups or cloud distribution groups.

An organization's on-premises Exchange Global Address List doesn't immediately show the written-back groups. However, you can make them available quickly by running any of the following Exchange PowerShell cmdlets:

  • Update-Recipient
  • Update-AddressList
  • Update-GlobalAddressList

Warning

Either Update-AddressList or Update-GlobalAddressList forces the written-back groups to appear. Keep in mind, however, that both of these cmdlets operate on whole address lists and therefore consume more resources on the servers running Exchange Server than Update-Recipient, which updates only the recipients you specify.

When group writeback synchronizes groups from Microsoft Entra ID to on-premises Active Directory, it also writes back their membership, but only for members whose user accounts originated in on-premises AD. Users created directly in Microsoft Entra ID (cloud-only accounts) are omitted from the written-back membership, so the on-premises copy of a group can have fewer members than the cloud group. When group writeback creates a group, it fills the name attribute of the on-premises group with the cloud group's ObjectGUID instead of a human-readable name, so identify written-back groups by their display name rather than by name.
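As an added example (not code from this module or from Microsoft), the following PowerShell script walks the procedure above end to end on the Microsoft Entra Connect server: it creates the writeback OU, runs Initialize-ADSyncGroupWriteBack, checks that the connector account's rights are scoped to that OU rather than the domain root, inventories the written-back groups after a sync cycle (showing the GUID-based name next to the display name and the member count actually written back), and runs Update-Recipient against them so they show up in the GAL without rebuilding whole address lists. The domain, OU name, connector account and Exchange server are placeholders, and the assumption that the cmdlet loads with the ADSync module installed alongside Microsoft Entra Connect is mine.

```powershell
# Added example, not from the Microsoft Learn module or Microsoft's own scripts.
# Prepares the writeback OU, checks that the connector account's rights are
# scoped to that OU, inventories the written-back groups after a sync and
# refreshes them in the Exchange GAL with Update-Recipient.
# Assumptions: the OU, domain, connector account and Exchange server below are
# placeholders; Initialize-ADSyncGroupWriteBack is assumed to load with the
# ADSync module; run on the Entra Connect server with AD and Exchange RBAC rights.
#Requires -Modules ActiveDirectory

$DomainDN         = 'DC=contoso,DC=com'            # assumed
$WritebackOUName  = 'M365 Groups'                  # assumed
$WritebackOU      = "OU=$WritebackOUName,$DomainDN"
$ConnectorAccount = 'CONTOSO\MSOL_0123456789ab'    # assumed AD DS connector account
$ExchangeServer   = 'ex01.contoso.com'             # assumed

Import-Module ActiveDirectory
Import-Module ADSync   # assumed module for Initialize-ADSyncGroupWriteBack

# Step 1: dedicated OU for written-back groups, protected from accidental deletion.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$WritebackOU'")) {
    New-ADOrganizationalUnit -Name $WritebackOUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# Step 2: let the built-in cmdlet grant the connector account what it needs on that OU.
Initialize-ADSyncGroupWriteBack -GroupWriteBackContainerDN $WritebackOU -ADConnectorAccount $ConnectorAccount

# Step 3 (security check): the connector account's rights should appear on the
# writeback OU and not on the domain root. Over-broad ACEs would let a
# compromised connector account create or modify groups anywhere in the domain.
function Get-ConnectorAces([string]$Dn) {
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $ConnectorAccount }
}
Write-Host "ACEs for $ConnectorAccount on $WritebackOU :"
Get-ConnectorAces $WritebackOU |
    Format-Table ActiveDirectoryRights, InheritanceType, AccessControlType -AutoSize
$rootAces = Get-ConnectorAces $DomainDN |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|CreateChild|WriteDacl|WriteOwner' }
if ($rootAces) {
    Write-Warning "$ConnectorAccount holds create/modify rights at the domain root; review before enabling writeback."
}

# Step 4 (after a sync cycle): inventory what was written back. The name
# attribute is derived from the cloud ObjectGUID, so show displayName next to
# it, and confirm each object is a distribution group.
$groups = Get-ADGroup -SearchBase $WritebackOU -SearchScope OneLevel -Filter * `
    -Properties displayName, mail, member
foreach ($g in $groups) {
    if ($g.GroupCategory -ne 'Distribution') {
        Write-Warning "$($g.Name) is a $($g.GroupCategory) group; group writeback is expected to create distribution groups only."
    }
    [pscustomobject]@{
        Name        = $g.Name              # GUID-derived, not human readable
        DisplayName = $g.displayName
        Mail        = $g.mail
        Members     = @($g.member).Count   # cloud-only users are not written back, so this can be lower than in the cloud
    }
}

# Step 5: make the groups visible in the GAL per recipient, not per address list.
$exch = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ExchangeServer/PowerShell/" -Authentication Kerberos
Import-PSSession $exch -DisableNameChecking -CommandName Update-Recipient | Out-Null
foreach ($g in $groups) {
    Update-Recipient -Identity $g.DistinguishedName
}
Remove-PSSession $exch
```

Run steps 1 to 3 before enabling group writeback in the Entra Connect wizard, and steps 4 and 5 after the first sync cycle completes; the domain-root check in step 3 is the one to keep in a recurring audit, since the connector account's rights are what an attacker would abuse to plant groups outside the intended OU.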

Additional reading. For more information, see Microsoft Entra Connect Sync group writeback.

The following graphic shows that new Microsoft 365 groups receive a distribution list on-premises for routing purposes whenever an organization enables group writeback.

Diagram shows that when an organization activates group writeback, new Microsoft 365 groups receive a distribution list on-premises.

Group writeback in Microsoft Entra Cloud Sync (Preview)

Previously, Microsoft Entra Cloud Sync didn't support group writeback. Starting with provisioning agent version 1.1.1370.0, Microsoft Entra Cloud Sync can perform group writeback, which means it can provision groups from Microsoft Entra ID directly to your on-premises Active Directory environment. Because the feature is in preview, see Group writeback with Microsoft Entra Cloud Sync (Preview) for its current capabilities and release schedule before relying on it.