Group writeback in the Microsoft Entra admin center
Note
This article discusses how to perform operations in the Microsoft Entra admin center with regard to group writeback. For information on setup and configuration, see Provision groups to Active Directory using Microsoft Entra Cloud Sync (Preview).
With the release of provisioning agent 1.1.1370.0, Cloud Sync now has the ability to provision groups directly to your on-premises Active Directory environment. With this capability, you can use identity governance features to govern access to Active Directory-based applications. For example, you can include a group in an entitlement management access package. This is currently in public preview.
For more information, see Group provisioning to Active Directory and Govern on-premises Active Directory-based apps (Kerberos) using Microsoft Entra ID Governance (preview).
Important
The public preview of Group Writeback v2 in Microsoft Entra Connect Sync will no longer be available after June 30, 2024. The feature will be discontinued on this date, and provisioning cloud security groups to Active Directory will no longer be supported in Connect Sync. The feature will continue to operate beyond the discontinuation date; however, it will no longer receive support after this date and may cease functioning at any time without notice.
We offer similar functionality in Microsoft Entra Cloud Sync called Group Provision to Active Directory that you can use instead of Group Writeback v2 for provisioning cloud security groups to Active Directory. We're working on enhancing this functionality in Cloud Sync along with other new features that we're developing in Cloud Sync.
Customers who use this preview feature in Connect Sync should switch their configuration from Connect Sync to Cloud Sync. You can choose to move all your hybrid sync to Cloud Sync (if it supports your needs). You can also run Cloud Sync side by side and move only cloud security group provisioning to Active Directory onto Cloud Sync.
For customers who provision Microsoft 365 groups to Active Directory, you can keep using Group Writeback v1 for this capability.
You can evaluate moving exclusively to Cloud Sync by using the user synchronization wizard.
If you're using Microsoft Entra Connect Sync Group Writeback v2, you need to move to Cloud Sync provisioning to Active Directory before you can take advantage of Cloud Sync group provisioning. For more information, see Migrate Microsoft Entra Connect Sync Group Writeback v2 to Microsoft Entra Cloud Sync.
Note
If you were previously writing Microsoft 365 groups back to on-premises Active Directory as universal distribution groups, they appear in the Azure portal as not enabled for writeback on both the Groups page and the properties page for a group. These pages display a new property introduced for the preview, writeback enabled. This property isn't set by the current version of Group Writeback to ensure backward compatibility with the legacy version of Group Writeback and to avoid breaking existing customer setups.
To understand the behavior of No writeback in the portal, you can view the writeback state via Microsoft Graph. For more information, see Get group.
Portal | Microsoft Graph | Behavior |
---|---|---|
Writeback | isEnabled = null or true | The group will be written back. |
No writeback | isEnabled = false | The group won't be written back. |
No writeback | isEnabled = null & onPremisesGroupType = null | If it's a Microsoft 365 group, it's written back to on-premises Active Directory as a distribution group. If it's a Microsoft Entra security group, it's written back to on-premises Active Directory. |
By default, the Group writeback state of groups is set to No writeback. This means:
- Microsoft 365 groups: If the group is isEnabled = null and onPremisesGroupType = null, to ensure backward compatibility with older versions of Group Writeback, the group is written back to on-premises Active Directory as a distribution group.
- Microsoft Entra security groups: If the group is isEnabled = null and onPremisesGroupType = null, the group is written back to on-premises Active Directory.
Show writeback columns
On the All groups overview page, you can add the group writeback columns Target writeback type and Writeback enabled to the view. The Target writeback type and Writeback enabled columns are available for the view whether or not you have writeback enabled in Microsoft Entra Connect.
Writeback column settings
The Writeback enabled column allows you to turn off the writeback capability for individual groups. The Target writeback type column allows you to specify to which group type you want this cloud group written back in on-premises Active Directory. For a Microsoft Entra Microsoft 365 group, you can write it back as a security group, a distribution group, or a mail-enabled security group. For a Microsoft Entra security group, you can write it back only as a security group.
Writeback settings in group properties
You can also configure writeback settings for a group on the property page for the group. There's a Group writeback state setting that allows you to turn off writeback for the group or to specify the writeback group type. When No writeback is selected, the group isn't written back. If you select one of the other writeback types as an option (for example, security), then you have:
- Enabled the group for writeback.
- Targeted the writeback type as a security group.
Read the writeback configuration by using PowerShell
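You can use the Get-MgGroup PowerShell cmdlet to get a list of writeback-enabled groups.

```powershell
Connect-MgGraph -Scopes @('Group.Read.All')
# Select-MgProfile exists only in Microsoft Graph PowerShell SDK v1. SDK v2 removed it
# and provides beta cmdlets such as Get-MgBetaGroup in the Microsoft.Graph.Beta module.
Select-MgProfile -Name beta
# List groups whose writebackConfiguration.isEnabled is explicitly true.
Get-MgGroup -All | Where-Object { $_.writebackConfiguration.isEnabled -Like $true } | Select-Object DisplayName, @{N="WriteBackEnabled";E={$_.writebackConfiguration.isEnabled}}
```

Output:

```
DisplayName WriteBackEnabled
----------- ----------------
CloudGroup1 True
CloudGroup2 True
```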
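The filter above returns only groups whose isEnabled is explicitly true, so it omits groups left at the default (isEnabled = null and onPremisesGroupType = null), which the table earlier in this article says are still written back. The following added example, which is not part of the original article, applies that table to each group; the function name Get-EffectiveWriteback and the sample groups are constructed for illustration.

```powershell
# Added example, not from the original article. Function name and sample groups
# are constructed; property names follow the Graph response shown on this page.
function Get-EffectiveWriteback {
    param([Parameter(Mandatory, ValueFromPipeline)] $Group)
    process {
        $cfg     = $Group.writebackConfiguration
        $enabled = $cfg.isEnabled             # $true, $false or $null
        $target  = $cfg.onPremisesGroupType   # target group type or $null
        $isM365  = $Group.groupTypes -contains 'Unified'   # Microsoft 365 group

        if ($enabled -eq $false) {
            # Explicitly switched off: the only state that stops writeback.
            $portal = 'No writeback'; $written = $false; $as = $null
        }
        elseif ($null -eq $enabled -and $null -eq $target) {
            # Backward-compatibility default: shown as "No writeback" but still written back.
            $portal = 'No writeback'; $written = $true
            $as = if ($isM365) { 'distribution group' } else { 'security group' }
        }
        else {
            $portal = 'Writeback'; $written = $true; $as = $target
        }

        [pscustomobject]@{
            DisplayName    = $Group.displayName
            PortalState    = $portal
            WrittenBack    = $written
            WrittenBackAs  = $as
            PortalMismatch = ($portal -eq 'No writeback' -and $written)
        }
    }
}

# Constructed sample input covering each row of the table.
$cfgOn   = [pscustomobject]@{ isEnabled = $true;  onPremisesGroupType = 'universalSecurityGroup' }
$cfgOff  = [pscustomobject]@{ isEnabled = $false; onPremisesGroupType = $null }
$cfgNull = [pscustomobject]@{ isEnabled = $null;  onPremisesGroupType = $null }
$sample = @(
    [pscustomobject]@{ displayName = 'CloudGroup1';  groupTypes = @();          writebackConfiguration = $cfgOn }
    [pscustomobject]@{ displayName = 'OptedOut';     groupTypes = @();          writebackConfiguration = $cfgOff }
    [pscustomobject]@{ displayName = 'LegacyM365';   groupTypes = @('Unified'); writebackConfiguration = $cfgNull }
    [pscustomobject]@{ displayName = 'LegacySecGrp'; groupTypes = @();          writebackConfiguration = $cfgNull }
)

# Groups flagged PortalMismatch are the ones the isEnabled -Like $true filter misses.
$sample | Get-EffectiveWriteback | Format-Table -AutoSize
```

For live data, pipe group objects that carry writebackConfiguration and groupTypes into the function instead of $sample.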
Read the writeback configuration by using Graph Explorer
Open Microsoft Graph Explorer and use the endpoint https://graph.microsoft.com/beta/groups/{Group_ID}.
Replace {Group_ID} with a cloud group ID, and then select Run query. In Response Preview, scroll to the end to see the writebackConfiguration part of the JSON response.

```json
"writebackConfiguration": {
    "isEnabled": true,
    ...
}
```
Next steps
- Check out the group's REST API documentation for the preview writeback property on the settings template.
- For more information about group writeback operations, see Microsoft Entra Connect group writeback.
- For more information about the writebackConfiguration resource, see writebackConfiguration resource type.