Group writeback for Microsoft 365 groups
Important
The public preview of Group Writeback v2 in Microsoft Entra Connect Sync is no longer available as of June 30, 2024. This feature was discontinued on this date, and you're no longer supported in Microsoft Entra Connect Sync to provision cloud security groups to Active Directory. The feature continues to operate beyond the discontinuation date; however, it no longer receives support and might cease functioning at any time without notice.
We offer similar functionality in Microsoft Entra Cloud Sync called Group Provision to Active Directory that you can use instead of Group Writeback v2 for provisioning cloud security groups to Active Directory. We're working on enhancing this functionality in Microsoft Entra Cloud Sync along with other new features that we're developing in Microsoft Entra Cloud Sync.
Customers who use this preview feature in Microsoft Entra Connect Sync should switch their configuration from Microsoft Entra Connect Sync to Microsoft Entra Cloud Sync. You can choose to move all your hybrid sync to Microsoft Entra Cloud Sync (if it supports your needs). You can also run Microsoft Entra Cloud Sync side by side and move only cloud security group provisioning to Active Directory onto Microsoft Entra Cloud Sync.
For customers who provision Microsoft 365 groups to Active Directory, you can keep using Group Writeback v1 for this capability.
You can evaluate moving exclusively to Microsoft Entra Cloud Sync by using the user synchronization wizard.
Group writeback is a feature that allows you to write cloud groups back to your on-premises Active Directory instance by using Microsoft Entra Connect Sync. Group writeback V2 using Microsoft Entra Connect has been deprecated. Group writeback V1 using Microsoft Entra Connect still functions and should be used if you are synchronizing Microsoft 365 groups. This version of group writeback is being replaced with Microsoft Entra Connect Cloud Sync group provisioning to Active Directory. However, the V1 functionality will continue to work until Microsoft Entra Connect cloud sync supports synchronizing Microsoft 365 groups.
This article provides information and walks you through enabling group writeback V1.
Important
This article describes how to enable group writeback V1 with Microsoft Entra Connect Sync. It should only be used by customers who provision Microsoft 365 groups to Active Directory.
Prerequisites and information
The following prerequisites must be met in order to enable group writeback.
- Azure Active Directory Premium licenses for your tenant.
- A configured hybrid deployment between your Exchange on-premises organization and Microsoft 365 and verified it's functioning correctly.
- Installed a supported version of Exchange on-premises
- Configured single sign-on using Azure Active Directory Connect
The following information should be taken into consideration when using group writeback V1 with Microsoft Entra Connect Sync:
- Microsoft 365 groups with up to 250,000 members can be written back to on-premises.
- If you don't want to write back all existing Microsoft 365 groups to Active Directory, you need to make changes to group writeback default behavior before performing the steps in this article to enable the feature. See Modify Microsoft 365 groups.
Enable group writeback
To enable group writeback, use the following steps:
- Open the Azure AD Connect wizard, select Configure, and then click Next.
- Select Customize synchronization options and then click Next.
- On the Connect to Azure AD page, enter your credentials. Click Next.
- On the Optional features page, verify that the options you previously configured are still selected.
- Select Group writeback and then click Next.
- On the Writeback page, select an Active Directory organizational unit (OU) to store objects that are synchronized from Microsoft 365 to your on-premises organization, and then click Next.
- To make it easier to find groups being written back from Microsoft Entra ID to Active Directory, there's an option to write back the group distinguished name by using the cloud display name:
Default format:
CN=Group_3a5c3221-c465-48c0-95b8-e9305786a271, OU=WritebackContainer, DC=domain, DC=comNew format:
CN=Administrators_e9305786a271, OU=WritebackContainer, DC=domain, DC=com
When you're configuring group writeback, a checkbox appears at the bottom of the configuration window. Select it to enable this feature.
Note
Groups being written back from Microsoft Entra ID to Active Directory will have a source of authority in the cloud. Any changes made on-premises to groups that are written back from Microsoft Entra ID will be overwritten in the next sync cycle.
- On the Ready to configure page, click Configure.
- When the wizard is complete, click Exit on the Configuration complete page.
- Open the Windows PowerShell as an Administrator on the Microsoft Entra Connect server, and run the following commands.
$AzureADConnectSWritebackAccountDN = <MSOL_ account DN>
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
# To grant the <MSOL_account> permission to all domains in the forest:
Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN $AzureADConnectSWritebackAccountDN
# To grant the <MSOL_account> permission to specific OU (eg. the OU chosen to writeback Office 365 Groups to):
$GroupWritebackOU = <DN of OU where groups are to be written back to>
Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN $AzureADConnectSWritebackAccountDN -ADObjectDN $GroupWritebackOU
For additional information on configuring the Microsoft 365 groups, see Configure Microsoft 365 Groups with on-premises Exchange hybrid.
Disable group writeback
To disable Group Writeback, use the following steps:
- Launch the Azure Active Directory Connect wizard and navigate to the Additional Tasks page. Select the Customize synchronization options task and click next.
- On the Optional Features page, uncheck group writeback. You will receive a warning letting you know that groups will be deleted. Click Yes.
Important
Disabling Group Writeback will cause any groups that were previously created by this feature to be deleted from your local Active Directory on the next synchronization cycle.
- Click Next.
- Click Configure.
Note
Disabling Group Writeback will set the Full Import and Full Synchronization flags to 'true' on the Azure Active Directory Connector, causing the rule changes to propagate through on the next synchronization cycle, deleting the groups that were previously written back to your Active Directory.
Modifying default behavior for Microsoft 365 groups
The following sections will provide guidance on how to modify the default behavior for Microsoft 365 groups.
Write back Microsoft 365 groups with up to 250,000 members
Because the default sync rule that limits the group size is created when group writeback is enabled, you must complete the following steps after you enable group writeback:
- On your Microsoft Entra Connect server, open a PowerShell prompt as an administrator.
- Disable the Microsoft Entra Connect Sync scheduler:
Set-ADSyncScheduler -SyncCycleEnabled $false
- Open the synchronization rule editor.
- Set the direction to Outbound.
- Locate and disable the Out to AD – Group Writeback Member Limit synchronization rule.
- Enable the Microsoft Entra Connect Sync scheduler:
Set-ADSyncScheduler -SyncCycleEnabled $true
Note
Disabling the synchronization rule will set the flag for full synchronization to true on the Microsoft Entra connector. This change will cause the rule changes to propagate through on the next synchronization cycle.