Provisioning to Active Directory with Microsoft Entra Cloud Sync FAQ

Yes, You can use Microsoft Entra Cloud Sync solely for Security Group Provisioning to AD while simultaneously using Connect Sync for syncing AD to Microsoft Entra ID. Any cloud security group that includes users synchronized from AD via Microsoft Entra Connect Sync can be provisioned to Active Directory using Microsoft Entra Cloud Sync and Group Provisioning to AD.

For instance, if there are two users (User A and User B) who are Active Directory Domain Services users and have been synchronized with Microsoft Entra Connect Sync to Microsoft Entra ID, you can create a cloud security group in Microsoft Entra ID called SecurityGroup A. This group can then be provisioned back to AD DS using Microsoft Entra Cloud Sync - Group Provisioning to Active Directory.

Yes, when you uninstall or disable Group Writeback V2 from your Connect Sync configuration, it defaults to Group Writeback V1. This default supports the ability to write back all Microsoft 365 groups in Microsoft Entra ID.

When you disable Group Writeback V1, the next full sync deletes all the groups that are written by Microsoft Entra Connect Sync to AD. Cloud Security Groups provisioned using Microsoft Entra Cloud Sync won’t be impacted by this operation.

No, this field isn't currently used for determining the scope of groups being provisioned to AD using Cloud Sync. You have to use the Microsoft Entra Cloud Sync configuration experience in the portal to set scope. For more information, see Using directory extensions with group provisioning to Active Directory.

No, following the migration steps for moving from group writeback V2 to Microsoft Entra cloud sync will not affect synchronization between AD and Microsoft Entra ID.

Next steps

• What is provisioning?
• What is Microsoft Entra Cloud Sync?