Group writeback permit to write Azure Group on Active Directory OnPrem. For this operation, Azure AD Connect Sync is used.
The following limitation must be taken into account when Group writeback is implemented.
- Microsoft 365 groups can be written as Active Directory Distribution groups or Active Directory Security groups.
- Azure AD Security groups can be written only as Security groups.
- All groups written in Active Directory must have Universal scope.
- Azure AD groups can be assigned or dynamic groups.
- Group nesting in Azure AD can be written if both groups exist in AD.
- If the device is member of the Azure AD Group, this device is member of the Active Directory Groups.
Verify the version of Azure AD Connect
Before to set up Azure AD Group writeback, it’s recommended to verify the version of Azure AD Connect. From the Azure AD Connect server, open Powershell Prompt and import the ADSync powershell module with the following command.
Run the following command to verify the version of the Azure AD Connect Sync
(Get-ADSyncGlobalSettings).Parameters | select Name,Value
Verify the version of Azure AD Connect. The version must be equal or greater than 126.96.36.199.
if it’s not equal or greater, update the version of Azure AD Connect.
Verify if Azure AD Writeback is enabled
Before to enabled Group writeback, you must verify if the feature is enabled. This verification can be perfomed with powershell or Azure AD portal.
From the Azure AD Connect server, import ADSync powerhsell module. Run the following command to import the module.
Run the following command to verify if Group writeback is enabled.
If the value is False you must enable the feature.
With Azure Active Directory portal
From the Azure Portal (aad.portal.azure.com), select the groups. Click on Properties then verify the value of Group writeback state.
Enable Group Writeback
From the Azure AD Connect server, open Azure AD Connect setup wizard (double click on the icon on the desktop) and click on Configure.
Click on Customize synchronization options then click on Next.
Enter the password of the Azure AD account then check Group writeback.
Select the destination organizational unit synchronized by Azure AD Connect. If you select an unsynchronized OU, an error message appears.
Enter credential of Enterprise Admin Username and click on Next.
Click on Configure to launch configuration and begin synchronization.
The group has been synchronized.
You can see the groups on Active Directory Users and Computers.
In Azure Active Directory, I can choose the the Group writeback state. When the Azure AD Connect launch synchronization, the goup is written in Active Directory