Azure AD – Group writeback

Group writeback writes Azure AD groups to on-premises Active Directory. The write is performed by Azure AD Connect Sync, so the feature is configured and verified on the Azure AD Connect server.

Limitations

The following limitations must be taken into account when Group writeback is implemented.

  • Microsoft 365 groups can be written back as Active Directory distribution groups or Active Directory security groups.
  • Azure AD security groups can be written back only as security groups.
  • All groups written to Active Directory have Universal scope.
  • Azure AD groups can be assigned or dynamic groups.
  • Nested group membership in Azure AD is written back only if both groups exist in AD.
  • If a device is a member of the Azure AD group, the device is also a member of the Active Directory group.

Verify the version of Azure AD Connect

Before setting up Azure AD Group writeback, verify the version of Azure AD Connect. From the Azure AD Connect server, open a PowerShell prompt and import the ADSync PowerShell module with the following command.

Import-Module ADSync

Azure AD - Group writeback - Import module ADSync

Run the following command to display the global settings of Azure AD Connect Sync, which include the server configuration version.

(Get-ADSyncGlobalSettings).Parameters | select Name,Value

Check the version in the output. The version must be equal to or greater than 2.0.89.0.

Azure AD - Group writeback - Verify the version of Azure AD Connect

If the version is lower than 2.0.89.0, update Azure AD Connect before continuing.

Verify if Group writeback is enabled

Before enabling Group writeback, verify whether the feature is already enabled. This verification can be performed with PowerShell or with the Azure AD portal.

With PowerShell

From the Azure AD Connect server, import the ADSync PowerShell module with the following command.

Import-Module ADSync

Azure AD - Group writeback - Import module ADSync

Run the following command to verify if Group writeback is enabled.

Get-ADSyncAADCompanyFeature

If the value of GroupWritebackV2 is False, you must enable the feature.
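The two checks above (version and feature flag) can be combined into one pre-flight script. The following PowerShell is an added example, not code from the original article; it assumes the ADSync module is installed locally, that the sync engine exposes its version through the global-settings parameter named Microsoft.Synchronize.ServerConfigurationVersion (with the Windows Uninstall registry key as a fallback), and that Get-ADSyncAADCompanyFeature reports the flag as GroupWritebackV2.

```powershell
# Added example (not from the original article): pre-flight checks for
# Group writeback, run on the Azure AD Connect server.
# Assumptions: ADSync module installed; version exposed as the global-settings
# parameter "Microsoft.Synchronize.ServerConfigurationVersion"; feature flag
# reported as the GroupWritebackV2 property of Get-ADSyncAADCompanyFeature.
Import-Module ADSync -ErrorAction Stop

$MinimumVersion = [version]'2.0.89.0'   # minimum version stated in the article

function Get-AADConnectVersion {
    # Prefer the version recorded in the sync engine's global settings.
    $param = (Get-ADSyncGlobalSettings).Parameters |
        Where-Object { $_.Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion' }
    if ($param -and $param.Value) { return [version]$param.Value }

    # Fallback: the installed-product entry under the Uninstall registry key.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { return [version]$entry.DisplayVersion }

    throw 'Unable to determine the Azure AD Connect version.'
}

function Test-GroupWritebackPrerequisites {
    $version   = Get-AADConnectVersion
    $versionOk = $version -ge $MinimumVersion

    # GroupWritebackV2 is the company feature flag for Group writeback.
    $features  = Get-ADSyncAADCompanyFeature
    $featureOn = [bool]$features.GroupWritebackV2

    [pscustomobject]@{
        InstalledVersion        = $version
        MinimumVersion          = $MinimumVersion
        VersionOk               = $versionOk
        GroupWritebackV2Enabled = $featureOn
        Ready                   = ($versionOk -and $featureOn)
    }
}

$result = Test-GroupWritebackPrerequisites
$result | Format-List

if (-not $result.VersionOk) {
    Write-Warning "Azure AD Connect $($result.InstalledVersion) is older than $MinimumVersion; upgrade before enabling Group writeback."
}
if (-not $result.GroupWritebackV2Enabled) {
    Write-Warning 'GroupWritebackV2 is False; enable Group writeback from the Azure AD Connect wizard (Customize synchronization options).'
}
```

Run it in an elevated PowerShell session on the Azure AD Connect server. Ready is True only when both the version requirement and the feature flag are satisfied; the warnings tell you which of the two steps in this article still has to be done.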

With the Azure Active Directory portal

From the Azure AD admin center (aad.portal.azure.com), open Groups and select the group. Click on Properties, then check the value of Group writeback state.

Verify writeback with the Azure AD portal

Enable Group Writeback

From the Azure AD Connect server, open the Azure AD Connect setup wizard (double-click the icon on the desktop) and click on Configure.

Open the Azure AD Connect setup wizard

Click on Customize synchronization options, then click on Next.

Select Customize synchronization options

Enter the password of the Azure AD account, then check Group writeback.

Enable Group writeback

Select the destination organizational unit. It must be an OU that is synchronized by Azure AD Connect; if you select an unsynchronized OU, an error message appears.

Select the destination organizational unit

Enter the credentials of an Enterprise Admin account and click on Next.

Configure Enterprise Admin username

Click on Configure to apply the configuration and start the synchronization.

Start the synchronization between AD and Azure AD

The groups have been synchronized.

Synchronization has been processed

You can see the groups in Active Directory Users and Computers.

Active Directory groups

In Azure Active Directory, the Group writeback state can be set on each group. When Azure AD Connect runs the next synchronization, the group is written to Active Directory.

Select Group writeback state

The group is synchronized in AD
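The last step (setting the Group writeback state on a group and watching it appear in AD) can also be driven from PowerShell. The following script is an added example, not code from the original article. It assumes the Microsoft.Graph PowerShell SDK, the RSAT ActiveDirectory module and the ADSync module are available on the machine it runs on, that the Graph group resource exposes the portal's Group writeback state as the writebackConfiguration property (isEnabled plus onPremisesGroupType), and that Get-ADSyncScheduler reports SyncCycleInProgress. $GroupId and $TargetOU are placeholders to replace with your own values.

```powershell
# Added example (not from the original article). Sets the Group writeback
# state on one Azure AD group via Microsoft Graph, runs a delta sync on the
# Azure AD Connect server, then checks the written-back groups in AD.
# Assumptions: Microsoft.Graph SDK, ActiveDirectory and ADSync modules are
# installed; Graph exposes writebackConfiguration on the group resource;
# Get-ADSyncScheduler exposes SyncCycleInProgress.
Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module ADSync -ErrorAction Stop

$GroupId  = '00000000-0000-0000-0000-000000000000'   # placeholder: Azure AD group object ID
$TargetOU = 'OU=Writeback,DC=corp,DC=example'         # placeholder: OU selected in the wizard

function Set-GroupWritebackState {
    param(
        [Parameter(Mandatory)][string]$Id,
        # Azure AD security groups accept only universalSecurityGroup;
        # Microsoft 365 groups accept either value (see the Limitations above).
        [ValidateSet('universalSecurityGroup', 'universalDistributionGroup')]
        [string]$OnPremGroupType = 'universalSecurityGroup'
    )
    $body = @{
        writebackConfiguration = @{
            isEnabled           = $true
            onPremisesGroupType = $OnPremGroupType
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/groups/$Id" -Body $body
    # Read the setting back so the caller can confirm what was stored.
    $uri = "https://graph.microsoft.com/v1.0/groups/$Id" + '?$select=displayName,writebackConfiguration'
    Invoke-MgGraphRequest -Method GET -Uri $uri
}

function Wait-ADSyncCycle {
    # Poll the scheduler until the running cycle has finished.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    do {
        Start-Sleep -Seconds 10
    } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}

function Test-WrittenBackGroups {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Every written-back group must be Universal; flag anything that is not.
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties Members, GroupCategory, GroupScope |
        ForEach-Object {
            [pscustomobject]@{
                Name             = $_.Name
                Scope            = $_.GroupScope
                Category         = $_.GroupCategory
                ScopeIsUniversal = ($_.GroupScope -eq 'Universal')
                MemberCount      = @($_.Members).Count
            }
        }
}

Connect-MgGraph -Scopes 'Group.ReadWrite.All'
$cloudGroup = Set-GroupWritebackState -Id $GroupId -OnPremGroupType 'universalSecurityGroup'
"Writeback enabled for '$($cloudGroup.displayName)': $($cloudGroup.writebackConfiguration.isEnabled)"

Wait-ADSyncCycle
Test-WrittenBackGroups -SearchBase $TargetOU | Format-Table -AutoSize
```

Run the Graph part from any workstation with the SDK, and the sync and AD parts on the Azure AD Connect server (or a host with RSAT that can reach the domain). Pick universalDistributionGroup only for a Microsoft 365 group; for an Azure AD security group Graph rejects it, which matches the second limitation listed at the top of this article.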
