But the Functionality Might Not Be What It Seems
On July 6, Microsoft announced the public preview of Azure AD Group Writeback. In a nutshell, the new capability allows Azure AD Connect to write back Microsoft 365 Groups to on-premises Active Directory as distribution lists, security groups, or mail-enabled security groups. As is usual with announcements of this nature, it raised several questions. In this article, I want to explain some higher-level details about the new feature, and in particular what it does not do.
To set the scene, here are two Microsoft articles and a how-to article by Identity Man that explain the basics of the new functionality:
- Azure AD Connect: Group Writeback.
- Group writeback portal operations (preview) in Azure Active Directory.
- Using the new Group Writeback functionality in Azure AD.
What Azure AD Connect Does Now
The best way to think of how Azure AD Connect works now is that it uses two one-way syncs.
- On-premises user, group, and computer objects are synchronized from Active Directory (AD) to Azure AD (AAD). The Active Directory object remains the authoritative source, meaning updates can only be made in Active Directory.
- The new Azure AD Group Writeback synchronizes security and Microsoft 365 groups created in Azure AD to Active Directory, into a specific target OU (Organizational Unit) of your choice. Azure AD remains the authoritative source for updates to these groups.
Taking these rules into account, here are some practical examples of where you might assume that something is possible when it isn’t.
First, it seems that you can update a newly written-back group in Active Directory (AD). However, this isn’t true: within 30 minutes, once the next delta sync runs, AAD Connect reverts any changes made to the group in AD. You can see the details of these operations in the AAD Connect logs.
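The revert behaviour is easy to confirm instead of waiting for the scheduler. The following PowerShell is an added example, not code from the article or from Microsoft: it adds a member to a written-back group directly in AD, forces a delta sync cycle, and compares the membership before and after. It assumes it runs on the Azure AD Connect server with the ActiveDirectory and ADSync modules available; the OU, group and user names are placeholders.

```powershell
# Added example (not from the original article). Shows that a change made in AD to a
# group written back from Azure AD is undone by the next delta sync, because Azure AD
# remains the authoritative source for that group.
# Assumptions: run on the AAD Connect server; ActiveDirectory + ADSync modules installed;
# $writebackOU, $groupName and $testUser are placeholders for your environment.
Import-Module ActiveDirectory
Import-Module ADSync

$writebackOU = 'OU=AADGroupWriteback,DC=contoso,DC=local'   # the target OU chosen in AAD Connect (placeholder)
$groupName   = 'DL30'                                       # a group written back from Azure AD (placeholder)
$testUser    = 'jdoe'                                       # an on-prem user not currently in the group (placeholder)

# Look the group up inside the writeback OU so we do not accidentally pick an AD-mastered group of the same name
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $writebackOU
if (-not $group) { throw "Group '$groupName' not found under $writebackOU" }

function Get-MemberNames([Microsoft.ActiveDirectory.Management.ADGroup] $g) {
    Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName | Sort-Object
}

$before = Get-MemberNames $group
Write-Host "Members from Azure AD: $($before -join ', ')"

# Edit the group locally, as an admin might expect to be allowed to do
Add-ADGroupMember -Identity $group -Members $testUser
$afterLocalEdit = Get-MemberNames $group
Write-Host "Members after local AD edit: $($afterLocalEdit -join ', ')"

# Trigger the delta sync now rather than waiting up to 30 minutes for the scheduler,
# then wait for the cycle to finish
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 15 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

$afterSync = Get-MemberNames $group
Write-Host "Members after delta sync: $($afterSync -join ', ')"

# Expected outcome: the locally added member is gone again, and the membership matches
# what Azure AD holds. Any difference between $before and $afterSync indicates the group
# is not actually mastered in Azure AD (check the run history in Synchronization Service Manager).
$reverted = -not (Compare-Object -ReferenceObject $before -DifferenceObject $afterSync)
Write-Host "Local edit reverted by writeback: $reverted"
```

If you need a membership change to stick, make it in Azure AD (portal, Graph, or Exchange Online for Microsoft 365 Groups) and let the writeback carry it to AD.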
Second, after adding two new columns (Target writeback type, Writeback enabled) to the All Groups view in the Azure portal, it appears that you can change Writeback enabled for a group synchronized from Active Directory from “No” to “Yes” (like the DL30 group shown in Figure 1). However, if you do this, you will get the error: ”Failed to update group, Unable to complete due to service connection error. Please try again later” (see Figure 2). This is because Active Directory remains the authoritative source for that group, so Azure AD cannot modify it.
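The portal error gives no hint about the cause, so it helps to check where a group is mastered before trying to enable writeback. The function below is an added example, not code from the article or from Microsoft. It uses the Microsoft Graph PowerShell SDK and assumes that the portal’s Writeback enabled setting corresponds to the group’s `writebackConfiguration` property, which is only exposed on the Graph beta endpoint (so the Microsoft.Graph.Beta.Groups module is required for the update). Group names are placeholders.

```powershell
# Added example (not from the original article). Checks whether a group is synchronized
# from on-premises AD (and therefore AD-mastered) before attempting to enable writeback.
# Assumptions: Microsoft.Graph.Groups and Microsoft.Graph.Beta.Groups modules installed;
# writebackConfiguration is the beta Graph property behind the portal's "Writeback enabled"
# column (assumption); 'DL30' and 'Cloud-Sales' are placeholder group names.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function Enable-GroupWritebackIfCloudMastered {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [ValidateSet('universalDistributionGroup', 'universalSecurityGroup', 'universalMailEnabledSecurityGroup')]
        [string] $OnPremisesGroupType = 'universalDistributionGroup'
    )

    $g = Get-MgGroup -Filter "displayName eq '$DisplayName'" `
                     -Property 'id,displayName,onPremisesSyncEnabled,groupTypes' |
         Select-Object -First 1
    if (-not $g) { throw "Group '$DisplayName' not found in Azure AD" }

    # onPremisesSyncEnabled is $true for groups that AAD Connect synchronizes from AD.
    # AD is authoritative for those objects, so Azure AD cannot attach a writeback
    # configuration to them; the portal surfaces this as a generic "service connection error".
    if ($g.OnPremisesSyncEnabled) {
        Write-Warning "'$DisplayName' is mastered in on-premises AD; writeback cannot be enabled from Azure AD."
        return $false
    }

    # Cloud-mastered group: enable writeback with the requested on-premises group type
    Update-MgBetaGroup -GroupId $g.Id -BodyParameter @{
        writebackConfiguration = @{
            isEnabled           = $true
            onPremisesGroupType = $OnPremisesGroupType
        }
    }
    Write-Host "Writeback enabled for '$DisplayName' as $OnPremisesGroupType"
    return $true
}

# Usage (placeholder names):
Enable-GroupWritebackIfCloudMastered -DisplayName 'DL30'         # synced from AD: warning, returns $false
Enable-GroupWritebackIfCloudMastered -DisplayName 'Cloud-Sales'  # created in Azure AD: writeback enabled
```

The same `onPremisesSyncEnabled` check is the quickest way to answer the general question this article raises for any group: if it is true, treat the object as read-only in Azure AD and make changes in AD; if it is not, the reverse applies.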
The point is that Azure AD Group Writeback does NOT enable bi-directional synchronization of groups. Retaining the source of authority in two different systems is an extremely difficult problem. Even though Active Directory objects synchronized to Azure AD appear to be the same object, they are in fact two separate, distinct objects in two different directories. AAD Connect simply replicates the attributes of those objects from one directory to the other, so that the objects appear to be the same in both.
Azure AD Group Writeback also does not solve the problem of updating a Distribution List from Outlook after an on-premises Exchange mailbox moves to Exchange Online. Outlook can update Distribution List membership while the mailbox is in Exchange on-premises, but not after the mailbox migrates to Exchange Online. That limitation remains and is not addressed by Azure AD Group Writeback.
One Step Forward
Azure AD Group Writeback has its uses and benefits for the transition from Active Directory (AD) dependence to Azure AD. It is another important step toward enabling organizations to move closer to cloud-only identities based on Azure AD. That road is a journey, and this is just one step along the way.
Great article, sir!
Appreciate the feedback, I think Group Writeback is a good start and excited to see what comes next as Azure AD becomes the authoritative source of truth.
Thanks, very helpful!