
The latest Azure AD Group Writeback improvements offer even more flexibility

Sander Berkouwer

Exchange admins have enjoyed the Group writeback optional feature in Azure AD Connect for a long time. It offers add-on functionality to Microsoft 365 Groups in Azure AD for organizations that use both Active Directory and Azure AD in a Hybrid Exchange setup.

About Group writeback

When Group writeback is enabled, Microsoft 365 groups are written back to Active Directory as universal distribution groups. This way, people in your organization with mailboxes on on-premises implementations of Exchange Server 2013 Cumulative Update 8, Exchange Server 2016 Cumulative Update 1, and newer versions of Exchange Server, can send email messages to these groups and receive email messages from these groups.

Limitations

From the get-go, group writeback had some limitations:

  • All writeback features require Azure AD Premium P1 licenses or a Microsoft license that includes the P1 license, such as Azure AD Premium P2, EMS E3, EMS A3, Microsoft 365 E3, Microsoft 365 E5, and Microsoft 365 Business Premium licenses.
  • Group writeback is limited to writing back Microsoft 365 groups (in Azure AD) to universal distribution groups (in Active Directory).
  • Only people with accounts that have the Global administrator role or the Hybrid Identity administrator role assigned, and who are savvy with Azure AD Connect, can manage Group writeback.
  • If an Active Directory forest does not have its schema extended with Exchange Server schema extensions, it is not eligible for the Group writeback feature, and the option will be grayed out in Azure AD Connect.

Earlier improvements

Some other limitations have been addressed since Azure AD Connect version 2.0.88.0 (released on December 15, 2021), like the ability to write back groups with their displayName attribute as the name of the written back group instead of a GUID, and the dropped requirement for the Exchange Server schema.

New features

Now, Microsoft is removing even more of the above limitations, in Public Preview since July 1, 2022:

Write back more group types to more group types

Admins can now write back groups with more flexibility. Microsoft 365 groups can be written back as distribution groups, security groups or mail-enabled security groups. Azure AD-based security groups can also now be written back, obviously only as security groups.

The table below shows the possible combinations:

Azure AD                Active Directory
Microsoft 365 Groups    Universal distribution groups
                        Universal mail-enabled security groups
                        Universal security groups
Security groups         Universal security groups

All written back groups are universal groups

Please note that all groups that are written back have the universal scope. This accommodates organizations that synchronize multiple Active Directory forests to one Azure AD tenant.

Email features still require Exchange Server Hybrid

Also, to write back the email components for distribution groups and/or mail-enabled security groups, an Exchange Server Hybrid setup needs to be available and Exchange Server needs to run Exchange Server 2016 cumulative update 15, or a newer version of Exchange Server.

Configure granular writeback settings

Admins can now configure groups to write back using the Azure AD admin portal, the Entra admin portal and through the Microsoft Graph.

What this looks like

For this purpose, two additional columns can be added to the view on the Groups page: Target writeback type and Writeback enabled. The Writeback enabled column allows admins to turn off the writeback capability per group. The Target writeback type column allows admins to specify the group type they want the cloud group written back as. These properties also bring a corresponding new field in the properties page for a group: the Group writeback state field.
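The same two per-group settings are exposed through Microsoft Graph. The following is an added example (not code from the original post or from Microsoft) that audits the writeback state of all groups and then sets it on one group; it assumes the Microsoft.Graph PowerShell SDK is installed and that the writebackConfiguration property (isEnabled, onPremisesGroupType) lives on the beta groups endpoint.

```powershell
# Added example, not from the original post: read and set the per-group writeback
# settings through Microsoft Graph. These are the same properties the portal shows as
# "Writeback enabled" and "Target writeback type".
# Assumptions: the Microsoft.Graph PowerShell SDK is installed; writebackConfiguration
# (isEnabled, onPremisesGroupType) is assumed to live on the beta groups endpoint.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function Get-GroupWritebackState {
    # Walk every page of /beta/groups and report the writeback settings per group.
    $uri = 'https://graph.microsoft.com/beta/groups?$select=id,displayName,groupTypes,securityEnabled,writebackConfiguration'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($g in $page.value) {
            $kind = if ($g.groupTypes -contains 'Unified') { 'Microsoft 365' }
                    elseif ($g.securityEnabled) { 'Security' }
                    else { 'Other' }
            [pscustomobject]@{
                Id          = $g.id
                DisplayName = $g.displayName
                Kind        = $kind
                WritebackOn = $g.writebackConfiguration.isEnabled
                TargetType  = $g.writebackConfiguration.onPremisesGroupType
            }
        }
        $uri = $page.'@odata.nextLink'   # $null on the last page ends the loop
    }
}

function Set-GroupWriteback {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][bool]$Enabled,
        # Matches the table above: security groups only become UniversalSecurityGroup;
        # Microsoft 365 groups may also become UniversalDistributionGroup or
        # UniversalMailEnabledSecurityGroup.
        [ValidateSet('UniversalDistributionGroup', 'UniversalSecurityGroup', 'UniversalMailEnabledSecurityGroup')]
        [string]$OnPremisesGroupType = 'UniversalSecurityGroup'
    )
    $body = @{ writebackConfiguration = @{ isEnabled = $Enabled; onPremisesGroupType = $OnPremisesGroupType } }
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/groups/$GroupId" `
        -Body ($body | ConvertTo-Json -Depth 3) -ContentType 'application/json'
}

# Audit first: which groups are already flagged for writeback, and to which type?
Get-GroupWritebackState | Where-Object WritebackOn | Format-Table -AutoSize

# Example change (placeholder group id): write a cloud security group back as an AD security group.
Set-GroupWriteback -GroupId '00000000-0000-0000-0000-000000000000' -Enabled $true -OnPremisesGroupType 'UniversalSecurityGroup'
```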

Elevating the Group Administrator role to new heights

This also means that people with accounts that have the Group admin role can now manage group writeback, after a person with an account that has the Global administrator role or the Hybrid Identity administrator role assigned has enabled the Group writeback option in Azure AD Connect.

 

Why this matters

In some situations, the previous limitations held back organizations from embracing Group writeback.

Written back groups can be used to govern access

When a distribution group was the only group type that could be written back, the feature was merely useful for Exchange admins. Now that security groups can be written back, access lists in the on-premises environment can be filled with cloud groups. All the cloud goodness for groups (Dynamic groups, self-service group management, group expiration, Access Reviews and Access Packages come to mind) can now be used to govern access, both on-premises and in the cloud.

Fewer people may need the Global Administrator role

Now that the Group Administrator role gains some serious punch, it might help organizations who were held back by the role requirements to use Group writeback. In large and complex organizations, adhering to Microsoft’s recommendation for assigning merely five accounts to the Global Administrator role is hard. Having a useful Group Administrator role is a good change that surely adds to the adoption of role delegation in Azure AD.

No need to manage Azure AD Connect that much

Azure AD Connect is also not the easiest Microsoft product to fathom, so no longer needing to fiddle with it (and any other Staging Mode Azure AD Connect installations) to manage Group Writeback is a welcome change for most organizations.

 

What you need (to know)

These new features come with some caveats, though:

You’ll need Azure AD Connect v2.0.89.0, or above

To use the new Group writeback features, all Azure AD Connect installations in use by the organization need to run at least version 2.0.89.0 (released on December 22, 2022) and need to be configured with the Group writeback optional feature. This includes any Staging Mode servers.

Previously written back groups are exempt

If you were previously writing back Microsoft 365 groups, they will appear in the Azure portal as not enabled for writeback on both the Groups page and in the properties page for a group. This is to ensure backward compatibility with the previous version of Group writeback and to avoid breaking setups organizations may currently have.

Limited to one Organizational Unit on-premises

When enabling the Group writeback feature in Azure AD Connect, an Organizational Unit (OU) needs to be selected. There are no changes here. This means that all written back groups will be written back to one OU.

The feature needs to be enabled manually

To use the new Group writeback features, the GroupWritebackV2 feature needs to be enabled. For this, run the following line of Windows PowerShell from a server with Azure AD Connect installed:

Set-ADSyncAADCompanyFeature -GroupWritebackV2 $true

Then, perform a full synchronization cycle:

Start-ADSyncSyncCycle -PolicyType Initial

After you enable the feature, the new settings in the Azure portal become available.
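The version requirement and the two commands above fit together in one pre-flight script. This is an added example, not code from the original post or from Microsoft; it assumes the ADSync module (installed with Azure AD Connect), reads the installed version from the Windows uninstall registry entry, and assumes Get-ADSyncAADCompanyFeature exposes a GroupWritebackV2 boolean.

```powershell
# Added example, not from the original post: pre-flight checks before enabling
# GroupWritebackV2 on an Azure AD Connect server, followed by the two steps from the text.
# Assumptions: the ADSync module is present (installed with Azure AD Connect); the installed
# version is read from the Windows uninstall registry entry; the Get-ADSyncAADCompanyFeature
# output is assumed to carry a GroupWritebackV2 boolean.
Import-Module ADSync

$Required = [version]'2.0.89.0'   # minimum version named in the text

# Installed version of Azure AD Connect as registered in Programs and Features.
$Installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object DisplayName -like 'Microsoft Azure AD Connect*' |
    Select-Object -First 1 -ExpandProperty DisplayVersion

if (-not $Installed -or [version]$Installed -lt $Required) {
    throw "Azure AD Connect version '$Installed' found; $Required or later is required for GroupWritebackV2."
}

# Every installation, including Staging Mode servers, must meet the version and feature
# requirement, so report which kind of server this is before changing anything.
$scheduler = Get-ADSyncScheduler
$role = if ($scheduler.StagingModeEnabled) { 'Staging Mode' } else { 'Active' }
Write-Host "Azure AD Connect $Installed, server role: $role"

# Enable the tenant-level feature only if it is not already on.
$features = Get-ADSyncAADCompanyFeature
if ($features.GroupWritebackV2) {
    Write-Host 'GroupWritebackV2 is already enabled.'
} else {
    Set-ADSyncAADCompanyFeature -GroupWritebackV2 $true
    # A full (Initial) cycle is required after enabling, as the text states.
    Start-ADSyncSyncCycle -PolicyType Initial
}
```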

 

What this means

Available in Public Preview

These new Group writeback settings are available as public preview. As long as these settings are not generally available (GA), Microsoft might pull back the functionality. Some organizations have a policy to wait for GA for Azure (AD) functionality, specifically for this reason. Azure AD Baseline Conditional Access policies were a recent feature that got scrapped and folded into Security Defaults.

On the other hand, a lot of features have been in public preview for what seems like ages. OATH hardware tokens have been in public preview since October 2018, so at a certain point you may want to adopt certain public preview features anyway.

Active Directory may be reduced to a mere account store

When your organization decides to embrace this functionality, what it effectively embraces is Azure AD’s group functionality to manage Active Directory groups. It diminishes the value of any group provisioning and deprovisioning solutions in favor of Azure AD. It may reduce Active Directory further into just one of the account stores in your organization, but it might also remove some of the complexity that has been in networks for ages. If that doesn’t apply to your organization, at least the added flexibility is welcome.

On-premises group limits still apply

When writing back groups, keep in the back of your head that when a non-admin user account in Active Directory is a member of over 1015 groups, sign-ins fail because of a limit on the number of SIDs in the Kerberos token. With more groups written back, you might start to run into this issue. ENow Software's award-winning Active Directory monitoring and reporting solution offers built-in reports that allow admins to keep tabs on the number of groups a user account is a member of.
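A quick way to watch for this limit yourself is to count the SIDs the domain controller would put in a user's token. The following is an added example, not code from the original post or from ENow; it assumes a domain-joined Windows host with the ActiveDirectory RSAT module, and the search base and warning threshold are placeholders.

```powershell
# Added example, not from the original post: count the group SIDs that end up in a user's
# Kerberos token by reading the constructed tokenGroups attribute (it already includes
# nested groups), and flag accounts approaching the 1015-group limit discussed above.
# Assumptions: run on a domain-joined Windows host with the ActiveDirectory RSAT module;
# the search base and warning threshold are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=contoso,DC=com'   # placeholder OU
$WarnAt     = 900                             # constructed threshold below the hard limit
$HardLimit  = 1015                            # limit quoted in the text

function Get-TokenGroupCount {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # tokenGroups is computed by the DC on a base-scope read: the transitive set of
    # group SIDs for the account, including nested and cross-domain groups.
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.RefreshCache(@('tokenGroups'))
    # The real token also carries a few well-known SIDs, so this count is a lower bound.
    return @($entry.Properties['tokenGroups']).Count
}

function Get-TokenGroupReport {
    param([string]$Base = $SearchBase)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $Base | ForEach-Object {
        $count  = Get-TokenGroupCount -DistinguishedName $_.DistinguishedName
        $status = if ($count -gt $HardLimit) { 'OVER LIMIT' }
                  elseif ($count -ge $WarnAt) { 'WARNING' }
                  else { 'OK' }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            TokenGroups    = $count
            Status         = $status
        }
    }
}

# Show only the accounts that need attention, worst first.
Get-TokenGroupReport | Where-Object Status -ne 'OK' | Sort-Object TokenGroups -Descending | Format-Table -AutoSize
```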
