Group Provisioning to Active Directory
Group provisioning to AD is a Cloud Sync capability that writes security groups from Entra ID back to on-premises Active Directory. This is distinct from Connect Sync’s group writeback feature, and it is available exclusively in Cloud Sync.
This capability supports scenarios where Entra ID is the source of authority for group management, but on-premises applications still need AD security groups for access control (e.g., Kerberos-based apps).
What It Does
Cloud Sync can provision cloud-originated security groups to AD. When a security group is created or updated in Entra ID, Cloud Sync creates a corresponding group in a target OU in Active Directory and maintains its membership.
The key distinction is source of authority (SOA):
- Groups whose SOA is in the cloud are eligible for provisioning to AD.
- Groups whose SOA is on-premises (synced from AD to Entra ID) are not provisioned back - they are already managed on-premises.
- Only synced user members (users with an `onPremisesObjectIdentifier`) are included as group members in AD. Cloud-only users are skipped because they have no corresponding AD object.
Configuration
Prerequisites
- Cloud Sync provisioning agent version 1.1.1370.0 or later.
- A target OU in AD where groups will be created.
- Users who will be group members must already be synced between AD and Entra ID (either via Cloud Sync or Connect Sync) so they have the `onPremisesObjectIdentifier` attribute set.
Setup Steps
- In the Entra admin center, go to Cloud sync > New configuration.
- Select Microsoft Entra ID to AD sync (not AD to Entra ID).
- Choose your domain and select Create.
- Under Scoping filters, set Groups scope to Selected security groups. This is the recommended default to avoid performance issues.
- Configure the Target container - the OU where groups will be created. Three approaches:
  - Constant mapping: All groups go to the same OU (simplest).
  - Expression-based: Use a `Switch()` expression on `displayName` to route groups to different OUs.
  - Extension attribute: Use a custom extension attribute (`GroupDN`) to preserve the original OU path when re-provisioning converted SOA groups.
- Select Review and enable > Enable configuration.
Testing
Use on-demand provisioning to test before enabling the full configuration:
- Select Provision on demand.
- Enter the group name in Selected group.
- Select up to five member users to test.
- Select Provision and verify the group appears in AD.
Note: On-demand provisioning does not automatically provision all members. You select specific members to test, with a limit of five per request.
Source of Authority Behavior
Understanding SOA behavior is critical for group provisioning:
| Group SOA | User Member SOA | Provisioning Behavior |
|---|---|---|
| Cloud | On-premises | Group provisioned with all member references |
| Cloud | Cloud | Group provisioned, but no member references (cloud users have no AD object) |
| Cloud | Mixed | Group provisioned, only on-premises members included |
| Cloud | None (empty group) | Group provisioned as empty |
| On-premises | Any | Group not provisioned (already managed on-premises) |
SOA Conversion
When you convert a group’s SOA from on-premises to cloud, it becomes eligible for group provisioning to AD. Cloud Sync matches it to the existing AD group and updates it.
If you roll back the SOA conversion (back to on-premises), Cloud Sync stops syncing the group but does not delete it from AD. On-premises control resumes on the next sync cycle.
Multi-Forest Considerations
Group provisioning works in multi-forest environments, but with constraints:
- Groups provisioned to AD can only contain users whose `onPremisesObjectIdentifier` matches an `objectGUID` in the target AD forest.
- If a group contains users from multiple forests, only users that exist in each specific forest are provisioned as members when the group is written to that forest. Users from other forests are skipped.
- Each forest needs its own Cloud Sync agent and Entra ID to AD configuration.
Nested Groups
Cloud Sync handles nested group membership with specific rules:
| Parent Group SOA | Member Group SOA | Behavior |
|---|---|---|
| Entra ID security group | Entra ID security group | Parent provisioned with member group references |
| Entra ID security group | On-premises (synced) | Parent provisioned, synced member groups not included |
| Entra ID security group | On-premises with SOA converted to cloud | Parent provisioned with member group references |
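The following script is an added example, not Cloud Sync code: it models the rules in the two SOA tables, the multi-forest `objectGUID` matching rule and the `Switch()`-style target-container mapping as a dry run you can apply to a group before enabling a configuration. All users, GUIDs, group names and OUs are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_MEMBERS = 50_000  # groups larger than this are not supported for provisioning


@dataclass
class EntraUser:
    upn: str
    on_prem_id: Optional[str] = None  # onPremisesObjectIdentifier (AD objectGUID); None = cloud-only


@dataclass
class EntraGroup:
    display_name: str
    soa: str  # "cloud" or "onprem" (source of authority)
    users: list = field(default_factory=list)
    member_groups: list = field(default_factory=list)  # nested groups


def target_ou(display_name, routes, default_ou):
    """Models a Switch([displayName], default, key, value, ...) target-container mapping."""
    return routes.get(display_name, default_ou)


def plan_for_forest(group, forest_guids, routes, default_ou):
    """What one Entra ID to AD configuration would write for `group` into one forest.

    forest_guids: set of objectGUIDs present in that forest (what the agent can resolve).
    Returns {"skipped": reason} when the group is not provisioned at all.
    """
    if group.soa != "cloud":
        return {"skipped": "SOA is on-premises; group is already managed in AD"}
    if len(group.users) > MAX_MEMBERS:
        return {"skipped": f"more than {MAX_MEMBERS} members is not supported"}
    return {
        "ou": target_ou(group.display_name, routes, default_ou),
        # only members whose onPremisesObjectIdentifier resolves in this forest
        "members": [u.upn for u in group.users if u.on_prem_id in forest_guids],
        "skipped_members": [u.upn for u in group.users if u.on_prem_id not in forest_guids],
        # nested groups are referenced only when their own SOA is cloud
        "member_groups": [g.display_name for g in group.member_groups if g.soa == "cloud"],
    }


# Constructed sample data: two forests, one cloud-only user, one synced (on-prem SOA) nested group
FOREST_A = {"guid-alice", "guid-bob"}
FOREST_B = {"guid-carol"}
ALICE, BOB = EntraUser("alice@contoso.example", "guid-alice"), EntraUser("bob@contoso.example", "guid-bob")
CAROL, DAVE = EntraUser("carol@fabrikam.example", "guid-carol"), EntraUser("dave@contoso.example")
SYNCED = EntraGroup("Legacy-Admins", "onprem")
APP = EntraGroup("App-Kerberos-Users", "cloud", [ALICE, BOB, CAROL, DAVE], [SYNCED, EntraGroup("Converted", "cloud")])
ROUTES = {"App-Kerberos-Users": "OU=Apps,DC=contoso,DC=example"}
DEFAULT_OU = "OU=CloudGroups,DC=contoso,DC=example"

if __name__ == "__main__":
    print(plan_for_forest(APP, FOREST_A, ROUTES, DEFAULT_OU))
```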
Limitations and Gotchas
- Security groups only. Microsoft 365 groups and distribution groups are not supported for provisioning to AD.
- 50,000 member limit. Groups with more than 50,000 members are not supported.
- Cloud-only users skipped. Members without `onPremisesObjectIdentifier` are silently excluded from the AD group.
- Scoping recommendation. Always use Selected security groups scoping to avoid performance issues with large numbers of groups.
- On-demand provisioning member limit. Testing is limited to five members per on-demand request.
- No user provisioning to AD. Cloud Sync can provision groups to AD, but not individual users. User provisioning to AD is not currently supported.
- AdminDescription and CN updates. When Cloud Sync provisions a group, it may update the `adminDescription` and `cn` attributes in AD. Be aware of this if you have processes that depend on these attributes.
Migrating from Connect Sync Group Writeback
If you are currently using Connect Sync’s group writeback V2 feature, you can migrate to Cloud Sync’s group provisioning. The process involves:
- Disabling group writeback in Connect Sync.
- Configuring group provisioning in Cloud Sync.
- Converting the SOA of the affected groups to cloud.
See the Microsoft migration guide for detailed steps.
Related Topics
- Cloud Sync architecture - how the agent and cloud service work together
- Connect Sync vs Cloud Sync - feature comparison including group capabilities