Setting up group writeback within entitlement management

This article shows you how to set up group writeback in entitlement management. Group writeback is a feature that allows you to write cloud groups back to your on-premises Active Directory instance by using Microsoft Entra Connect Sync.

Set up group writeback in entitlement management

To set up group writeback for Microsoft 365 groups in access packages, you must complete the following prerequisites:

  • Set up group writeback in the Microsoft Entra admin center.
  • Configure the Organizational Unit (OU) that group writeback will use in the Microsoft Entra Connect configuration.
  • Complete the group writeback enablement steps for Microsoft Entra Connect.

Using group writeback, you can now sync security groups that are part of access packages to on-premises Active Directory. To sync the groups, follow these steps:

  1. Create a Microsoft Entra security group.

  2. Set the group to be written back to on-premises Active Directory. For instructions, see Group writeback in the Microsoft Entra admin center.

  3. Add the group to an access package as a resource role. See Create a new access package for guidance.

  4. Assign the user to the access package. See View, add, and remove assignments for an access package for instructions to directly assign a user.

  5. After you've assigned a user to the access package, confirm that the user is now a member of the on-premises group once the Microsoft Entra Connect Sync cycle completes, by doing either of the following:

    1. View the member attribute of the group in the on-premises OU.
    2. Review the memberOf attribute on the user object.

Note

Microsoft Entra Connect's default sync cycle schedule is every 30 minutes. You may need to wait until the next cycle occurs to see results on-premises or choose to run the sync cycle manually to see results sooner.

  6. In your AD domain monitoring, allow only the gMSA account that runs the provisioning agent to have authorization to change the membership of the new AD group.
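The following PowerShell script is an added example (not code from the Microsoft Learn article) that covers the verification in step 5 and the permission check in step 6 for one written-back group. It assumes the ActiveDirectory module is available, that the optional delta sync is run on the Microsoft Entra Connect server (ADSync module), and that the group name, user name and gMSA name are placeholders you replace with your own. `bf9679c0-0de6-11d0-a285-00aa003049e2` is the schemaIDGUID of the `member` attribute in Active Directory.

```powershell
# Added example, not part of the original article: verify group writeback
# for one group and list who is allowed to change its membership.
param(
    [string]$GroupName   = 'AP-Finance-Readers',      # placeholder: group written back from the access package
    [string]$UserSam     = 'jdoe',                    # placeholder: user assigned to the access package
    [string]$GmsaAccount = 'CONTOSO\provAgentgMSA$',  # placeholder: gMSA that runs the provisioning agent
    [switch]$RunDeltaSync                              # trigger a sync instead of waiting for the 30-minute cycle
)

Import-Module ActiveDirectory

# Optional: start a delta sync cycle now (run on the Microsoft Entra Connect server).
if ($RunDeltaSync) {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Write-Host 'Delta sync started; re-run this script without -RunDeltaSync once it completes.'
    return
}

# Step 5a: read the group's member attribute in the on-premises OU.
$group = Get-ADGroup -Identity $GroupName -Properties member
# Step 5b: the same membership seen from the user's memberOf back-link attribute.
$user  = Get-ADUser  -Identity $UserSam  -Properties memberOf

[pscustomobject]@{
    Group          = $group.DistinguishedName
    User           = $user.DistinguishedName
    InGroupMember  = ($group.member  -contains $user.DistinguishedName)
    InUserMemberOf = ($user.memberOf -contains $group.DistinguishedName)
} | Format-List

# Step 6 check: which trustees hold WriteProperty on the 'member' attribute
# (or on all properties, signalled by an empty ObjectType GUID)?
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeProperty  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl = Get-Acl -Path ('AD:\' + $group.DistinguishedName)

$writers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.ActiveDirectoryRights -band $writeProperty) -ne 0) -and
    ($_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq [guid]::Empty)
} | Select-Object IdentityReference, IsInherited, ObjectType

Write-Host "Trustees allowed to change membership of ${GroupName}:"
$writers | Format-Table -AutoSize

# Anything other than the gMSA that can write 'member' deserves a second look.
$unexpected = $writers | Where-Object { $_.IdentityReference.Value -ne $GmsaAccount }
if ($unexpected) {
    Write-Warning 'Accounts other than the provisioning gMSA can modify membership; review these ACEs (inherited ones must be changed on the OU or by blocking inheritance).'
}
```

Run the script once with `-RunDeltaSync` if you do not want to wait for the next scheduled cycle, then again without it to read the membership. Built-in trustees such as Domain Admins and SYSTEM normally appear in the writer list through inherited GenericAll rights; the point of the listing is to spot any additional account or group that has been granted write access to `member` on the written-back group.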

Next steps