Change Source of Authority for AD synced security groups to implement Entitlement Management

Patrik Jonsson
October 27, 2025
SOA, Entitlement Management, Group migration

Changing SoA for synced AD groups was recently made available as a public preview feature in Entra ID. In a previous blog post, I demonstrated how this can be used to move your management of these groups to Entra ID from Active Directory, minimizing your footprint on premises.

After having read a fairly recent blog post on how you could re-create the groups in Entra ID and their membership by creating access packages and scripting in the assignments, I decided to propose an easier approach.

Once SoA is changed for the relevant groups, they are immediately manageable in Entra ID and can be added to access packages as well.

Existing membership is maintained, although those members will not be automatically managed by any access package.

How you do it

  1. Identify the AD-synced groups that you want to manage in access packages.

  2. Create your access packages and request policies, but don't add any resources, in this case security groups, to them. It is a good idea to make them disabled at this stage.

  3. Switch Source of Authority for the groups, making them cloud managed.

  4. Since the groups can now be managed in Entra ID, they can be added to the access packages. All previous members will remain, but the membership is not managed by the access package.
    If necessary, you can create a script that adds each member to the access package as well to make sure that all assignments are up to date.

  5. Either remove the groups from Active Directory, or implement group writeback using Entra Cloud Sync, reversing the previous sync.
    In this case, membership is managed in Entra ID, but can be utilized in AD, by re-using the existing groups in AD.
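
The script mentioned in step 4 could look like the following with the Microsoft Graph PowerShell SDK. This is an added example, not the author's script; the group, access package and policy IDs are placeholders, it covers direct user members only, and it defaults to a dry run so the list can be reviewed before any assignment is created.

```powershell
# Added example: backfill access package assignments for current group members.
# The three IDs are placeholders (assumptions); replace them with your own values.
$GroupId         = '<group-object-id>'
$AccessPackageId = '<access-package-id>'
$PolicyId        = '<assignment-policy-id>'
$DryRun          = $true   # review the output first, then set to $false

Connect-MgGraph -Scopes 'GroupMember.Read.All', 'EntitlementManagement.ReadWrite.All'

# Object IDs of users who already hold a delivered assignment for this package.
$assigned = @(Get-MgEntitlementManagementAssignment -All -ExpandProperty target `
        -Filter "accessPackage/id eq '$AccessPackageId'" |
    Where-Object { $_.State -eq 'Delivered' } |
    ForEach-Object { $_.Target.ObjectId })

# Direct members of the group; this script only handles user objects.
$users = @(Get-MgGroupMember -GroupId $GroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })

foreach ($user in $users) {
    if ($assigned -contains $user.Id) { continue }   # already managed by the package
    if ($DryRun) {
        Write-Output "Would assign $($user.Id)"
        continue
    }
    # Admin direct assignment request, one per missing member.
    $body = @{
        requestType = 'adminAdd'
        assignment  = @{
            targetId           = $user.Id
            assignmentPolicyId = $PolicyId
            accessPackageId    = $AccessPackageId
        }
    }
    try {
        $req = New-MgEntitlementManagementAssignmentRequest -BodyParameter $body -ErrorAction Stop
        Write-Output "Requested assignment for $($user.Id): request $($req.Id)"
    }
    catch {
        Write-Warning "Failed for $($user.Id): $($_.Exception.Message)"
    }
}
```

Members skipped by the user filter (nested groups, devices, service principals) keep their group membership but stay outside the access package's lifecycle, so review them separately.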

Summary

There are several benefits to changing SoA for groups, and the option to migrate to Entitlement Management is one of the most important.
