Changing Source of Authority for groups

The feature to change Source of Authority (SOA) for AD groups synced to Entra ID is currently in public preview. It is very useful for organizations on their cloud-first journey, as it makes it easy to transition existing Active Directory groups to being managed in Entra ID.
It is especially useful if you are implementing Entitlement Management, because synced AD groups cannot be used there. Although Entitlement Management offers solutions that in many circumstances make security groups redundant, it takes less effort to simply re-use existing groups that are already in use.
Change SOA
Making the switch is just a flip of an attribute on the group using the Graph beta endpoint. By setting isCloudManaged to true on a synced group, it is immediately managed in Entra ID.
Make sure your token has the Group-OnPremisesSyncBehavior.ReadWrite.All scope, as it is required.
You can use Graph Explorer to update an individual group. Replace {ID} with the Object Id of a synced group. You can change it back by setting the value to false.
PATCH https://graph.microsoft.com/beta/groups/{ID}/onPremisesSyncBehavior
{
"isCloudManaged": true
}
If you would rather use PowerShell (Microsoft Graph PowerShell SDK):
# Sign in with the scope the endpoint requires
Connect-MgGraph -Scopes "Group-OnPremisesSyncBehavior.ReadWrite.All"
$groupId = "{ID}"
$url = "https://graph.microsoft.com/beta/groups/$groupId/onPremisesSyncBehavior"
# isCloudManaged is a boolean in the request body; use $true, not the string "true"
$body = @{
    isCloudManaged = $true
} | ConvertTo-Json
Invoke-MgGraphRequest `
    -Method PATCH `
    -Uri $url `
    -Body $body `
    -ContentType "application/json"
Even if the group is still in scope for Entra Connect or Entra Cloud Sync, it will no longer synchronize from Active Directory to Entra ID.
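To do this for several groups with a sanity check on each side of the change, here is an added PowerShell example (my own code, not from the original post or from Microsoft): it verifies that the group is actually a synced group before touching it, flips isCloudManaged, and then reads the attribute back instead of trusting the empty response. It assumes the Microsoft Graph PowerShell SDK is installed and that the beta onPremisesSyncBehavior endpoint supports GET as well as PATCH, as the linked documentation describes; the group Id in the usage call is a constructed placeholder.

```powershell
# Added example: change Source of Authority for a list of synced groups,
# with a pre-flight check and a read-back verification. Not the post's own code.
# Assumes Microsoft.Graph PowerShell SDK; the GroupIds below are placeholders.

Connect-MgGraph -Scopes "Group-OnPremisesSyncBehavior.ReadWrite.All", "Group.Read.All"

function Set-GroupSourceOfAuthority {
    param(
        [Parameter(Mandatory)][string[]]$GroupIds,
        [bool]$CloudManaged = $true      # $false rolls the change back
    )

    foreach ($groupId in $GroupIds) {
        $groupUri = "https://graph.microsoft.com/beta/groups/$groupId" +
                    '?$select=id,displayName,onPremisesSyncEnabled'
        $soaUri   = "https://graph.microsoft.com/beta/groups/$groupId/onPremisesSyncBehavior"

        # Pre-flight: only groups that were synced from AD are candidates for SOA change.
        $group = Invoke-MgGraphRequest -Method GET -Uri $groupUri
        if ($CloudManaged -and $group.onPremisesSyncEnabled -ne $true) {
            Write-Warning "$($group.displayName) ($groupId) is not a synced group; skipping."
            continue
        }

        $before = Invoke-MgGraphRequest -Method GET -Uri $soaUri
        if ($before.isCloudManaged -eq $CloudManaged) {
            Write-Host "$($group.displayName): isCloudManaged is already $CloudManaged, nothing to do."
            continue
        }

        # isCloudManaged is a boolean in the body, not the string "true".
        $body = @{ isCloudManaged = $CloudManaged } | ConvertTo-Json
        Invoke-MgGraphRequest -Method PATCH -Uri $soaUri -Body $body -ContentType "application/json"

        # Verify by reading the attribute back rather than trusting the 204 No Content.
        $after = Invoke-MgGraphRequest -Method GET -Uri $soaUri
        if ($after.isCloudManaged -ne $CloudManaged) {
            throw "SOA change for $($group.displayName) ($groupId) did not apply."
        }
        Write-Host "$($group.displayName): isCloudManaged $($before.isCloudManaged) -> $($after.isCloudManaged)"
    }
}

# Constructed placeholder Id; replace with the Object Ids of your synced groups.
Set-GroupSourceOfAuthority -GroupIds @("00000000-0000-0000-0000-000000000001")

# Roll the same group back to AD-managed if needed:
# Set-GroupSourceOfAuthority -GroupIds @("00000000-0000-0000-0000-000000000001") -CloudManaged $false
```

The pre-flight check is skipped on rollback, since a group that has already been moved to cloud management is no longer reported as synced. Run it against one test group first and confirm in the Entra portal that the group is now editable before running it across a list.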
What to do next?
When you change SOA, you should have a plan for what to do with the group in Active Directory. The two objects will no longer be in sync: changes made in Entra ID are not synced to Active Directory, and vice versa.
Remove the group in AD
This is the easiest option. As long as the group does not serve a function in Active Directory, you can simply remove it.
I don't recommend keeping the group unless you plan to sync it from Entra ID back to AD, as a stale copy with diverging membership is likely to cause confusion.
Sync the group from Entra ID back to AD
If you plan to keep the group in Active Directory, I recommend that you configure group writeback in Entra Cloud Sync to keep the membership in sync.
NOTE! Only hybrid (synced) account members can be written back from Entra ID to Active Directory; cloud-only members are not written back.
Group write-back is usually configured to sync to one or a few specified OUs. You must move the AD group to an OU specified in the group write-back configuration, otherwise you will end up with a new, duplicated group.
As long as the OU is in scope, Entra Cloud Sync will automatically identify the matching group based on the ObjectId -> msDS-ExternalDirectoryObjectId mapping.
NOTE! Depending on the writeback configuration, cn, displayName and other attributes may be updated in Active Directory on synchronization. Test the outcome carefully on a non-critical group and make the necessary configuration changes before enabling it widely.
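Because only hybrid members are written back (see the NOTE above), it is worth knowing up front which members of a group would silently be left out of the AD copy. The following is an added PowerShell example of that check (my own code, not from the original post or from Microsoft): it pages through the user members of a group and separates hybrid from cloud-only accounts. It assumes the Microsoft Graph PowerShell SDK with Group.Read.All and User.Read.All scopes; the group Id is a constructed placeholder.

```powershell
# Added example: report which members of a group will NOT be written back to AD
# because they are cloud-only (onPremisesSyncEnabled is not true). Not the post's own code.
# Assumes Microsoft.Graph PowerShell SDK; the GroupId in the usage call is a placeholder.

Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

function Get-NonWritebackMembers {
    param([Parameter(Mandatory)][string]$GroupId)

    # The microsoft.graph.user cast lets $select ask for onPremisesSyncEnabled.
    # Nested groups, devices and service principals are not returned by this cast,
    # so check those separately if the group contains them.
    $uri = "https://graph.microsoft.com/v1.0/groups/$GroupId/members/microsoft.graph.user" +
           '?$select=id,userPrincipalName,onPremisesSyncEnabled&$top=999'

    $cloudOnly = @()
    $hybrid = 0
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($m in $page.value) {
            if ($m.onPremisesSyncEnabled -eq $true) {
                $hybrid++
            } else {
                $cloudOnly += [pscustomobject]@{
                    Id                = $m.id
                    UserPrincipalName = $m.userPrincipalName
                }
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until there are no more pages
    }

    [pscustomobject]@{
        GroupId        = $GroupId
        HybridMembers  = $hybrid
        CloudOnlyCount = $cloudOnly.Count
        CloudOnly      = $cloudOnly
    }
}

# Constructed placeholder Id; replace with the Object Id of the group you plan to write back.
$report = Get-NonWritebackMembers -GroupId "00000000-0000-0000-0000-000000000001"
$report | Select-Object GroupId, HybridMembers, CloudOnlyCount
$report.CloudOnly | Format-Table
```

If CloudOnlyCount is non-zero, decide before enabling writeback whether those accounts need a hybrid identity or whether the AD copy of the group is acceptable without them.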
Links
- Microsoft Learn - Configure Group Source of Authority (SOA) (Preview)
- Microsoft Learn - Update onPremisesSyncBehavior
Summary
Group Source of Authority is a great way of transitioning to a cloud first or cloud only approach for groups.