Force Azure AD Connect to Connect Only to Specific Domain Controllers
Consider the following scenario: you are about to implement directory synchronization for Office...
Exchange admins have enjoyed the Group writeback optional feature in Azure AD Connect for a long time. It offers add-on functionality to Microsoft 365 Groups in Azure AD for organizations that use both Active Directory and Azure AD in a Hybrid Exchange setup.
When Group writeback is enabled, Microsoft 365 groups are written back to Active Directory as universal distribution groups. This way, people in your organization with mailboxes on on-premises implementations of Exchange Server 2013 Cumulative Update 8, Exchange Server 2016 Cumulative Update 1, and newer versions of Exchange Server, can send email messages to these groups and receive email messages from these groups.
From the get-go, group writeback had some limitations:
Some other limitations have been addressed since Azure AD Connect version 22.214.171.124 (released on December 15, 2021), like the ability to writeback groups with their displayName attributes as the name of the written back group instead of a GUID and the dropped requirement for the Exchange Server schema.
Now, Microsoft is removing even more of the above limitations, in Public Preview since July 1, 2022:
Admins can now write back groups with more flexibility. Microsoft 365 groups can be written back as distribution groups, security groups or mail-enabled security groups. Azure AD-based security groups can also now be written back, obviously only as security groups.
The below table show the opportunities:
|Azure AD||Active Directory|
|Microsoft 365 Groups||Universal distribution|
|Universal mail-enabled security groups|
|Universal security groups|
|Security groups||Universal security groups|
Please note that all groups that are written back have the universal scope. This accommodates for organizations that synchronize multiple Active Directory forests to one Azure AD tenant.
Also, to write back the email components for distribution groups and/or mail-enabled security groups, an Exchange Server Hybrid setup needs to be available and Exchange Server needs to run Exchange Server 2016 cumulative update 15, or a newer version of Exchange Server.
For this purpose, two additional columns can be added to the view on the Groups page: Target writeback type and Writeback enabled. The Writeback enabled column allows admins to turn off the writeback capability per group. The Target writeback type column allows admins to specify to which group type they want the cloud group written back to. These properties also bring a corresponding new field in the properties page for a group: the Group writeback state field.
This also means, that persons with accounts with the Group admin role, can now manage group writeback, after a person with an account that has the Global administrator role or the Hybrid Identity administrator role assigned has enabled the Group writeback option in Azure AD Connect.
In some situations, the previous limitations held back organizations from embracing Group writeback.
When a distribution group was the only group that could be written back, it was merely useful for Exchange admins. Now, that security group can be written back, access lists in the on-premises environment can be filled with cloud groups. All the cloud goodness for groups – Dynamic groups, self-service group management, group expiration, Access Reviews and Access Packages come to mind – can now be used to govern access. Both on-premises and in the cloud.
Now that the Group Administrator role gains some serious punch, it might help organizations who were held back by the role requirements to use Group writeback. In large and complex organizations, adhering to Microsoft’s recommendation for assigning merely five accounts to the Global Administrator role is hard. Having a useful Group Administrator role is a good change that surely adds to the adoption of role delegation in Azure AD.
Azure AD Connect is also not the easiest Microsoft product to fathom, so no longer needing to fiddle with it (and any other Staging Mode Azure AD Connect installations) to manage Group Writeback is a welcome change for most organizations.
These new features come with some caveats, though:
To use the new Group writeback features, all Azure AD Connect installations in use by the organization need to run at least version 126.96.36.199 (released on December 22, 2022) and needs to be configured with the Group writeback optional feature. This includes any Staging Mode servers.
If you were previously writing back Microsoft 365 groups, they will appear in the Azure portal as not enabled for writeback on both the Groups page and in the properties page for a group. This is to ensure backward compatibility with the previous version of Group writeback and to avoid breaking setups organizations may currently have.
When enabling the Group writeback feature in Azure AD Connect, an Organizational Unit (OU) needs to be selected. There are no changes here. This means that all written back groups will be written back to one OU.
To use the new Group writeback features, the GroupWritebackV2 feature needs to be enabled. For this, run the following line of Windows PowerShell from a server with Azure AD Connect installed:
Set-ADSyncAADCompanyFeature -GroupWritebackV2 $true
Then, perform a full synchronization cycle:
Start-ADSyncSyncCycle -PolicyType Initial
After you enable the feature, the features in the Azure Portal become available.
These new Group writeback settings are available as public preview. As long as these settings are not generally available (GA), Microsoft might pull back the functionality. Some organizations have a policy to wait for GA for Azure (AD) functionality, specifically for this reason. Azure AD Baseline Conditional Access policies was a recent feature that got scrapped and folded into Security Defaults.
On the other hand, there are a lot of features that have been in public preview, for ages it seems. OATH hardware tokens have been in public preview since October 2018, so at a certain point you may want to adopt certain public preview features.
When your organization decides to embrace this functionality, what your organizations would effectively embrace is Azure AD’s group functionality to manage Active Directory groups. It diminishes the value of any group provisioning and deprovisioning solutions in favor of Azure AD. It may reduce Active Directory further into just one of the account stores in your organization, but it might also remove some of the complexity that has been in networks for ages. If that doesn’t apply to your organization, at least the added flexibility is welcome.
When writing back groups, it’s good to keep in the back of your head that when a non-admin user account in Active Directory is a member of over 1015 groups, sign-ins fail, because of a limit in the number of sIDs in the Kerberos token. You might start to run into this issue. ENow Software's award winning offers built-in reports that allow admins to keep tabs on the number of groups a user account is a member of.
Sander's qualities extend beyond the typical triple-A stories in the area of Identity and Access Management. Of course, authentication, authorization and auditing are necessities but my out of the box solutions get the most out of software, hardware and the cloud. Rapid technological advancements have resulted in cutting-edge solutions around Active Directory, Azure Active Directory and Identity Management. Keeping up with these is just a small challenge, compared to my true goal: helping people use the technology on a daily basis. In a way that ICT is not a mere hurdle, but an infinite enabler. His work as a consultant, blogger and trainer are all means to achieve this goal. His multiple Microsoft Most Valuable Professional (MVP) status, Veeam Vanguard status and extensive certification aids him. Through direct communications with the product teams in Redmond, he remains up to date, exchange feedback and accelerate support.