| title | description | author | manager | ms.service | ms.topic | ms.date | ms.subservice | ms.author |
|---|---|---|---|---|---|---|---|---|
Migrate Microsoft Entra Connect Sync group writeback V2 to Microsoft Entra Cloud Sync |
This article describes how to migrate groups that were initially set up of group writeback using Microsoft Entra Connect Sync to Microsoft Entra Cloud Sync |
billmath |
amycolannino |
entra-id |
how-to |
04/26/2024 |
hybrid-cloud-sync |
billmath |
[!INCLUDE deprecation]
The following document describes how to migrate group writeback using Microsoft Entra Connect Sync (formerly Azure AD Connect) to Microsoft Entra Cloud Sync. This scenario is only for customers who are currently using Microsoft Entra Connect group writeback v2. The process outlined in this document pertains only to cloud-created security groups that are written back with a universal scope. Mail-enabled groups and DLs written back using Microsoft Entra Connect group writeback V1 or V2 aren't supported.
Important
This scenario is only for customers who are currently using Microsoft Entra Connect group writeback v2
Also, this scenario is only supported for:
- cloud created Security groups
- these groups are written back with the AD groups scope of universal.
Mail-enabled groups and DLs written back using Microsoft Entra Connect group writeback V1 or V2 aren't supported.
For more information, see the Provisioning to Active Directory with Microsoft Entra Cloud Sync FAQ.
The following prerequisites are required to implement this scenario.
- Microsoft Entra account with at least a Hybrid Administrator role.
- An on-premises AD account with at least domain administrator permissions - required to access the adminDescription attribute and copy it to the msDS-ExternalDirectoryObjectId attribute
- On-premises Active Directory Domain Services environment with Windows Server 2016 operating system or later.
- Required for AD Schema attribute - msDS-ExternalDirectoryObjectId
- Provisioning agent with build version 1.1.1367.0 or later.
- The provisioning agent must be able to communicate with the domain controller(s) on ports TCP/389 (LDAP) and TCP/3268 (Global Catalog).
- Required for global catalog lookup to filter out invalid membership references
-
In your on-premises environment, open ADSI Edit.
-
Copy the value that it in the group's adminDescription attribute
:::image type="content" source="media/migrate-group-writeback/migrate-1.png" alt-text="Screenshot of the adminDescription attribute." lightbox="media/migrate-group-writeback/migrate-1.png":::
-
Paste in to the msDS-ExternalDirectoryObjectID attribute
:::image type="content" source="media/migrate-group-writeback/migrate-2.png" alt-text="Screenshot of the msDS-ExternalDirectoryObjectID attribute." lightbox="media/migrate-group-writeback/migrate-2.png":::
Step 2 - Place the Microsoft Entra Connect Sync server in staging mode and disable the sync scheduler
-
Start the Microsoft Entra Connect Sync wizard
-
Click Configure
-
Select Configure staging mode and click Next
-
Enter Microsoft Entra credentials
-
Place a check in the Enable staging mode box and click Next
:::image type="content" source="media/migrate-group-writeback/migrate-3.png" alt-text="Screenshot of enabling staging mode." lightbox="media/migrate-group-writeback/migrate-3.png":::
-
Click Configure
-
Click Exit
:::image type="content" source="media/migrate-group-writeback/migrate-4.png" alt-text="Screenshot of staging mode success." lightbox="media/migrate-group-writeback/migrate-4.png":::
-
On your Microsoft Entra Connect server, open a PowerShell prompt as an administrator.
-
Disable the sync scheduler:
Set-ADSyncScheduler -SyncCycleEnabled $false
In the Microsoft Entra Connect Synchronization Rules editor, you need to create an inbound sync rule that filters out groups that have NULL for the mail attribute. The inbound sync rule is a join rule with a target attribute of cloudNoFlow. This rule tells Microsoft Entra Connect not to synchronize attributes for these groups.
-
Launch the synchronization editor from the application menu in desktop as shown below:
-
Select Inbound from the drop-down list for Direction and select Add new rule.
-
On the Description page, enter the following and select Next:
-
Name: Give the rule a meaningful name
-
Description: Add a meaningful description
-
Connected System: Choose the Microsoft Entra connector that you're writing the custom sync rule for
-
Connected System Object Type: Group
-
Metaverse Object Type: Group
-
Link Type: Join
-
Precedence: Provide a value that is unique in the system
-
Tag: Leave empty
:::image type="content" source="media/migrate-group-writeback/migrate-5.png" alt-text="Screenshot of inbound sync rule." lightbox="media/migrate-group-writeback/migrate-5.png":::
-
-
On the Scoping filter page, Add the following and then select Next.
Attribute Operator Value cloudMastered EQUAL true mail ISNULL :::image type="content" source="media/migrate-group-writeback/migrate-6.png" alt-text="Screenshot of scoping filter." lightbox="media/migrate-group-writeback/migrate-6.png":::
-
On the Join rules page, select Next.
-
On the Transformations page, add a Constant transformation: flow True to cloudNoFlow attribute. Select Add.
:::image type="content" source="media/migrate-group-writeback/migrate-7.png" alt-text="Screenshot of transformation." lightbox="media/migrate-group-writeback/migrate-7.png":::
You'll also need an outbound sync rule with a link type of JoinNoFlow and the scoping filter that has the cloudNoFlow attribute set to True. This rule tells Microsoft Entra Connect not to synchronize attributes for these groups.
-
Select Outbound from the drop-down list for Direction and select Add rule.
-
On the Description page, enter the following and select Next:
- Name: Give the rule a meaningful name
- Description: Add a meaningful description
- Connected System: Choose the AD connector that you're writing the custom sync rule for
- Connected System Object Type: Group
- Metaverse Object Type: Group
- Link Type: JoinNoFlow
- Precedence: Provide a value that is unique in the system
- Tag: Leave empty
:::image type="content" source="media/migrate-group-writeback/migrate-8.png" alt-text="Screenshot of outbound sync rule." lightbox="media/migrate-group-writeback/migrate-8.png":::
-
On the Scoping filter page, choose cloudNoFlow equal True. Then select Next.
:::image type="content" source="media/migrate-group-writeback/migrate-9.png" alt-text="Screenshot of outbound scoping filter." lightbox="media/migrate-group-writeback/migrate-9.png":::
-
On the Join rules page, select Next.
-
On the Transformations page, select Add.
-
On your Microsoft Entra Connect server, open a PowerShell prompt as an administrator.
-
Import the ADSync module:
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\Tools\ADSyncTools.psm1'
-
Run a full sync cycle:
Start-ADSyncSyncCycle -PolicyType Initial
-
Disable the group writeback feature for the tenant:
Set-ADSyncAADCompanyFeature -GroupWritebackV2 $false
-
Run a full sync cycle (yes again):
Start-ADSyncSyncCycle -PolicyType Initial
-
Re-enable the sync scheduler:
Set-ADSyncScheduler -SyncCycleEnabled $true
:::image type="content" source="media/migrate-group-writeback/migrate-11.png" alt-text="Screenshot of PowerShell execution." lightbox="media/migrate-group-writeback/migrate-11.png":::
- Start the Microsoft Entra Connect Sync wizard
- Click Configure
- Select Configure staging mode and click Next
- Enter Microsoft Entra credentials
- Remove the check from the Enable staging mode box and click Next
- Click Configure
- Click Exit
Now that you have successfully removed the groups from the scope of Microsoft Entra Connect Sync, you can set up and configure Microsoft Entra Cloud Sync to take over synchronization. See Provision groups to Active Directory using Microsoft Entra Cloud Sync.