Edit

Share via

Tutorial - Provision groups to Active Directory Domain Services by using Microsoft Entra Cloud Sync

This tutorial walks you through how to configure Cloud Sync to sync groups to on-premises Active Directory Domain Services (AD DS).

Important

We recommend using Selected security groups as the default scoping filter when you configure group provisioning to AD DS. This default scoping filter helps prevent any performance issues when you provision groups.

Provision Microsoft Entra ID to Active Directory Domain Services - Prerequisites

The following prerequisites are required to implement provisioning groups to Active Directory Domain Services (AD DS).

License requirements

Using this feature requires Microsoft Entra ID P1 licenses. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.

General requirements

  • Microsoft Entra account with at least a Hybrid Identity Administrator role.
  • On-premises AD DS schema with the msDS-ExternalDirectoryObjectId attribute, which is available in Windows Server 2016 and later.
  • Provisioning agent with build version 1.1.3730.0 or later.

Note

The permissions to the service account are assigned during clean install only. If you're upgrading from the previous version, then permissions need to be assigned manually by using PowerShell:

$credential = Get-Credential  

Set-AAD DSCloudSyncPermissions -PermissionType UserGroupCreateDelete -TargetDomain "FQDN of domain" -EACredential $credential

If the permissions are set manually, you need to assign Read, Write, Create, and Delete all properties for all descendant Groups and User objects.

These permissions aren't applied to AdminSDHolder objects by default. For more information, see Microsoft Entra provisioning agent gMSA PowerShell cmdlets.

  • The provisioning agent must be installed on a server that runs Windows Server 2022, Windows Server 2019, or Windows Server 2016.
  • The provisioning agent must be able to communicate with one or more domain controllers on ports TCP/389 (LDAP) and TCP/3268 (Global Catalog).
    • Required for Global Catalog lookup to filter out invalid membership references
  • Microsoft Entra Connect Sync with build version 2.22.8.0
    • Required to support on-premises user membership synchronized using Microsoft Entra Connect Sync
    • Required to synchronize AD DS:user:objectGUID to AAD DS:user:onPremisesObjectIdentifier

Scale limits for Provisioning groups to Active Directory

Group Provision to Active Directory feature's performance is impacted by the size of the tenant and the number of groups and memberships that are in scope for provisioning to Active Directory. This section provides guidance on how to determine if GPAD supports your scale requirement and how to pick the right group scoping mode to achieve quicker initial and delta sync cycles.

What is not supported?

  • Groups that are larger than 50K members aren't supported.
  • The use of "All security groups" scoping without applying attribute scope filtering is not supported.

Scale limits

Scoping Mode Number of in-scope groups Number of membership links (Direct members only) Notes
"Selected security groups" mode Up to 10K groups. The CloudSync pane in Microsoft Entra portal only allows selecting up to 999 groups as well as displaying up to 999 groups. If you need to add more than 1000 groups into scope, see: Expanded group selection via API. Up to 250K total members across all the groups in scope. Use this scoping mode if your tenant exceeds ANY of these limits
1. Tenant has more than 200k users
2. Tenant has more than 40K groups
3. Tenant has more than 1M group memberships.
“All Security groups” mode with at least one attribute scoping filter. Up to 20K groups. Up to 500K total members across all the groups in scope. Use this scoping mode if your tenant satisfies ALL the below limits:
1. Tenant has less than 200k users
2. Tenant has less than 40K groups
3. Tenant has more than 1M group memberships.

What to do if you exceed limits

Exceeding the recommended limits will slow initial and delta sync, possibly causing sync errors. If this happens, follow these steps:

Too many groups or group members in ‘Selected security groups’ scoping mode:

Reduce the number of in-scope groups (target higher value groups), or split provisioning into multiple, distinct jobs with disjoint scopes.

Too many groups or group members in ‘All security groups’ scoping mode:

Use Selected security groups scoping mode as recommended.

Some group exceeds 50K members:

Split membership across multiple groups or adopt staged groups (for example, by region or business unit) to keep each group under the cap.

Expanded group selection via API

If you need to select more than 999 groups, you must use the Grant an appRoleAssignment for a service principal API call.

An example of the API calls is as follows:

POST https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalID}/appRoleAssignedTo
Content-Type: application/json

{
  "principalId": "",
  "resourceId": "",
  "appRoleId": ""
}

where:

  • principalId: Group object ID.
  • resourceId: Job's service principal ID.
  • appRoleId: Identifier of app role exposed by the resource service principal.

The following table is a list of App Role IDs for Clouds:

Cloud appRoleId
Public 1a0abf4d-b9fa-4512-a3a2-51ee82c6fd9f
AzureUSGovernment d8fa317e-0713-4930-91d8-1dbeb150978f
AzureUSNatCloud 50a55e47-aae2-425c-8dcb-ed711147a39f
AzureUSSecCloud 52e862b9-0b95-43fe-9340-54f51248314f

More information

Here are more points to consider when you provision groups to AD DS.

  • Groups provisioned to AD DS using Cloud Sync can only contain on-premises synchronized users or other cloud-created security groups.
  • These users must have the onPremisesObjectIdentifier attribute set on their account.
  • The onPremisesObjectIdentifier must match a corresponding objectGUID in the target AD DS environment.
  • An on-premises user objectGUID attribute can be synchronized to a cloud user onPremisesObjectIdentifier attribute by using either sync client.
  • Only global Microsoft Entra ID tenants can provision from Microsoft Entra ID to AD DS. Tenants such as B2C aren't supported.
  • The group provisioning job is scheduled to run every 20 minutes.

Group and User SOA Scenarios

Use case Parent group type User member group type Sync Direction How sync works
A security group whose SOA is in cloud and all user members have SOA on-premises Security group whose SOA is in cloud Users whose SOA is on-premises Entra to AD (AAD2ADGroup provisioning) The job provisions the parent group with all its member references (member users).
A security group whose SOA is in cloud and all user members have SOA in cloud Security group whose SOA is in cloud Users whose SOA is in cloud Entra to AD (AAD2ADGroup provisioning) The job provisions the security group but does not provision any member references.
A security group whose SOA is in cloud and some user members have SOA in cloud while others have SOA on-premises Security group whose SOA is in cloud Some users have SOA in cloud while some have SOA on-premises Entra to AD (AAD2ADGroup provisioning) The job provisions the security group and includes only member references whose SOA is on-premises. It skips member references whose SOA is in cloud.
A security group whose SOA is in cloud and has no user members Security group whose SOA is in cloud No user members Entra to AD (AAD2ADGroup provisioning) The job provisions the security group (empty membership).
A security group whose SOA is in on-premises and all user members have SOA on-premises Security group whose SOA is on-premises Users whose SOA is on-premises Entra to AD (AAD2ADGroup provisioning) The job does not provision the security group.
A security group whose SOA is in on-premises and all user members have SOA in cloud Security group whose SOA is on-premises Users whose SOA is in cloud Entra to AD (AAD2ADGroup provisioning) The job does not provision the security group.
A security group whose SOA is in on-premises and some user members have SOA in cloud while others have SOA on-premises Security group whose SOA is on-premises Some users have SOA in cloud while some have SOA on-premises Entra to AD (AAD2ADGroup provisioning) The job does not provision the security group.
A security group whose SOA is in on-premises and all user members have SOA on-premises Security group whose SOA is on-premises Users whose SOA is on-premises AD to Entra (AD2AADprovisioning) The job provisions the security group with all its member references (member users).
A security group whose SOA is in on-premises and all user members have SOA in cloud Security group whose SOA is on-premises Users whose SOA is in cloud AD to Entra (AD2AADprovisioning) The job provisions the security group with all its member references (member users). So member references whose SOA is converted to cloud for these on-prem groups will also be synced.
A security group whose SOA is in on-premises and some user members have SOA in cloud while others have SOA on-premises Security group whose SOA is on-premises Some users have SOA in cloud while some have SOA on-premises AD to Entra (AD2AADprovisioning) The job provisions the parent group with all its member references (member users). So member references whose SOA is converted to cloud for these on-prem groups will also be synced.
A security group whose SOA is in on-premises and has no user members Security group whose SOA is on-premises No user members AD to Entra (AD2AADprovisioning) The job provisions the security group (empty membership).
A security group whose SOA is in cloud and all user members have SOA on-premises Security group whose SOA is cloud Users whose SOA is on-premises AD to Entra (AD2AADprovisioning) The job does not provision the security group.
A security group whose SOA is in cloud and all user members have SOA in cloud Security group whose SOA is cloud Users whose SOA is in cloud AD to Entra (AD2AADprovisioning) The job does not provision the security group.
A security group whose SOA is in cloud and some user members have SOA in cloud while others have SOA on-premises Security group whose SOA is cloud Some users have SOA in cloud while some have SOA on-premises AD to Entra (AD2AADprovisioning) The job does not provision the security group.

Assumptions

This tutorial assumes:

  • You have an AD DS on-premises environment

  • You have cloud sync setup to synchronize users to Microsoft Entra ID.

  • You have two users that are synchronized: Britta Simon and Lola Jacobson. These users exist on-premises and in Microsoft Entra ID.

  • An organizational unit (OU) is created in AD DS for each of the following departments:

    Display name Distinguished name
    Groups OU=Marketing,DC=contoso,DC=com
    Sales OU=Sales,DC=contoso,DC=com
    Marketing OU=Groups,DC=contoso,DC=com

Add users to cloud-native or Source of Authority (SOA) converted security groups

To add synced users, follow these steps:

Note

Only synced user member references are provisioned to AD DS.

  1. Sign in to the Microsoft Entra admin center as at least a Hybrid Identity Administrator.
  2. Browse to Entra ID > Groups > All groups.
  3. At the top, in the search box, enter Sales.
  4. Select the new Sales group.
  5. On the left, select Members.
  6. At the top, select Add members.
  7. At the top, in the search box, enter Britta Simon.
  8. Put a check next to Britta Simon and select Select.
  9. It should successfully add the user to the group.
  10. On the far left, select All groups. Repeat this process by using the Sales group, and add Lola Jacobson to that group.

Prepare SOA converted groups for provisioning to their original organizational unit (OU) path

Complete these steps to prepare groups that you plan to convert to be cloud-managed for provisioning from Microsoft Entra ID back to their original OU path in Active Directory Domain Services (AD DS) on-premises:

  1. Change the AD DS group scope to Universal.
  2. Create a special application.
  3. Create the directory extension property for groups.

Change the group scope for the AD DS groups to Universal

  1. Open Active Directory Administrative Center.
  2. Right-click a group, click Properties.
  3. In the Group section, select Universal as the group scope.
  4. Click Save.

Create the extension

Cloud Sync only supports extensions created on a special application called CloudSyncCustomExtensionsApp. If the app doesn't exist in your tenant, you must create it. This step is performed once per tenant.

For more information about how to create the extension, see Cloud sync directory extensions and custom attribute mapping.

  1. Open an elevated PowerShell window and run the following commands to install modules and connect:

    Install-Module Microsoft.Graph -Scope CurrentUser -Force 
Connect-MgGraph -Scopes "Application.ReadWrite.All","Directory.ReadWrite.All","Directory.AccessAsUser.All"

  2. Check if the application exists. If it doesn't, create it. Also ensure a service principal is present.

    $tenantId = (Get-MgOrganization).Id 
$app = Get-MgApplication -Filter "identifierUris/any(uri:uri eq 'API://$tenantId/CloudSyncCustomExtensionsApp')" 
if (-not $app) { 
  $app = New-MgApplication -DisplayName "CloudSyncCustomExtensionsApp" -IdentifierUris "API://$tenantId/CloudSyncCustomExtensionsApp" 
} 

$sp = Get-MgServicePrincipal -Filter "AppId eq '$($app.AppId)'" 
if (-not $sp) { 
  $sp = New-MgServicePrincipal -AppId $app.AppId 
}

  3. Now add a directory extension property named GroupDN. This will be a string attribute available on group objects.

    New-MgApplicationExtensionProperty ` 
  -ApplicationId $app.Id ` 
  -Name "GroupDN" ` 
  -DataType "String" ` 
  -TargetObjects Group

For more information about how to create the directory extension property for groups, see Cloud sync directory extensions and custom attribute mapping.

Configure provisioning

To configure provisioning, follow these steps:

  1. Sign in to the Microsoft Entra admin center as at least a Hybrid Identity Administrator.

  2. Browse to Entra ID > Entra Connect > Cloud sync.

    Screenshot that shows the Microsoft Entra Connect Cloud Sync home page.

  1. Select New configuration.

  2. Select Microsoft Entra ID to AD sync.

    Screenshot of configuration selection.

  3. On the configuration screen, select your domain and whether to enable password hash sync. Select Create.

    Screenshot of a new configuration.

  4. The Get started screen opens. From here, you can continue configuring cloud sync.

  5. On the left, select Scoping filters.

  6. For Groups scope, select Selected security groups.

    Screenshot of the scoping filters sections.

  7. There are two possible approaches to set the OU:

    • You can use custom expressions ensure the group is re-created with the same OU. Use the following expression for ParentDistinguishedName value:

      IIF(
    IsPresent([extension_<AppIdWithoutHyphens>_GroupDistinguishedName]),
    Replace(
        Mid(
            Mid(
                Replace([extension_<AppIdWithoutHyphens> _GroupDistinguishedName], "\,", , , "\2C", , ),
                Instr(Replace([extension_<AppIdWithoutHyphens> _GroupDistinguishedName], "\,", , , "\2C", , ), ",", , ),
                9999
            ),
            2,
            9999
        ),
        "\2C", , , ",", ,
    ),
"<Existing ParentDistinguishedName>",
)

      This expression:

      • Uses a default OU if the extension is empty.
      • Otherwise strips the CN portion and preserves the parentDN path, again handling escaped commas.

      This changes causes a full sync and doesn't affect existing groups. Test setting the GroupDN attribute for an existing group using Microsoft Graph and ensure that it moves back to original OU.

    • If you don't want to preserve the original OU path and CN information from on-premises, under Target container select Edit attribute mapping.

      1. Change Mapping type to Expression.

      2. In the expression box, enter:

        Switch([displayName],"OU=Groups,DC=contoso,DC=com","Marketing","OU=Marketing,DC=contoso,DC=com","Sales","OU=Sales,DC=contoso,DC=com")

      3. Change the Default value to be OU=Groups,DC=contoso,DC=com.

        Screenshot of how to change the default value of the OU.

      4. Select Apply. The target container changes depending on the group displayName attribute.

  8. You can use custom expressions to ensure the group is re-created with the same CN. Use the following expression for CN value:

    IIF(
    IsPresent([extension_<AppIdWithoutHyphens>_GroupDistinguishedName]),
    Replace(
        Replace(
            Replace(
                Word(Replace([extension_<AppIdWithoutHyphens> _GroupDistinguishedName], "\,", , , "\2C", , ), 1, ","),
                "CN=", , , "", ,
            ),
            "cn=", , , "", ,
        ),
        "\2C", , , ",", ,
    ),
Append(Append(Left(Trim([displayName]), 51), "_"), Mid([objectId], 25, 12)),
)

    This expression:

    • If the extension is empty, generates a fallback CN from DisplayName + ObjectId.
    • Otherwise extracts the CN, handling escaped commas by temporarily replacing them with hex values.

  9. Select Save.

  10. On the left, select Overview.

  11. At the top, select Review and enable.

  12. On the right, select Enable configuration.

Test configuration

Note

When you run on-demand provisioning, members aren't automatically provisioned. You need to select the members you want to test, and the limit is five members.

  1. Sign in to the Microsoft Entra admin center as at least a Hybrid Identity Administrator.

  2. Browse to Entra ID > Entra Connect > Cloud sync.

    Screenshot that shows the Microsoft Entra Connect Cloud Sync home page.

  1. Under Configuration, select your configuration.

  2. On the left, select Provision on demand.

  3. Enter Sales in the Selected group box.

  4. From the Selected users section, select some users to test.

    Screenshot of adding members.

  5. Select Provision.

  6. You should see the group provisioned.

Screenshot of successful provisioning on demand.

Verify in AD DS

Follow these steps to make sure the group is provisioned to AD DS:

  1. Sign in to your on-premises environment.

  2. Launch Active Directory Users and Computers.

  3. Verify the new group is provisioned.

    Screenshot of the newly provisioned group.

Group provision to AD DS behavior for SOA converted objects

When you convert the Source of Authority (SOA) to cloud for an on-premises group, that group becomes eligible for group provisioning to AD DS.

For example, in the following diagram, the SOA or SOATestGroup1 is converted to the cloud. As a result, it becomes available for the job scope in group provisioning to AD DS.

Screenshot of job in scope.

  • When a job runs, SOATestGroup1 is provisioned successfully.

  • In the Provisioning logs, you can search for SOATestGroup1 and verify that the group was provisioned.

    Screenshot of the Provisioning logs.

  • The details show that SOATestGroup1 was matched with an existing target group.

    Screenshot of matched attributes.

  • You can also confirm that the adminDescription and cn of the target group are updated.

    Screenshot of updated attributes.

  • When you look at AD DS, you can find that the original group is updated.

    Screenshot of the updated group.

    Screenshot of group properties.

Cloud skips provisioning converted SOA objects to Microsoft Entra ID

If you try to edit an attribute of a group in AD DS after you convert SOA to the cloud, Cloud Sync skips the object during provisioning.

Let's say we have a group SOAGroup3, and we update its group name to SOA Group3.1.

Screenshot of an object name update.

In the Provisioning Logs, you can see that SOAGroup3 was skipped.

Screenshot of a skipped object.

The details explain that the object isn't synced because its SOA is converted to the cloud.

Screenshot of a blocked sync.

Nested groups and membership references handling

The following table explains how the provisioning handles membership references after you convert SOA in different use cases.

Use case Parent group type Member group type Job How sync works
A Microsoft Entra parent security group has only Microsoft Entra members. Microsoft Entra security group Microsoft Entra security group AAD2ADGroupProvisioning (group provisioning to AD DS) The job provisions the parent group with all its member references (member groups).
A Microsoft Entra parent security group has some members that are synced groups. Microsoft Entra security group AD DS security groups (synced groups) AAD2ADGroupProvisioning (group provisioning to AD DS) The job provisions the parent group, but all the member references (member Groups) that are AD DS groups aren't provisioned.
A Microsoft Entra parent security group has some members that are synced groups whose SOA is converted to cloud. Microsoft Entra security group AD DS security groups whose SOA is converted to cloud. AAD2ADGroupProvisioning (group provisioning to AD DS) The job provisions the parent group with all its member references (member groups).
You convert the SOA of a synced group (parent) that has cloud-owned groups as members. AD DS security groups with SOA converted to cloud Microsoft Entra security group AAD2ADGroupProvisioning (group provisioning to AD DS) The job provisions the parent group with all its member references (member groups).
You convert the SOA of a synced group (parent) that has other synced groups as members. AD DS security groups with SOA converted to cloud AD DS security groups (synced groups) AAD2ADGroupProvisioning (group provisioning to AD DS) The job provisions the parent group, but all the member references (member Groups) that are AD DS security groups aren't provisioned.
You convert the SOA of a synced group (parent) whose members are other synced groups that have SOA converted to cloud. AD DS security groups with SOA converted to cloud AD DS security groups with SOA converted to cloud AAD2ADGroupProvisioning (group provisioning to AD DS) The job provisions the parent group with all its member references (member groups).

Group provision to AD DS behavior after you roll back SOA converted groups

If you have SOA converted groups in scope and you roll back the SOA converted group to make it owned by AD DS, group provisioning to AD DS stops syncing the changes, but it doesn't delete the on-premises group. It also removes the group from configuration scope. On-premises control of the group resumes in the next sync cycle.

  • You can verify in the Audit Logs that sync doesn't happen for this object because it's managed on-premises.

    Screenshot of Audit log details.

    You can also check in AD DS that the group is still intact and not deleted.

    Screenshot of Users and Computers.

Next steps

  • Last updated on