Entra Connect Sync 2.3.2 - Group Writeback V2 will be discontinued

Hi All,

Somehow I did miss that there was an Update for Entra Connect Sync (Azure Active Directory Connect) mid December. It’s available for download only, so there is no Automatic Update.

Group Writeback V2 will be decommissioned. Group Writeback for M365 Groups will still be supported.

It’s still a bit of a mess with the Product Names. The Product Name is “Microsoft Entra Connect Sync” but you download “Azure AD Connect V2”.

I’ve downloaded Azure AD Connect V2 2.3.2

Sadly you can’t see the Directory sync status in M365 Admin Center.

You can still find the AAD Connect Version in Entra ID: Identity > Hybrid Management > Microsoft Entra Connect > Connect Sync > Microsoft Entra Connect Health > Sync Services > Tenant > Server > Settings > Synchronization

Installation

I’ve downloaded the MSI and here are the Installation Screenshots

Enter the Username and Password (Global Admin or Hybrid Identity Administrator Role)

Installation is Complete

It takes a few Minutes until the Version has been updated in Entra ID

Disable Group Writeback V2

Group Writeback V2 is essentially the synchronization of Cloud Only Groups to OnPrem Active Directory.

So first we need to figure out which Groups are currently synced to OnPrem.

Go to All Groups in Entra ID and set the Filter “Writeback enabled” to “Yes”. Now you can see the Groups that are written back to Active Directory.

You can also add the Column in the Settings

Let’s figure out the same thing in PowerShell with the Microsoft.Graph PowerShell Modules.

First we need to figure out the Properties. I’ll check with a Group that has Writeback enabled. You can find it in the Property WritebackConfiguration.

Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome
$demo = Get-MgBetaGroup -Filter "displayName eq 'AAD-DemoWriteback'"
$demo.WritebackConfiguration

List all the Groups that have Writeback Enabled

$Groups = Get-MgBetaGroup -All
$Groups | Where-Object {$_.writebackConfiguration.isEnabled -eq $true} | Select-Object id,DisplayName,@{Name="WriteBackEnabled";Expression={$_.writebackConfiguration.isEnabled}}

You probably would not need to disable this. But in my Opinion it gets confusing if you have a Group that has the Property Writeback = True and still does not show up OnPrem, because Group Writeback V2 has been disabled. Let’s make it clean.

Set all Groups to Writeback Enabled = False

$WritebackGroups = Get-MgBetaGroup -All | Where-Object {$_.writebackConfiguration.isEnabled -eq $true}
$WritebackGroups.Count
Foreach ($Group in $WritebackGroups)
{
	Update-MgBetaGroup -GroupId $Group.Id -WritebackConfiguration @{isEnabled = $false }
}

If we refresh the Filter in Entra Admin Center, no Groups have Writeback Enabled = $True anymore.
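
The inventory and the bulk change above can be combined into one function that saves the current state to a CSV file before changing anything and supports -WhatIf. This is an added example, not code from the original post; the function name Disable-GroupWritebackFlag and the snapshot path are assumptions.

```powershell
# Added example (not from the original post). Needs the Microsoft.Graph.Beta modules
# and an existing session: Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome
function Disable-GroupWritebackFlag {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed location for the pre-change snapshot
        [string]$SnapshotPath = ".\writeback-groups-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )

    # Same selection as in the post: groups whose writebackConfiguration.isEnabled is true
    $targets = @(Get-MgBetaGroup -All |
        Where-Object { $_.WritebackConfiguration.IsEnabled -eq $true })
    if ($targets.Count -eq 0) {
        Write-Verbose 'No groups with writeback enabled.'
        return
    }

    # Record the state before changing it; -WhatIf:$false so a dry run still writes the file
    $targets |
        Select-Object Id, DisplayName,
            @{ Name = 'WriteBackEnabled';    Expression = { $_.WritebackConfiguration.IsEnabled } },
            @{ Name = 'OnPremisesGroupType'; Expression = { $_.WritebackConfiguration.OnPremisesGroupType } } |
        Export-Csv -Path $SnapshotPath -NoTypeInformation -Encoding UTF8 -WhatIf:$false

    foreach ($group in $targets) {
        if (-not $PSCmdlet.ShouldProcess("$($group.DisplayName) [$($group.Id)]", 'Set writeback isEnabled = false')) { continue }
        try {
            Update-MgBetaGroup -GroupId $group.Id -WritebackConfiguration @{ isEnabled = $false } -ErrorAction Stop
            $status = 'Disabled'
        }
        catch {
            # Keep going; one failing group should not hide the result for the others
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Id = $group.Id; DisplayName = $group.DisplayName; Result = $status }
    }
}

# Dry run first: lists what would be changed and writes the snapshot, changes nothing
Disable-GroupWritebackFlag -WhatIf
```

Run it again without -WhatIf to apply the change. The CSV lists the groups that had isEnabled = $true, in case the setting has to be restored.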

I was curious how the Group Writeback Option looks in Azure Active Directory Connect

Select “Customize synchronization options”

Group Writeback is still enabled (Remember only Group Writeback V2 will be disabled)

It seems to still look the same. The question is whether the Display Name of the Objects will remain after the Deprecation of the Preview for Group Writeback V2.

AAD Connect

On the AAD Connect Server we check for the Features

Get-ADSyncAADCompanyFeature

In Active Directory I can still see the Synchronized Cloud Groups, even though they have been set to Writeback = $False, and even after Delta and Full Synchronization.

Let’s disable Group Writeback V2 on the AAD Connect Server

Set-ADSyncAADCompanyFeature -GroupWritebackV2 $false

Initiate a Full Sync

Start-ADSyncSyncCycle -PolicyType Initial

Now the CloudOnly Groups have been removed. The M365 Groups are still written back as this is a Group Writeback V1 Feature.

Summary

Now you know how to update to the latest Azure AD Connect Version and how to disable Group Writeback V2.

Regards
Andres Bohren