How to disable Group Writeback v2 in Microsoft Entra Connect

Microsoft is discontinuing Group Writeback in June 2024. It’s essential to check if your organization makes use of it. If so, you need to make the necessary changes. In this article, you will learn how to disable Group Writeback v2 in Microsoft Entra Connect.

Table of contents

Group writeback v2 discontinued

The public preview of Group Writeback v2 in Microsoft Entra Connect Sync will no longer be available after June 30, 2024. This feature will be discontinued on this date, and you will no longer be supported in Connect Sync to provision cloud security groups to Active Directory.

The Unified Group Writeback that refers to the original version will keep working, and you can read more about how to set it up in the articles below:

How to disable Group Writeback v2

To disable Group Writeback v2 in Microsoft Entra Connect Sync, follow the below steps.

Step 1. Get Group Writeback v2 status

Sign in on the Microsoft Entra Connect Server. Run PowerShell administrator and run the Get-ADSyncAADCompanyFeature cmdlet to get the Group Writeback v2 status.

Get-ADSyncAADCompanyFeature

The PowerShell output shows that GroupWriteBackV2 is enabled because the value is True.

Note: UnifiedGroupWriteback refers to the original version, which will keep working. GroupWritebackV2 refers to the new version that will be discontinued.

PasswordHashSync           : True
ForcePasswordChangeOnLogOn : False
UserWriteback              : False
DeviceWriteback            : False
UnifiedGroupWriteback      : True
GroupWritebackV2           : True

If the value is False for GroupWritebackV2, you don’t have to go through the steps below, and everything is set. Just update the team and the documentation that Group Writeback v2 in Microsoft Entra Connect Sync is discontinued after June 30, 2024.

Step 2. Get security groups with Group Writeback enabled

To get a list view of which security groups have Group Writeback v2 enabled, filter them in Microsoft Entra ID.

Sign in to Microsoft Entra admin center. Click on Identity > Groups > All Groups.

All groups in Microsoft Entra admin center

Click Manage view > Edit columns.

Edit groups columns in Entra admin center

Check both columns Target writeback type/Writeback enabled. Click Save.

Add target writeback type and writeback enabled columns

Filter the groups to show only the AAD groups:

  • Click on Add filter
  • Select Filter – Group type and Value – Security
  • Click on Apply
Add group type security filter
  • Click on Add filter
  • Select Filter – Source and Value – Cloud
  • Click on Apply
Add source cloud filter
  • Click on Add filter
  • Select Filter – Writeback enabled and Value – Yes
  • Click on Apply
Add writeback enabled yes value

This is how it looks when you have set the three filters.

All three filters added for groups

Another way to check is with Microsoft Graph PowerShell.

Run Windows PowerShell as administrator and Install Microsoft Graph PowerShell. 

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Run the script below.

# Connect to MgGraph with necessary scope
Connect-MgGraph -Scopes "Group.ReadWrite.All"

Get-MgBetaGroup -All |
Where-Object {
    $_.writebackConfiguration.onPremisesGroupType -eq "universalSecurityGroup" -and
    $_.writebackConfiguration.isEnabled -eq $true
} |
Select-Object DisplayName, @{
    Name       = "WriteBackEnabled"
    Expression = { $_.writebackConfiguration.isEnabled }
}, @{
    Name       = "OnPremisesGroupType"
    Expression = { $_.writebackConfiguration.onPremisesGroupType }
} |
Sort-Object DisplayName

The output shows the cloud security groups with writeback enabled.

DisplayName WriteBackEnabled OnPremisesGroupType
----------- ---------------- -------------------
Group1_WR               True UniversalSecurityGroup
Group2_WR               True UniversalSecurityGroup
Group3_WR               True UniversalSecurityGroup
Group4_WR               True UniversalSecurityGroup

You can also check the cloud security groups with writeback enabled in Active Directory on-premises. Start Active Directory Users and Computers and check for Security Group type.

Cloud security groups synced to Active Directory Users and Computers

Step 3. Disable Group Writeback for cloud security groups

In the filtered groups list, disable all the Writeback enabled for the cloud security groups by changing the value to No.

Turn off writeback enabled in Microsoft Entra admin center

It’s faster and recommended to do it with PowerShell. Run the script below.

# Connect to MgGraph with necessary scope
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# List all cloud security groups with writeback enabled
$Groups = Get-MgBetaGroup -All |
Where-Object {
    $_.writebackConfiguration.onPremisesGroupType -eq "universalSecurityGroup" -and
    $_.writebackConfiguration.isEnabled -eq $true
}

# Disable writeback for cloud security groups
foreach ($Group in $Groups) {
    Update-MgBetaGroup -GroupId $Group.Id -WritebackConfiguration @{isEnabled = $false }
}

Step 4. Disable Group Writeback v2 in Microsoft Entra Connect Sync

Sign in on the Microsoft Entra Connect Server. Start Windows PowerShell and run the below command to disable the Group Writeback v2 feature in the tenant.

Set-ADSyncAADCompanyFeature -GroupWritebackV2 $false

Now run a Force sync in Microsoft Entra Connect.

Start-ADSyncSyncCycle -PolicyType Initial

Give it a few minutes to sync the data between AD on-premises and Entra ID.

Step 5. Verify security groups are removed from AD on-premises

Verify that the security groups don’t appear in Active Directory on-premises. The Microsoft 365 cloud groups should still be available.

Group Writeback v2 disabled and not synced to Active Directory Users and Computers

That’s it!

Read more: Migrate Azure AD Connect to new server »

Conclusion

You learned how to disable Group Writeback v2 in Microsoft Entra Connect. Follow the steps to disable Group Writeback for the cloud security groups and update your documentation. If you want to use the Group Writeback feature for security groups, you must look into Microsoft Entra Cloud Sync.

Did you enjoy this article? You may also like Find Azure AD Connect accounts. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

X TwitterLinkedIn

What Others Are Reading

This Post Has 2 Comments

    1. There is no option to disable Group Writeback v2 through the Microsoft Entra Connect wizard.

      Disabling the “Group Writeback” feature from the Microsoft Entra Connect wizard will disable Group Writeback v2 and Unified Group Writeback.

      You don’t want to do this because Unified Group Writeback will keep working and is not being discontinued.

      Following the steps described in this guide ensures you only turn off Group Writeback v2.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *