{"id":1081,"date":"2025-08-02T13:16:00","date_gmt":"2025-08-02T17:16:00","guid":{"rendered":"https:\/\/anthonyfontanez.com\/?p=1081"},"modified":"2025-08-02T13:16:03","modified_gmt":"2025-08-02T17:16:03","slug":"group-soa-conversion-from-ad-to-entra","status":"publish","type":"post","link":"https:\/\/anthonyfontanez.com\/index.php\/2025\/08\/02\/group-soa-conversion-from-ad-to-entra\/","title":{"rendered":"Group SOA Conversion &#8211; From AD to Entra!"},"content":{"rendered":"\n<p>Entra Connect Sync 2.5.76.0 was released on 2025-07-31, and the <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/connect\/reference-connect-version-history#25760\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/connect\/reference-connect-version-history#25760\" target=\"_blank\" rel=\"noreferrer noopener\">release notes<\/a> included a cool new feature:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Group Source of Authority conversion feature allowing administrators to transfer on-premises Active Directory groups to become cloud only groups managed through Microsoft Entra ID (Public Preview).<\/p>\n<\/blockquote>\n\n\n\n<p>Now, the &#8220;cloud only&#8221; bit in that sentence may be a typo, but have no fear: this feature will in fact take a group that is synced to Entra via Connect Sync, with the SOA being AD, and turn it into a group synced via Cloud Sync, moving the SOA to Entra while retaining the same group in AD with the same SID in the process!<\/p>\n\n\n\n<p>Why would you want to do this? 
This is nice as more and more provisioning processes shift to the cloud, and you can utilize things such as access packages in Entra to provide access to existing on-premises services utilizing existing groups.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Requirements and Assumptions<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Entra Connect Sync 2.5.76.0 installed and configured<\/li>\n\n\n\n<li>Entra Cloud Sync 1.1.1370.0 or later installed and configured\n<ul class=\"wp-block-list\">\n<li>As of 2024-05-13, version 1.1.1586.0 is the latest<\/li>\n\n\n\n<li>Be sure that Connect Sync and Cloud Sync are NOT syncing the same objects!<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Existing AD group(s) being synced to Entra via Entra Connect Sync\n<ul class=\"wp-block-list\">\n<li>These groups MUST be Universal in scope!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Docs<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/concept-source-of-authority-overview\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/concept-source-of-authority-overview\" target=\"_blank\" rel=\"noreferrer noopener\">Group SOA Overview<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/how-to-group-source-of-authority-configure\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/how-to-group-source-of-authority-configure\" target=\"_blank\" rel=\"noreferrer noopener\">Configure Group SOA<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Credits<\/h2>\n\n\n\n<p>Lots of credit must be given here to <a href=\"https:\/\/bsky.app\/profile\/intune.best\" data-type=\"link\" data-id=\"https:\/\/bsky.app\/profile\/intune.best\" target=\"_blank\" rel=\"noreferrer noopener\">Martin Himken<\/a> as he was in WinAdmins Discord voice testing this out a bit, but ran into an issue (damn group scope!), 
and then I decided to test it out after hopping on. He also helped me out with the PowerShell to change the SOA, and my understanding of how to connect to Graph. He&#8217;s a pretty cool dude, and you should go follow him!<\/p>\n\n\n\n<figure class=\"wp-block-embed aligncenter is-type-rich is-provider-bluesky-social wp-block-embed-bluesky-social\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"bluesky-embed\" data-bluesky-uri=\"at:\/\/did:plc:bylhixxdq5emqlt53nytnsom\/app.bsky.feed.post\/3lvep2qcozc2x\" data-bluesky-cid=\"bafyreifkvnbtgm455ndjrpofijii47co42p7knjuwh7p36gncdzpkgmeie\"><p lang=\"en\">You can now specify whether an #ADDS group is an #EntraID group or on-premises. This is called a &#39;change of SOA&#39;. However, be aware that, since @ajf8729.com and I have only just tried this out, the documentation is incomplete for now. Let me explain&#8230;\ud83e\uddf5learn.microsoft.com\/en-us\/entra\/&#8230;<\/p>&mdash; <a href=\"https:\/\/bsky.app\/profile\/did:plc:bylhixxdq5emqlt53nytnsom?ref_src=embed\">Martin Himken | MVP (@intune.best)<\/a> <a href=\"https:\/\/bsky.app\/profile\/did:plc:bylhixxdq5emqlt53nytnsom\/post\/3lvep2qcozc2x?ref_src=embed\">2025-08-01T22:26:55.617Z<\/a><\/blockquote><script async src=\"https:\/\/embed.bsky.app\/static\/embed.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Let&#8217;s Do It!<\/h2>\n\n\n\n<p>First I&#8217;ll make a new group in the OU I have configured to sync via Connect Sync, add a member, and trigger a delta sync:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>New-ADGroup -Name 'Cloud Sync Test' -Path 'OU=Groups-Synced,OU=AJF-ONE,DC=ad,DC=ajf,DC=one' -GroupCategory Security -GroupScope Universal\n\nGet-ADGroup -Identity 'Cloud Sync Test'\n\nDistinguishedName : CN=Cloud Sync Test,OU=Groups-Synced,OU=AJF-ONE,DC=ad,DC=ajf,DC=one\nGroupCategory     : Security\nGroupScope        : Universal\nName              : Cloud Sync Test\nObjectClass       : group\nObjectGUID  
      : cc79e6ea-8fa4-42e1-a0ef-c5f888bb1eb9\nSamAccountName    : Cloud Sync Test\nSID               : S-1-5-21-1730572994-3387147435-2638140007-3143\n\nAdd-ADGroupMember -Identity 'Cloud Sync Test' -Members 'ajf'\n\nStart-ADSyncSyncCycle -PolicyType Delta<\/code><\/pre>\n\n\n\n<p>Once the delta sync is complete, let&#8217;s check the group in Entra, and confirm the source is AD and the membership is correct:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"797\" height=\"530\" src=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image.png\" alt=\"\" class=\"wp-image-1082\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image.png 797w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-300x199.png 300w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-768x511.png 768w\" sizes=\"auto, (max-width: 797px) 100vw, 797px\" \/><\/figure>\n<\/div>\n\n\n<p>Next, let&#8217;s change the SOA using Graph:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Connect-MgGraph -Scopes 'Group.Read.All', 'Group-OnPremisesSyncBehavior.ReadWrite.All'\n\n$GroupID = 'daa94b20-6bbb-4fcd-abbb-c3d715dfbbde'\n\n$isCloudManaged = @{\n    isCloudManaged = $true\n}\n\n$JSONisCloudManaged = $isCloudManaged | ConvertTo-Json -Depth 10\n\nInvoke-MgGraphRequest -Uri \"https:\/\/graph.microsoft.com\/beta\/groups\/$GroupID\/onPremisesSyncBehavior\" -Method PATCH -Body $JSONisCloudManaged -ContentType 'application\/json'<\/code><\/pre>\n\n\n\n<p>Now, if we go back to Entra and refresh, we&#8217;ll see the SOA has changed:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"794\" height=\"531\" src=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-1.png\" alt=\"\" class=\"wp-image-1083\" 
srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-1.png 794w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-1-300x201.png 300w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-1-768x514.png 768w\" sizes=\"auto, (max-width: 794px) 100vw, 794px\" \/><\/figure>\n<\/div>\n\n\n<p>At this point, the existing sync of this group via Connect Sync will be broken. By drilling down to the metaverse object properties in Connect Sync (follow the steps listed <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/how-to-group-source-of-authority-configure#connect-sync-client-1\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/how-to-group-source-of-authority-configure#connect-sync-client-1\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>), we&#8217;ll see that the attribute &#8220;blockOnPremiseSync&#8221; is set to &#8220;true&#8221;:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"690\" height=\"541\" src=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-2.png\" alt=\"\" class=\"wp-image-1085\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-2.png 690w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-2-300x235.png 300w\" sizes=\"auto, (max-width: 690px) 100vw, 690px\" \/><\/figure>\n<\/div>\n\n\n<p>Finally, let&#8217;s add this group to the Entra -> AD Cloud Sync configuration. 
Under Scoping Filters, select the group and hit Save:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"868\" height=\"532\" src=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-3.png\" alt=\"\" class=\"wp-image-1086\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-3.png 868w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-3-300x184.png 300w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-3-768x471.png 768w\" sizes=\"auto, (max-width: 868px) 100vw, 868px\" \/><\/figure>\n<\/div>\n\n\n<p>In my example, I have configured the target container to be a different OU than what Connect Sync is currently syncing, which I would recommend, to ensure you have no conflicts between the two sync methods. To speed up this initial process, I&#8217;ll trigger an on-demand provision of the group in Entra:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"443\" src=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-4.png\" alt=\"\" class=\"wp-image-1087\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-4.png 920w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-4-300x144.png 300w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/image-4-768x370.png 768w\" sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/figure>\n<\/div>\n\n\n<p>Now let&#8217;s look at the group in AD and see what changed:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Before SOA Change\n\nGet-ADGroup -Identity 'Cloud Sync Test'\n\n\nDistinguishedName : CN=Cloud Sync Test,OU=Groups-Synced,OU=AJF-ONE,DC=ad,DC=ajf,DC=one\nGroupCategory     : Security\nGroupScope        : Universal\nName              : Cloud Sync Test\nObjectClass       : group\nObjectGUID        : 
cc79e6ea-8fa4-42e1-a0ef-c5f888bb1eb9\nSamAccountName    : Cloud Sync Test\nSID               : S-1-5-21-1730572994-3387147435-2638140007-3143\n\n# After SOA Change\n\nGet-ADGroup -Identity 'Cloud Sync Test'\n\n\nDistinguishedName : CN=Cloud Sync Test_c3d715dfbbde,OU=Groups,OU=TEST,DC=ad,DC=ajf,DC=one\nGroupCategory     : Security\nGroupScope        : Universal\nName              : Cloud Sync Test_c3d715dfbbde\nObjectClass       : group\nObjectGUID        : cc79e6ea-8fa4-42e1-a0ef-c5f888bb1eb9\nSamAccountName    : Cloud Sync Test\nSID               : S-1-5-21-1730572994-3387147435-2638140007-3143<\/code><\/pre>\n\n\n\n<p>Sweet! The group was moved to the new OU, the SID is the same, and you&#8217;ll see that the Name attribute was changed; the string added to the end of the group name will match the last section of the object ID of the group in Entra. We did it!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bonus Feature &#8211; Doing It All With Entra Cloud Sync!<\/h2>\n\n\n\n<p>After getting all of this working, I realized that this can be done entirely with Cloud Sync as well. The new feature and docs are targeted at folks who are already syncing groups to Entra via Connect Sync, but if you&#8217;re one of the crazy cats out there like <a href=\"https:\/\/bsky.app\/profile\/jgkps.bsky.social\" data-type=\"link\" data-id=\"https:\/\/bsky.app\/profile\/jgkps.bsky.social\" target=\"_blank\" rel=\"noreferrer noopener\">Johannes<\/a> (also a pretty cool dude that you should go follow), you&#8217;ve already gotten rid of Connect Sync.<\/p>\n\n\n\n<p>If that&#8217;s the case, the first part of the process is to instead add your existing groups to the AD -> Entra Cloud Sync configuration, either by OU DN or by adding specific groups. 
Once they are synced up to Entra, make the same change to the &#8220;isCloudManaged&#8221; attribute using the same PowerShell above, and then add the groups to the Entra -> AD Cloud Sync configuration, same as the second half of the above steps.<\/p>\n\n\n\n<p>With the Entra -> AD configuration set up to use a different OU, we&#8217;ll ensure that the groups are moved between OUs in the process, and never have to worry about any sync conflicts, like I mentioned earlier. Pretty neat!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Entra Connect Sync 2.5.76.0 was released on 2025-07-31, and the release notes included a cool new feature: Group Source of Authority conversion feature allowing administrators<\/p>\n","protected":false},"author":1,"featured_media":1105,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6,12],"tags":[2,13],"class_list":["post-1081","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory","category-azure-ad","tag-active-directory","tag-azure-ad"],"jetpack_featured_media_url":"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2025\/08\/cloud.jpg","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/1081","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"hre
f":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/comments?post=1081"}],"version-history":[{"count":18,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/1081\/revisions"}],"predecessor-version":[{"id":1104,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/1081\/revisions\/1104"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/media\/1105"}],"wp:attachment":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/media?parent=1081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/categories?post=1081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/tags?post=1081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}