We have upgraded some of our clients from Exchange 2010 to Exchange Server 2016/2019.
With this they can now use the Office 365 Groups writeback feature, which they could not use while running Exchange Server 2010, because the minimum version required for this feature is Exchange Server 2013.
This feature writes the Office 365 Groups objects that are created in the cloud back to on-premises Active Directory as distribution groups.
The benefit is that Office 365 Groups can now be used by on-premises users and applications.
It also avoids conflicts in email address usage on large Office 365 deployments (which we have seen, and which then require manual remediation).
Note: You need Azure AD Premium and a supported Exchange version to use Azure AD Group Writeback.
To configure this feature, follow the steps below:
- Create an Organizational Unit in Active Directory to host these groups.
- Log on to the Azure AD Connect server and launch Azure AD Connect.
- Click Configure, select Customize synchronization options, click Next and enter the user ID/password of a Global Administrator.
- Click Next until you reach Optional features.
- Check Group writeback and, in the next window, select the Organizational Unit you created to store these groups.
- Click Configure and exit when the wizard completes.
Next you need to grant the permissions required to write the groups back to on-premises Active Directory.
Here is the script to do that:
# Distinguished name of the Azure AD Connect AD connector (sync) account; replace the placeholder
$AzureADConnectSWritebackAccountDN = "<MSOL_ account DN>"
# Load the AdSyncConfig module shipped with Azure AD Connect
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
# Grant the connector account the permissions it needs for group writeback
Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN $AzureADConnectSWritebackAccountDN
How do you find the Azure AD Connect account to use in the above script?
On the internet many admins state that you can just search AD for MSOL_ and you will find the sync account, but in our client's case nothing was found with MSOL.
Import the AdSyncConfig module in PowerShell and run Get-ADSyncADConnectorAccount:
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
# Lists the AD connector account(s) configured in Azure AD Connect
Get-ADSyncADConnectorAccount
Now that you have the account, populate its DN in the above script and run it.
This grants the permissions needed to write back to on-premises Active Directory.
We always run a full synchronization when making these kinds of configuration changes.
Result: you will see Group_ objects in the Organizational Unit you created.
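The steps above (discover the connector account, grant the permissions, run a full sync, check the OU) as one script. This is an added example, not the post's own script: it assumes the ActiveDirectory RSAT module and the ADSync module are present on the Azure AD Connect server, that Get-ADSyncADConnectorAccount returns ADConnectorAccountName and ADConnectorAccountDomain properties, and a placeholder OU DN that you must replace. It also lists the ACEs granted to the sync account on the OU so the rights can be reviewed.

```powershell
# Added example (not the original post's script). See the lead-in for assumptions.
Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
Import-Module ADSync

# Placeholder: the Organizational Unit created in step 1 to host the written-back groups
$WritebackOU = "OU=O365Groups,DC=contoso,DC=com"

# 1. Discover the AD connector (sync) account instead of guessing at an MSOL_ name.
#    (Assumed property names: ADConnectorAccountName, ADConnectorAccountDomain.)
$connector = Get-ADSyncADConnectorAccount | Select-Object -First 1
$accountDN = (Get-ADUser -Identity $connector.ADConnectorAccountName `
                         -Server   $connector.ADConnectorAccountDomain).DistinguishedName
Write-Host "Sync account DN: $accountDN"

# 2. Grant the group writeback permissions to that account.
Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN $accountDN

# 3. Review what was granted: show the ACEs on the target OU that name the sync account,
#    so the rights and inheritance scope can be audited after the change.
(Get-Acl -Path "AD:\$WritebackOU").Access |
    Where-Object { $_.IdentityReference -like "*$($connector.ADConnectorAccountName)*" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType |
    Format-Table -AutoSize

# 4. Run a full (initial) sync cycle and wait until the scheduler reports it finished.
Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
do { Start-Sleep -Seconds 30 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 5. Verify that Group_ objects landed in the OU as mail-enabled distribution groups.
$written = Get-ADGroup -SearchBase $WritebackOU -Filter 'Name -like "Group_*"' -Properties mail
$written | Select-Object Name, GroupCategory, mail | Format-Table -AutoSize
if (-not $written) {
    Write-Warning "No Group_ objects found in $WritebackOU; check the permissions and the connector run history."
}
```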
Reference: Azure AD Connect Group Write Back
Thanks for reading…
Tech Wizard