Microsoft has recently introduced a feature in Azure Active Directory that lets an admin specify which groups are written back to the on-premises Active Directory, and with which writeback scope.

Today's PowerShell script reports which Azure AD groups are enabled for group writeback by reading each group's writebackConfiguration resource in the Microsoft Graph API.

At the time of writing, this configuration is only available in the beta version of the Graph API, so you need to switch to the beta profile to read writebackConfiguration.

Prerequisites

You need one of the following permission scopes to run Get-MgGroup; I use Group.Read.All:

PS C:\> (Find-MgGraphCommand -Command Get-MgGroup -ApiVersion v1.0).Permissions | select-object Name,description

Name                    Description
----                    -----------
Directory.Read.All      Read directory data
Directory.ReadWrite.All Read and write directory data
Group.Read.All          Read all groups
Group.ReadWrite.All     Read and write all groups
GroupMember.Read.All    Read group memberships
Directory.Read.All      Read directory data
Directory.ReadWrite.All Read and write directory data
Group.Read.All          Read all groups
Group.ReadWrite.All     Read and write all groups
GroupMember.Read.All    Read group memberships

To see the configuration in Microsoft Graph Explorer, use the following endpoint and replace {GROUPID} with the id of a cloud group:

https://graph.microsoft.com/beta/groups/{GROUPID}

If you are new to the Graph API, you can read more about it and see how easy it is to understand in Understanding Microsoft Graph SDK PowerShell.

Configure Azure Active Directory Writeback Group

To see the configuration via the web interface:

  • Open Azure Active Directory.
  • Click on Groups.
  • Click on any group in the list whose Source is Cloud.
    (Screenshot: Source is Cloud)
  • Click on Properties; the Group Writeback State is shown there.
    (Screenshot: WriteBack configuration)

Reading Group writebackConfiguration.

The script connects to Graph, switches to the beta profile, and then runs the report. Feel free to download the script from my Azure WriteBack Reporter GitHub repo.

The script supports one optional switch parameter, IncludeonPremise. When set, it also collects information about the groups synced to Azure Active Directory from the on-premises site.

The result looks like the following.

PS C:\GroupReporter> .\GroupsReporter.ps1  -IncludeonPremise

GroupName                    : CloudGroup
Description                  : Group Created on the Cloud
CloudID                      : a501f9ad09d-37db-37db-37db-1a501f9ad09d
GroupTypes                   : Security
WriteBackEnabled             : True
WriteBackAs                  : UniversalSecurityGroup
Source                       : Cloud
OnPremisesSamAccountName     : 
OnPremisesSecurityIdentifier : 

GroupName                    : TechSupport
Description                  : 
CloudID                      : 0023a002-4482-4482-4482-7343f117343f
GroupTypes                   : Security
WriteBackEnabled             : 
WriteBackAs                  : 
Source                       : OnPremis
OnPremisesSamAccountName     : TechSupport
OnPremisesSecurityIdentifier : S-1-5-21-522802610-522802610-522802610-12420

The script reports the cloud group information: if a group is writeback-enabled, it shows True for the WriteBackEnabled property, and the writeback scope is listed under WriteBackAs.
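As an added example that is not the post's GroupsReporter.ps1, the following PowerShell reads the beta writebackConfiguration of every group and builds the same fields as the report above, sorting writeback-enabled cloud groups to the top because those are the ones that will appear as real objects in on-premises AD. It assumes Microsoft.Graph SDK 1.x (where Select-MgProfile exists) and the Group.Read.All scope used above; the IncludeOnPremise switch and the derived GroupTypes labels are my own naming.

```powershell
# Added example, not the post's script: report group writeback settings.
# Assumes Microsoft.Graph SDK 1.x (Select-MgProfile) and Group.Read.All.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups
[CmdletBinding()]
param(
    [switch]$IncludeOnPremise   # also list groups synced from on-premises AD
)

Connect-MgGraph -Scopes 'Group.Read.All' | Out-Null
Select-MgProfile -Name beta     # writebackConfiguration is beta-only at time of writing

# Only request the properties the report needs; writebackConfiguration
# carries isEnabled and onPremisesGroupType (the writeback scope).
$props = @(
    'id', 'displayName', 'description', 'groupTypes', 'securityEnabled', 'mailEnabled',
    'onPremisesSyncEnabled', 'onPremisesSamAccountName',
    'onPremisesSecurityIdentifier', 'writebackConfiguration'
)

$report = foreach ($g in Get-MgGroup -All -Property $props) {
    $fromOnPrem = $g.OnPremisesSyncEnabled -eq $true
    if ($fromOnPrem -and -not $IncludeOnPremise) { continue }

    # Derive a readable group type from the raw flags (labels are my own)
    $type = if ($g.GroupTypes -contains 'Unified') { 'Microsoft365' }
            elseif ($g.SecurityEnabled)            { 'Security' }
            else                                   { 'Distribution' }

    [pscustomobject]@{
        GroupName                    = $g.DisplayName
        Description                  = $g.Description
        CloudID                      = $g.Id
        GroupTypes                   = $type
        # null for synced groups: writeback applies to cloud-born groups only
        WriteBackEnabled             = $g.WritebackConfiguration.IsEnabled
        WriteBackAs                  = $g.WritebackConfiguration.OnPremisesGroupType
        Source                       = if ($fromOnPrem) { 'OnPremise' } else { 'Cloud' }
        OnPremisesSamAccountName     = $g.OnPremisesSamAccountName
        OnPremisesSecurityIdentifier = $g.OnPremisesSecurityIdentifier
    }
}

# Writeback-enabled cloud groups become AD objects, so list them first
$report |
    Sort-Object -Property @{ Expression = 'WriteBackEnabled'; Descending = $true }, GroupName |
    Format-List
```

A writeback-enabled cloud group written back as a universal security group can be granted on-premises permissions, so reviewing this list is a useful periodic check for groups nobody expected to exist in AD.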

You can write back Microsoft 365 groups as one of the following:

  • Distribution groups.
  • Mail-enabled security groups.
  • Security groups.
