Entra Cloud Sync - Group Provisioning

Group scoping and attribute based destination mapping

In a recent project, we planned the cloud journey for a customer that wanted to retire more and more on-premises resources to modernize its IT, reduce risk, and improve overall security.

They used an Identity and Access Management (IAM) tool that had been in place for a while and is highly customized for the industry and the company itself. Because of this and some other dependencies, we could not easily switch the primary identity provider to Entra ID. But we recognized that we could take a big step in the "Cloud First" direction if we could provision groups (which are the primary IAM lever) in Entra ID first and make some of them usable for authorization in the on-premises Active Directory.

At the time of writing, we are between the end of the 'Entra Connect Sync'-based 'Group Writeback' (V2) and its designated successor, the 'Entra Cloud Sync'-based 'Group Provisioning'. Because the end of Group Writeback (V2) had already been announced, we chose the new group provisioning method.

By the way: Entra Cloud Sync can provision security groups only. If you also want an on-premises counterpart of your M365 groups, you still need Entra Connect Sync and 'Group Writeback' (V1), which is still supported and the official tool for that job.

The installation of Entra Cloud Sync is pretty simple. It is agent-based software that has to be installed on a server with line of sight to the domain controllers, and the agent pulls its configuration and jobs from the cloud service. So the configuration is done in Entra ID and the agent does its job accordingly.

So we installed the agent on a new server and configured Cloud Sync alongside Connect Sync, with the goal that Connect Sync syncs user and device objects from AD to Entra ID, and Cloud Sync provisions groups from Entra ID to AD. We got this working in our test environment without trouble.

The fun began when we tried to establish an OU mapping for the provisioned groups. The docs describe that you can do it, but the "how" part is very basic. This post contains the examples I played around with to get the job done.


Scoping Filters

Scoping filters define which groups from Entra ID will be provisioned. You may not want to sync all groups, just those you need for on-premises authorization scenarios. At first glance, you can only choose between 'All' and explicitly selected items. If you want a more dynamic selection, you can use the attribute-based scoping filter.

To do so, select 'All security groups' in the group scope and click '+ Add attribute scoping filter'. Now you can define filters that provision just the groups you need.

Unfortunately, only non-mail-enabled security groups can be provisioned, and the preview cannot handle custom schema extensions, so extensionAttribute1-15 and the like cannot be used for smart filtering. We have to work with basic attributes such as name and description. Conversely, this means you need a solid naming concept and Entra ID group deployment process in place to be able to scope accordingly.

As an example, you can use the following filter to just sync groups that match your naming convention:

Target attribute: 'displayName'
Operator: 'REGEX MATCH'
Value: '\b(?:DEV_|TST_|PRD_)\w+\b'

This regex-based filter selects all security groups whose display name contains the prefix 'DEV_', 'TST_' or 'PRD_' at a word boundary; those groups will be synced to the on-premises AD. Note that the pattern starts with \b rather than ^, so it is not anchored to the beginning of the name: a prefix that appears later in the name after a non-word character (a space or hyphen, for example) also matches. I used ChatGPT to create the regular expression, which makes it easy.
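As an added check that is not part of the original post, the following Python script runs the REGEX MATCH value above against a constructed list of display names and compares the result with an anchored variant. The group names are invented. The constructs in the pattern (\b, \w, a non-capturing group, ^) behave the same in Python's re module as in .NET-style engines, so the result should carry over; the expression builder in the portal remains the authoritative check.

```python
import re

# Constructed sample of Entra ID security-group display names (not from the
# original post); the names are invented to probe the filter's edge cases.
SAMPLE_GROUPS = [
    "DEV_MyLOBApp1",
    "TST_MyLOBApp1",
    "PRD_MyLOBApp1",
    "Archive-DEV_OldApp",   # prefix mid-name after a hyphen (a non-word char)
    "Legacy_DEV_Admins",    # prefix mid-name after an underscore (a word char)
    "DEV_",                 # prefix with nothing after it
    "M365_Marketing",
]

# The pattern from the post, and an anchored variant that only accepts the
# prefix at the very start of the display name.
POST_PATTERN = r"\b(?:DEV_|TST_|PRD_)\w+\b"
ANCHORED_PATTERN = r"^(?:DEV_|TST_|PRD_)\w+\b"


def in_scope(display_names, pattern):
    """Return the display names a REGEX MATCH scoping filter would keep.

    re.search mirrors an unanchored regex match: the pattern may occur
    anywhere in the attribute value unless the pattern itself anchors it.
    """
    rx = re.compile(pattern)
    return [name for name in display_names if rx.search(name)]


def scope_diff(display_names):
    """Names the post's pattern provisions that the anchored one would not."""
    loose = set(in_scope(display_names, POST_PATTERN))
    strict = set(in_scope(display_names, ANCHORED_PATTERN))
    return sorted(loose - strict)


if __name__ == "__main__":
    print("post pattern    :", in_scope(SAMPLE_GROUPS, POST_PATTERN))
    print("anchored pattern:", in_scope(SAMPLE_GROUPS, ANCHORED_PATTERN))
    print("over-scoped     :", scope_diff(SAMPLE_GROUPS))
```

'Archive-DEV_OldApp' is provisioned by the post's pattern because the hyphen before DEV_ creates a word boundary; 'Legacy_DEV_Admins' is not, because the underscore is itself a word character and no boundary exists there. If the naming convention means "starts with", anchor the value with ^ so that an unrelated group cannot pull itself into scope by carrying the token somewhere in its name.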

You can add more filters and combine them with AND / OR statements, for example to make exclusions.

When you have finished your filter set, you have defined which groups will be synced to the on-premises AD. Now let's see how we can modify the sync itself.


Attribute Mappings

You can use attribute mappings to modify the values of the group during the sync; they are comparable to Entra Connect synchronization rules. There are a few default mappings that affect the canonical name, the description, and the display name of the synced group. They help you avoid conflicts and unsupported values.

An exemplary default mapping for explanation:

The mapping type is Expression, which means you use an expression to compute the value of the provisioned attribute. The other mapping types are Constant, which sets a static value, Direct, which copies the source attribute's value to the target attribute unchanged, and None.

The default value is used if the attribute has no value in the source.

'Apply this mapping' defines whether the mapping is applied only when the object is first created or on every sync.

The Microsoft documentation provides more details on the different choices. It is written for the user part of Entra Cloud Sync, but applies equally to group handling: Attribute mapping in Microsoft Entra Cloud Sync - Microsoft Entra ID | Microsoft Learn

Now we want to add a custom mapping that defines the organizational unit (OU) in which the provisioned group should be created. Sure, you can easily sync all groups to one statically defined OU without this customization. But in real life you often need to place the authorization groups you use on-premises in specific OUs. Reasons could be a better overview, organizational assignments, or predefined LDAP paths that your apps rely on.

To define a dynamic OU assignment for the provisioned group, create a new custom attribute mapping like this:

This example contains the expression:

Switch(Left(Trim([description]), 3), "OU=WriteBackOU,DC=jsflab,DC=com", "UC3", "OU=GroupsForUseCase3,OU=WriteBackOU,DC=jsflab,DC=com", "UC5", "OU=GroupsForUseCase5,OU=WriteBackOU,DC=jsflab,DC=com", "UC7", "OU=GroupsForUseCase7,OU=WriteBackOU,DC=jsflab,DC=com")

This expression uses the first three characters of the description attribute to define the target OU. If the description starts with 'UC5', the OU will be 'OU=GroupsForUseCase5,OU=WriteBackOU,DC=jsflab,DC=com', and so on. The second argument of Switch is the default value, so a group whose description does not start with UC3, UC5 or UC7 is not rejected but placed directly in 'OU=WriteBackOU,DC=jsflab,DC=com'. Keep that fall-through in mind when you review where provisioned groups end up.

With this scoping filter and attribute mapping in place, all groups whose display name matches the 'DEV_', 'TST_' or 'PRD_' prefix will be provisioned in the on-premises AD, and their target OU is determined by the value of the description.


Other examples of attribute mapping expressions:

EXAMPLE 1
Expression: Append("OU=",Append(Left(Trim([displayName]), 3), "_BackSynced,OU=WriteBackOU,DC=jsflab,DC=com"))
Test value: [displayName] = DEV_MyLOBApp1
Expression output: OU=DEV_BackSynced,OU=WriteBackOU,DC=jsflab,DC=com
Explanation: The OU name is defined dynamically by the first three characters of the display name.

EXAMPLE 2
Expression: Append(Append("OU=",Word([description],2,": _-")), ",OU=WriteBackOU,DC=jsflab,DC=com")
Test value: [description] = DefinedOU: ManagedByProvider1
Expression output: OU=ManagedByProvider1,OU=WriteBackOU,DC=jsflab,DC=com
Explanation: This expression uses the second word of the description (split on ':', space, '_' and '-') as the name of the OU.
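The Switch expression above and Examples 1 and 2 all compute a parent DN from a free-text attribute, so it pays to dry-run them against your real group inventory before the job creates objects. The following Python script is an added example, not code from the original post or from Microsoft: it ports the expression functions used on this page (Trim, Left, Append, Switch, Word) following their documented behaviour, evaluates the three expressions over constructed groups, and checks each computed DN against a constructed list of OUs that exist in the lab domain. Assumed details are marked in the comments: Switch compares keys exactly, Word counts words from 1 and returns an empty string when the word does not exist, and the target attribute the DN is written to is parentDistinguishedName. The authoritative evaluator remains the expression builder in the portal.

```python
import re

BASE_OU = "OU=WriteBackOU,DC=jsflab,DC=com"


# Python ports of the provisioning expression functions used in the post,
# modelled on their documented behaviour for a local dry run only.
def Trim(s):
    return s.strip()


def Left(s, n):
    return s[:n]


def Append(a, b):
    return a + b


def Switch(source, default, *pairs):
    # Assumption: keys are compared exactly (case-sensitive), default when none match.
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)


def Word(s, number, delimiters):
    # Assumption: words are numbered from 1; out-of-range yields "".
    words = [w for w in re.split("[" + re.escape(delimiters) + "]+", s) if w]
    return words[number - 1] if 0 < number <= len(words) else ""


# The three expressions from the post; each yields a parentDistinguishedName.
def target_ou_switch(description):
    return Switch(Left(Trim(description), 3), BASE_OU,
                  "UC3", "OU=GroupsForUseCase3," + BASE_OU,
                  "UC5", "OU=GroupsForUseCase5," + BASE_OU,
                  "UC7", "OU=GroupsForUseCase7," + BASE_OU)


def target_ou_prefix(display_name):
    return Append("OU=", Append(Left(Trim(display_name), 3), "_BackSynced," + BASE_OU))


def target_ou_word(description):
    return Append(Append("OU=", Word(description, 2, ": _-")), "," + BASE_OU)


# Constructed inventory of OUs that exist below WriteBackOU in the lab domain;
# the provisioning job can only place a group in a container that exists.
EXISTING_OUS = {
    BASE_OU,
    "OU=GroupsForUseCase3," + BASE_OU,
    "OU=GroupsForUseCase5," + BASE_OU,
    "OU=GroupsForUseCase7," + BASE_OU,
    "OU=DEV_BackSynced," + BASE_OU,
    "OU=ManagedByProvider1," + BASE_OU,
}

# Constructed Entra ID security groups (invented names and descriptions).
SAMPLE_GROUPS = [
    {"displayName": "DEV_MyLOBApp1", "description": "UC5 payroll app access"},
    {"displayName": "TST_MyLOBApp2", "description": "  UC7 test tenant  "},
    {"displayName": "PRD_MyLOBApp3", "description": "Owned by team X"},
    {"displayName": "PRD_Vendor1",   "description": "DefinedOU: ManagedByProvider1"},
    {"displayName": "PRD_Rogue",     "description": "DefinedOU: Evil,OU=GroupsForUseCase3"},
]

# Characters with structural meaning in an RDN value (RFC 4514). Word() only
# splits on its delimiters, so a comma or '=' in the description passes
# straight through into the DN that Example 2 builds.
RDN_SPECIAL = re.compile(r'[,+"\\<>;=]')


def check_target(dn):
    """Classify a computed parent DN: the derived OU name must be plain text,
    the container must already exist, and a silent fall-through to the
    default container deserves a warning."""
    if dn != BASE_OU and dn.endswith("," + BASE_OU):
        rdn_value = dn[len("OU="):-len("," + BASE_OU)]
        if RDN_SPECIAL.search(rdn_value):
            return "reject: DN-special character in derived OU name"
    if dn not in EXISTING_OUS:
        return "fail: target OU does not exist"
    if dn == BASE_OU:
        return "warn: fell through to the default OU"
    return "ok"


def dry_run(groups, mapper, attribute):
    """Return (displayName, computed parent DN, verdict) for every group."""
    report = []
    for g in groups:
        dn = mapper(g[attribute])
        report.append((g["displayName"], dn, check_target(dn)))
    return report


if __name__ == "__main__":
    for label, mapper, attr in [("Switch on description", target_ou_switch, "description"),
                                ("prefix of displayName", target_ou_prefix, "displayName"),
                                ("second word of description", target_ou_word, "description")]:
        print("==", label)
        for row in dry_run(SAMPLE_GROUPS, mapper, attr):
            print("  %-14s %-58s %s" % row)
```

Two things the dry run makes visible. First, a Switch with a fixed set of output values can only ever produce OUs you wrote into the expression; the worst case is the fall-through to the default OU, which the report flags. Second, an expression that concatenates part of a free-text attribute into the DN (Example 2) hands control over the group's placement to whoever can edit that attribute in Entra ID, so restrict who can edit descriptions of in-scope groups and keep the target OU tree small and dedicated, as the post does with WriteBackOU.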


All expressions you can use are described here: Reference for writing expressions for attribute mappings in Microsoft Entra Application Provisioning - Microsoft Entra ID | Microsoft Learn

I used simple mappings based on one attribute, but you can see that expressions can become very complex. They are hard to write because there are not many examples and guides available. I'm happy that Microsoft provides an expression builder. I did not use it to build the expressions, but to validate and debug them.


So, you are able to provision and sync groups back from Entra ID to the on-premises AD. The scenarios this preview can handle are limited. You definitely need solid naming and group deployment processes and policies in place to be able to use group scoping and attribute mapping. I'm excited to see how the features will be expanded. The possibility to use Graph schema extensions for scoping and mapping would be great for solving more complex requirements.

To learn more about group provisioning with Entra Cloud Sync, start here: Provision groups to Active Directory using Microsoft Entra Cloud Sync - Microsoft Entra ID | Microsoft Learn
