SOLVED – Disabling Azure AD Group writeback doesn’t delete groups on prem
Even after disabling group writeback from Azure AD in the Azure AD Connect app, you still have 396 Azure AD groups in your on-prem AD. What should you do in such a situation?
Disabling Azure AD group writeback, as set up by a previous admin, does not by itself solve the problem described above. When you disable writeback in the AD Connect app, it only deletes the groups in your local AD that were synced from Azure AD to local AD; the original groups in Azure stay unchanged, and no group that was originally created in local AD is deleted.
SOLUTION
The Azure AD Connect (AADSync) connector account doesn't have the inherited permissions it needs to remove the synced groups from the OU. Verify this and re-apply the permissions if necessary:
# DN of the AD Connect connector account (the MSOL_ account); placeholder, replace with your own
$AzureADConnectSWritebackAccountDN = "<MSOL_account_DN>"
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
# To grant <MSOL_account> permission to all domains in the forest:
Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN $AzureADConnectSWritebackAccountDN
# To grant <MSOL_account> permission to a specific OU (e.g. the OU chosen for writing back Office 365 groups):
$GroupWritebackOU = "<GroupWriteback_OU_DN>"   # placeholder, replace with your own
Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN $AzureADConnectSWritebackAccountDN -ADObjectDN $GroupWritebackOU
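One way to carry out the "verify this" step before re-applying permissions, as an added example that is not code from the original post or from Microsoft: it lists the access control entries the connector account holds on the writeback OU and flags whether any of them grant create/delete rights that propagate to child objects. It assumes the ActiveDirectory RSAT module is installed; the account and OU DNs are placeholders.

```powershell
# Added example: inspect the writeback OU's ACL for the AD Connect connector (MSOL_*) account.
# Assumes the ActiveDirectory module (RSAT). DNs passed in below are placeholders.
Import-Module ActiveDirectory

function Get-WritebackAccountAces {
    param(
        [Parameter(Mandatory)][string]$AccountDN,   # DN of the MSOL_ connector account
        [Parameter(Mandatory)][string]$OUDN         # DN of the group writeback OU
    )
    # ACEs name the trustee as DOMAIN\sAMAccountName, so resolve the DN to that form
    $account  = Get-ADObject -Identity $AccountDN -Properties sAMAccountName
    $domain   = (Get-ADDomain).NetBIOSName
    $identity = "$domain\$($account.sAMAccountName)"

    $acl = Get-Acl -Path "AD:\$OUDN"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $identity) { continue }
        [pscustomobject]@{
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            IsInherited = $ace.IsInherited          # came from a parent container?
            Inheritance = $ace.InheritanceType      # 'None' = applies to the OU object only
            ObjectType  = $ace.ObjectType           # class/attribute GUID, all zeros = any
        }
    }
}

# Placeholders: replace with the real connector account and writeback OU DNs
$accountDn = 'CN=MSOL_placeholder,CN=Users,DC=example,DC=local'
$ouDn      = 'OU=GroupWriteback,DC=example,DC=local'

$aces = @(Get-WritebackAccountAces -AccountDN $accountDn -OUDN $ouDn)
$aces | Format-Table -AutoSize

# Deleting synced groups needs create/delete rights that reach the child objects, not just the OU itself
$propagating = $aces | Where-Object {
    $_.Type -eq 'Allow' -and
    $_.Rights -match 'CreateChild|DeleteChild|GenericAll' -and
    $_.Inheritance -ne 'None'
}
if (-not $propagating) {
    Write-Warning "Connector account has no propagating create/delete rights on $ouDn; re-run Set-ADSyncUnifiedGroupWritebackPermissions"
}
```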
We hope the solutions in the above-mentioned article were helpful. Feel free to share your views with us.