# AZ\_GROUP\_WRITEBACK

## Summary

|                               |                      |
| ----------------------------- | -------------------- |
| **FSProtect ACL Alias**       | AZ\_GROUP\_WRITEBACK |
| **Entra ID (Azure AD) Alias** | Group writeback      |
| **Affected Object Types**     | AZ Group, Group      |
| **Exploitation Certainty**    | Certain              |

## Description

`AZ_GROUP_WRITEBACK` indicates that **group writeback is enabled** in a hybrid environment.

With group writeback, selected **Microsoft Entra ID groups** (commonly **security groups**) are **provisioned into on-premises AD DS** so they can be used by on-prem applications and access control systems.

Written-back groups can be linked back to their cloud originals through attributes such as `adminDescription`, whose value typically takes the form `Group_<GUID>`.

Security impact:

* This edge creates a **cloud → on-prem authorization control path**.

## Identification

### PowerShell (on-prem AD)

Identify written-back groups by searching for `AdminDescription`:

```powershell
Import-Module ActiveDirectory
Get-ADGroup -LDAPFilter "(AdminDescription=*)" -Properties AdminDescription | Select-Object Name, DistinguishedName, AdminDescription
```

### PowerShell (Microsoft Graph)

If the tenant exposes synchronization feature flags, use them as a supplementary signal:

```powershell
Connect-MgGraph -Scopes "Directory.Read.All","OnPremDirectorySynchronization.Read.All"
$sync = Get-MgDirectoryOnPremiseSynchronization
$sync.Features | Format-List
```

Important interpretation note:

* `GroupWriteBackEnabled` is the **legacy** flag.
* `UnifiedGroupWritebackEnabled` is the **current** flag to trust.

## Exploitation

`AZ_GROUP_WRITEBACK` is **not** an exploit by itself.

It becomes dangerous when combined with group control:

* If a principal has [`AZ_ADD_MEMBERS`](https://docs.forestall.io/fsprotect/edges/azure/az_add_members) on a cloud group that is written back, added members are effectively granted membership in the **corresponding on-prem AD group**. If that AD group is trusted for permissions, this forms a direct attack path.

## Mitigation

* Only enable group writeback when there is a concrete business requirement.
* Write back into a **dedicated OU** with tightly controlled ACLs.
* Do not use written-back groups for highly privileged on-prem roles (Domain Admin paths, sensitive local admin groups, privileged delegation).
* Strictly control who can manage in-scope Entra groups (owners, membership managers, and Graph permissions) and review regularly.
* Review who can change membership of written-back groups (see [`AZ_ADD_MEMBERS`](https://docs.forestall.io/fsprotect/edges/azure/az_add_members)) and reduce this set to the minimum.

## Detection

### Azure

See [`AZ_ADD_MEMBERS`](https://docs.forestall.io/fsprotect/edges/azure/az_add_members). Monitor Microsoft Entra **Audit logs** for group membership changes affecting written-back groups.

### Active Directory

See [`AddMember`](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/AD/AddMember/README.md). Monitor on-prem AD **Security** logs (Security Group Management) for membership change events on the written-back group objects.
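The following script is an added example, not part of the FSProtect knowledge base, that ties the Identification and Detection sections together: it builds the set of written-back groups from `AdminDescription` (assuming the `Group_<GUID>` marker described above) and then filters on-prem Security Group Management events (4728/4732/4756, "member added") down to those that touch a written-back group. The one-day review window and the GUID regex are assumptions.

```powershell
# Added example (not FSProtect's own tooling): flag on-prem security-group
# membership changes that land on written-back groups, i.e. groups whose
# AdminDescription carries the Group_<GUID> marker.
Import-Module ActiveDirectory

# 1. Lookup of written-back groups keyed by sAMAccountName, keeping the cloud
#    object id parsed out of AdminDescription for later Entra audit-log correlation.
$writtenBack = @{}
Get-ADGroup -LDAPFilter "(AdminDescription=Group_*)" -Properties AdminDescription |
    ForEach-Object {
        $cloudId = $null   # assumption: marker is Group_ followed by a 36-char GUID
        if ($_.AdminDescription -match '^Group_([0-9a-fA-F-]{36})$') { $cloudId = $Matches[1] }
        $writtenBack[$_.SamAccountName] = [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            CloudObjectId     = $cloudId
        }
    }

# 2. "Member added" events from Audit Security Group Management:
#    4728 = global, 4732 = local, 4756 = universal security group.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddDays(-1)   # assumption: daily review window
} -ErrorAction SilentlyContinue

# 3. Keep only events whose target group is in the written-back set.
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($writtenBack.ContainsKey($d.TargetUserName)) {
        [pscustomobject]@{
            Time          = $e.TimeCreated
            EventId       = $e.Id
            Group         = $d.TargetUserName
            CloudObjectId = $writtenBack[$d.TargetUserName].CloudObjectId
            Member        = $d.MemberName
            ChangedBy     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize
```

Because the on-prem change is applied by the synchronization service, `ChangedBy` will normally be the sync account rather than the person who changed the cloud group; use `CloudObjectId` to pivot into the Entra Audit logs for the actual actor.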

## References

* <https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/migrate-group-writeback>
* <https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-syncservice-features>
* <https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs>
* <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management>
