AZ_GROUP_WRITEBACK
Summary
FSProtect ACL Alias: AZ_GROUP_WRITEBACK
Entra ID (Azure AD) Alias: Group writeback
Affected Object Types: AZ Group, Group
Exploitation Certainty: Certain
Description
AZ_GROUP_WRITEBACK represents that group writeback is enabled in a hybrid environment.
With group writeback, selected Microsoft Entra ID groups (commonly security groups) are provisioned into on-premises AD DS so they can be used by on-prem applications and access control systems.
Written-back groups can be linked to their cloud originals using attributes such as adminDescription (for example values like Group_<GUID>).
Security impact:
This edge creates a cloud → on-prem authorization control path.
Identification
PowerShell (on-prem AD)
Identify written-back groups by searching for AdminDescription:
PowerShell (Microsoft Graph)
If the tenant exposes synchronization feature flags, use them as a supplementary signal:
Important interpretation note:
GroupWriteBackEnabled is the legacy flag. UnifiedGroupWritebackEnabled is the current flag to trust.
Exploitation
AZ_GROUP_WRITEBACK is not an exploit by itself.
It becomes dangerous when combined with group control:
If a principal has AZ_ADD_MEMBERS on a cloud group that is written back, added members are effectively granted membership in the corresponding on-prem AD group. If that AD group is trusted for permissions, this forms a direct attack path.
Mitigation
Only enable group writeback when there is a concrete business requirement.
Write back into a dedicated OU with tightly controlled ACLs.
Do not use written-back groups for highly privileged on-prem roles (Domain Admin paths, sensitive local admin groups, privileged delegation).
Strictly control who can manage in-scope Entra groups (owners, membership managers, and Graph permissions) and review regularly.
Review who can change membership of written-back groups (see AZ_ADD_MEMBERS) and reduce this set to the minimum.
Detection
Azure
See AZ_ADD_MEMBERS. Monitor Microsoft Entra Audit logs for group membership changes affecting written-back groups.
Active Directory
See AddMember. Monitor on-prem AD Security logs (Security Group Management) for membership change events on the written-back group objects.
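As an added example that is not part of the FSProtect page, the following PowerShell ties the Identification step (searching on-prem AD for the AdminDescription marker) to the Active Directory detection above: it enumerates written-back groups and then filters Security Group Management events down to member additions on exactly those groups. It assumes the RSAT ActiveDirectory module, the Group_<GUID> adminDescription convention described on the page, and an optional -SearchBase placeholder for the dedicated writeback OU.

```powershell
# Added example, not from the FSProtect page: enumerate written-back groups in on-prem AD
# and flag recent membership-add events against them.
# Assumptions: RSAT ActiveDirectory module; written-back groups carry adminDescription
# Group_<GUID> (as the page describes); -SearchBase is a placeholder for the writeback OU.
Import-Module ActiveDirectory

function Get-WrittenBackGroup {
    param([string]$SearchBase)
    $query = @{
        LDAPFilter = '(&(objectClass=group)(adminDescription=Group_*))'
        Properties = 'adminDescription', 'member', 'whenChanged'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADGroup @query | ForEach-Object {
        [pscustomobject]@{
            Name         = $_.Name
            SID          = $_.SID.Value
            CloudGroupId = $_.adminDescription -replace '^Group_', ''   # Entra object id
            MemberCount  = @($_.member).Count
            WhenChanged  = $_.whenChanged
        }
    }
}

# Security Group Management events: 4728 / 4732 / 4756 = member added to a
# global / domain-local / universal security group. Matching on TargetSid avoids
# name collisions between written-back and native groups.
function Get-WrittenBackGroupMemberAdds {
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Hours = 24)
    $watched = @{}
    Get-WrittenBackGroup | ForEach-Object { $watched[$_.SID] = $_ }
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($watched.ContainsKey($data['TargetSid'])) {
                [pscustomobject]@{
                    Time         = $_.TimeCreated
                    EventId      = $_.Id
                    Group        = $data['TargetUserName']
                    CloudGroupId = $watched[$data['TargetSid']].CloudGroupId
                    Member       = $data['MemberName']      # DN of the added principal
                    Actor        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                }
            }
        }
}
Get-WrittenBackGroup | Format-Table -AutoSize
Get-WrittenBackGroupMemberAdds -Hours 24 | Format-Table -AutoSize
```

Membership changes applied by the writeback itself show the connector service account as the on-prem actor, so use the CloudGroupId column to correlate each hit with the Microsoft Entra audit log and find who changed the cloud group.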
References
https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/migrate-group-writeback
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-syncservice-features
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management