Entra ID Source of Authority: fix your AD group ownership before it breaks governance
Season 1
Published 5 months, 4 weeks ago
Description
Source of Authority in Entra ID: in this episode of M365.fm, Mirko Peters explains why your Active Directory groups are not the reliable truth you think they are—and how the Source of Authority flag decides whether AD or Entra ID really runs your identity show. He starts with the “comfortable lie” that synchronized AD groups remain sacred in the cloud, walking through how they actually become zombie objects in Entra: visible but read‑only, blocking modern governance, access reviews, and automation while everyone still pretends on‑prem is in charge.
Mirko traces how we got here: AD once ruled everything on‑prem, then Entra ID (Azure AD) arrived as a polite mirror, reflecting groups upward without ever owning them. Each object carries its own Source of Authority—born in AD, governed by AD; born in Entra, governed by Entra—and most organizations never revisit that split even as their workloads move almost entirely to the cloud. The result is a split‑brain identity system where modern tools like dynamic groups, access reviews, and conditional access are forced to tiptoe around gray, AD‑managed groups that cannot be changed in Entra at all.
He then introduces Entra ID as the new center of gravity and Group Writeback as the critical bridge. With Entra Cloud Sync, cloud‑native security groups can be written back to AD so legacy file servers and apps still recognize them, reversing the old one‑way flow. That capability unlocks the ability to flip Source of Authority for key groups—from AD‑managed to cloud‑managed—without abandoning on‑prem needs. Mirko explains the prerequisites (Entra ID P1, Cloud Sync, universal security groups) and why Exchange‑managed distribution lists remain their own, separate world.
The episode dives into why Source of Authority matters for operations and compliance. As long as AD owns your groups, every change requires domain controller access, legacy tooling, and slow tickets; Entra cannot enforce modern identity governance patterns or provide clean audit trails. Once groups become cloud‑managed, you can use dynamic rules, HR‑driven provisioning, access reviews, entitlement management, and consistent conditional access policies—finally matching where users and workloads actually live. Mirko highlights how this shift reduces manual group maintenance, closes audit gaps, and makes hybrid identity behave like one system instead of two stubborn kingdoms.
You also get a practical migration approach. Mirko recommends starting with business‑critical security groups—those controlling app access, data, and administrative roles—assessing their current Source of Authority, and planning conversions in phases. With Group Writeback providing on‑prem echoes, you can move ownership north to Entra for those groups, keep legacy apps working, and gradually retire AD’s control layer. Along the way, he stresses documentation, communication with security and compliance, and clear roll‑back options so the revolution feels like controlled modernization rather than identity chaos.
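The assessment step above, as an added example that is not from the episode or from Microsoft: a small Python pass that buckets group records shaped like Microsoft Graph group objects (properties `onPremisesSyncEnabled`, `securityEnabled`, `mailEnabled`, `groupTypes`) into AD-managed conversion candidates, cloud-managed writeback candidates, and Exchange-managed groups that stay out of scope. The sample records are constructed, not real tenant data.

```python
# Added example: classify Entra ID group records by Source of Authority
# ahead of a phased conversion. Property names follow Microsoft Graph
# group objects; the records below are constructed sample data.
from typing import Iterable

SAMPLE_GROUPS = [  # constructed sample data, not a real tenant
    {"displayName": "FS-Finance-RW", "onPremisesSyncEnabled": True,
     "securityEnabled": True, "mailEnabled": False, "groupTypes": []},
    {"displayName": "App-ERP-Admins", "onPremisesSyncEnabled": True,
     "securityEnabled": True, "mailEnabled": False, "groupTypes": []},
    {"displayName": "DL-All-Staff", "onPremisesSyncEnabled": True,
     "securityEnabled": False, "mailEnabled": True, "groupTypes": []},
    {"displayName": "Cloud-Sales-Dynamic", "onPremisesSyncEnabled": None,
     "securityEnabled": True, "mailEnabled": False,
     "groupTypes": ["DynamicMembership"]},
    {"displayName": "Project-Teams", "onPremisesSyncEnabled": None,
     "securityEnabled": False, "mailEnabled": True, "groupTypes": ["Unified"]},
]


def classify(group: dict) -> str:
    """Return which system governs the group and whether it is in scope."""
    ad_owned = bool(group.get("onPremisesSyncEnabled"))  # None/False = cloud-born
    security = bool(group.get("securityEnabled"))
    mail = bool(group.get("mailEnabled"))
    if mail:
        # Distribution lists, mail-enabled security groups and M365 groups
        # live in Exchange's world; not a Source-of-Authority conversion target.
        return "exchange-managed"
    if ad_owned and security:
        return "ad-managed"      # read-only in Entra; conversion candidate
    if security:
        return "cloud-managed"   # already governed by Entra; writeback candidate
    return "other"


def assess(groups: Iterable[dict]) -> dict:
    """Bucket group display names by classification for the phased plan."""
    report: dict[str, list[str]] = {}
    for g in groups:
        report.setdefault(classify(g), []).append(g["displayName"])
    return report


if __name__ == "__main__":
    for bucket, names in assess(SAMPLE_GROUPS).items():
        print(f"{bucket:17} {', '.join(names)}")
```

Feed it the `value` array of a paged `GET /groups` response to produce the same buckets for a real tenant; the "ad-managed" bucket is the list to prioritise against the business-critical groups named above.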
WHAT YOU WILL LEARN
- What Source of Authority really is and how it splits control between AD and Entra ID.
- Why synchronized AD groups become “zombie groups” in Entra—visible but blocked from modern governance.
- How Entra Cloud Sync and Group Writeback let cloud‑managed groups safely appear on‑prem again.
- Why moving group authority to Entra unlocks dynamic groups, access reviews, and cleaner audit trails.
- How to plan a phased Source‑of‑Authority migration without breaking hybrid apps or file server access.
Your AD groups are not sacred—they’re stale. Until you flip Source of Authority for the groups that matter and let Entra ID govern them, you will keep pretending on‑prem is in charge while your real security, automation, and compliance live in the cloud with their hands tied.
WHO THIS EPISODE IS FOR
This epi