M365.FM - Modern work, security, and productivity with Microsoft 365

Your AD Groups Are A Lie: Fix Source of Authority NOW


Opening: AD Groups Are a Comfortable Lie

Most admins believe their Active Directory groups are sacred, perfectly representing some universal truth about who belongs where. They’re not. They’re fossils—meticulously conserved, synchronized into Entra, and paraded around as if they still rule the kingdom. Meanwhile, the cloud laughs quietly in OAuth. These on‑prem lords cling to their domain controllers like medieval nobles refusing to abdicate even as the world runs on APIs and access reviews.

Here’s the uncomfortable fact: “Source of Authority,” or SOA, doesn’t mean “where a group happened to be born.” It means who actually governs its existence right now—Active Directory or Entra ID. The difference controls everything from whether you can edit a membership list to whether HR provisioning can actually complete without manual interventions that should’ve died with Windows Server 2008 R2.

Modern identity isn’t about replication; it’s about responsiveness. Yet most organizations still treat Active Directory as scripture. Every group synchronized northward becomes a zombie—visible in Entra but lifeless, grayed out, obeying distant LDAP priests.

And that rigidity costs you. Workflow automation breaks, access governance stalls, and any illusion of agility collapses the second a property field says “read‑only because controlled by on‑premises.”

By the end of this episode, you’ll know when to flip that Source‑of‑Authority switch and how to do it without setting your hybrid environment on fire. Let’s expose the lie and start liberating your groups from their aging monarch.

Section 1: How We Got Here—The Myth of Active Directory Sovereignty

Once upon a time, there was no argument: Active Directory was the sovereign ruler of identity. Users, computers, and groups existed only inside its limestone towers—domain controllers humming with authority. It was the single source of truth for everything that mattered, and for years that simplicity felt divine.

Then came the cloud, and Microsoft was polite enough to invite AD’s relics to visit. The result was synchronization—objects mirrored upward into Azure Active Directory, now known as Entra ID. But while Entra displayed those objects, it never owned them. Think of it as a constitutional monarchy where the royal decrees still came from on‑prem and Entra merely broadcast them. The result? A system where the local crown keeps issuing laws, but the new parliament can’t amend them.

You could see the hierarchy right in the interface. Cloud consoles filled with gray fields—unchangeable memberships, locked roles, and governance tools refusing to launch because the Source of Authority said “Active Directory.” To alter anything meaningful, you descended back into the dark ages of MMC snap‑ins and PowerShell sessions pointed at domain controllers. All because AD refused to relinquish its scepter.

Here’s the key correction most admins miss: Source of Authority isn’t a global toggle; it’s per object. Each group, each user, carries its own little flag defining who commands it. Create something on‑prem, and AD claims dominion. Create it in Entra, and the cloud presides. For decades, that boundary was impermeable—the tributaries all flowed north; no river ever returned. Cloud admins could observe but never decree.

When hybrid was new, that made sense. The kingdom’s economy still depended on local servers, Exchange clusters, and policies that only AD understood. But as workloads migrated, the crown’s laws grew obsolete, and the parliament in Entra gained better governance, automation, and intelligence. Microsoft didn’t abolish the monarchy; it built a representative government beside it. OAuth and OpenID became the new diplomatic language, while AD kept mumbling about Kerberos tickets and functional levels.

The tragedy is inertia. Many organizations still behave as if AD’s judgment is absolute, even while their infrastructure lives in the cloud. They tolerate gray menus and blocked automation scripts instead of acknowledging that control has moved. It’s not rebellion to flip the Source of Authority—it’s formal recognition of the reality that your users already live in Entra.

So picture it like this: AD sits on an aging throne of LDAP attributes, insisting it still commands the empire. Entra, the modern parliament, drafts new laws that actually affect how people work—dynamic memberships, self‑service, automated access reviews. The difference is legitimacy versus function. One clings to titles; the other governs the real world.

And that’s where we are now: caught between loyalty to tradition and the efficiency of democracy. Most of your groups are still listed as AD‑managed, not because it’s right, but because no one’s dared challenge the throne. The next step is understanding that the revolution already succeeded—the crown just hasn’t read its own decommission notice yet.

Section 2: Enter Entra ID—When the Cloud Grew a Spine

Enter Entra ID—the moment Microsoft’s cloud finally developed a backbone. Yes, it is Azure AD under a new name, but the platform underneath has grown up. It speaks fluent OAuth, OIDC, and SAML—languages of global citizenship, not provincial LDAP dialects. Where AD still thinks inside the walls of a domain, Entra assumes borderless connectivity. The internet is its forest; the directory is a species, not a fortress.

You can feel the cultural shift the second you touch Entra’s tooling. Dynamic group membership replaces manual drudgery. Instead of some admin babysitting security groups, you write a rule such as user.department -eq "Finance", and membership adjusts automatically as the attribute changes. It’s identity Darwinism: evolve or disappear. Then there’s self‑service group creation—delegated autonomy without chaos. Users can form working circles for projects, Power BI access, or internal collaboration, and governance keeps it clean.

And governance is where Entra flexes hardest. Access reviews, entitlement management, privileges that expire on schedule rather than haunting the domain forever. All of it managed under unified policy intelligence that AD could never dream of. AD was a filing cabinet; Entra is a living workflow engine connected to your HR system, Teams, and Defender policies.

Compare that to Active Directory’s ritualized administrivia. Group creation by ticket. Membership change by prayer. No dynamic logic, audit trails buried in Security event logs that nobody forwards, and compliance auditors forced to decipher exports like archeologists brushing dust off CSVs. AD is rooted in a world where automation meant batch scripts and documentation lived in someone’s My Documents folder.

The identity‑locality mismatch is now absurd. Most of your workloads float in the cloud—Exchange Online, SharePoint, Power BI, Dynamics 365—yet every group membership decision still orbits a rack‑mounted controller in a basement. That’s like trying to manage your global logistics empire through a notepad left on your childhood desk.

Entra doesn’t just host identities; it contextualizes them. You can assign Conditional Access, integrate with Power Automate, or feed Microsoft Sentinel—all in near real time. This isn’t replication; it’s orchestration.

But, of course, the modern world still needs to talk to the ancestral one. Enter group writeback—the diplomatic solution that keeps peace with legacy systems. When configured through Entra Cloud Sync, cloud‑authored groups can materialize on‑prem, ensuring your aging file servers and applications can still validate access without rewriting history.

This bridge does come with fine print. You need Microsoft Entra ID P1 or higher; you need Cloud Sync rather than the legacy Connect Sync engine, whose group writeback feature is retired; and the groups must be cloud‑created, non‑mail‑enabled security groups, which land in AD as universal security groups. Distribution lists and mail‑enabled security groups stay governed by Exchange because messaging still plays by its own rules. In other words, Entra can send emissaries to AD, but only if those emissaries aren’t carrying mail.

And yet, even with those constraints, group writeback is monumental. It’s the first treaty between the old monarchy and the new parliament—a controlled backchannel for coexistence. It ensures you can operate in dual worlds without splitting your identity map. And once that treaty is signed, there’s no excuse for continuing to let AD write every law. The bridge exists; it’s time to move the population north.

That’s where Source of Authority conversion enters. With group writeback providing the safety net, the next step is evacuation—declaring Entra as the governing body for groups that actually matter in the modern ecosystem. Because authority shouldn’t live where workloads no longer do.

Section 3: Why Source of Authority Matters—And Why Yours Is Wrong

The Source of Authority flag, exposed in Microsoft Graph as the isCloudManaged property on a group’s onPremisesSyncBehavior, is not just an attribute. It’s a liberation memo. Set it to true, and you’re effectively telling Active Directory, “You’ve served your purpose; stand down.” It’s the emancipation proclamation for your groups. It is also per group, so the flip is a planned migration step for each object, not a tenant‑wide switch.

So what happens when you don’t flip it? Symptoms appear everywhere. Gray fields that refuse editing. Self‑service options eternally disabled. HR provisioning pipelines stalled because changes have to trickle through an obsolete synchronization chain. Every time a user moves departments or a job title changes, you end up hand‑patching membership in AD instead of letting logic do the work.

The ripple effects spread. Exchange mail‑enabled objects remain trapped in their legacy’s gravitational well, dependent on outdated APIs. Security groups, meanwhile, become automation dead zones: any Graph call that tries to change their membership is refused because the object is read‑only in the cloud, so provisioning logic and policy assignments that depend on it stall. It’s death by governance backlog.

The compliance problem is even uglier. Fragmented attribute ownership means no one can prove who changed what and where. Half your identity data is born in Entra, but AD still files the birth certificates, and you can’t submit those to auditors because they’ve been replicated three times along the way. It’s like trying to balance your books when each department keeps its own secret ledger.

Treating AD as your ongoing truth source is institut
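The flip described in Section 3, as an added example that is not part of the episode: a PowerShell script that runs the pre‑flight checks a practitioner would want and then sets isCloudManaged on one synced security group through Microsoft Graph. It assumes the Microsoft.Graph PowerShell SDK is installed, that the beta Graph endpoint exposes groups/{id}/onPremisesSyncBehavior, and that the signed‑in account holds the Group-OnPremisesSyncBehavior.ReadWrite.All permission; the group ID is a placeholder.

```powershell
# Added example, not code from the episode. Converts the Source of Authority of a single
# AD-synced security group to Entra ID by setting isCloudManaged = true on its
# onPremisesSyncBehavior resource (Microsoft Graph beta endpoint assumed).
# Assumptions: Microsoft.Graph SDK installed; caller granted
# Group-OnPremisesSyncBehavior.ReadWrite.All; $GroupId below is a placeholder object ID.

$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: the synced group to convert
$SoaUri  = "https://graph.microsoft.com/beta/groups/$GroupId/onPremisesSyncBehavior"

Connect-MgGraph -Scopes 'Group.Read.All', 'Group-OnPremisesSyncBehavior.ReadWrite.All' -NoWelcome

# Pull only the properties needed for the eligibility checks.
$g = Get-MgGroup -GroupId $GroupId -Property `
    id, displayName, securityEnabled, mailEnabled, groupTypes, onPremisesSyncEnabled, onPremisesSecurityIdentifier

# Pre-flight: the episode's fine print in code form. Only a non-mail-enabled,
# AD-sourced security group is a sane candidate for cloud governance.
if (-not $g.OnPremisesSyncEnabled) { throw "$($g.DisplayName): not synced from AD; nothing to flip." }
if ($g.MailEnabled)                { throw "$($g.DisplayName): mail-enabled; Exchange keeps governing it. Leave it in AD." }
if (-not $g.SecurityEnabled)       { throw "$($g.DisplayName): not a security group; out of scope for this script." }

# Record the current state so the change is auditable (the flag is per object, not per tenant).
$before = Invoke-MgGraphRequest -Method GET -Uri $SoaUri
Write-Host "Before: $($g.DisplayName) isCloudManaged = $($before.isCloudManaged) (SID $($g.OnPremisesSecurityIdentifier))"

if ($before.isCloudManaged -eq $true) {
    Write-Host 'Already cloud-managed; nothing to do.'
    return
}

# Manual gate: this changes who governs the group from the next sync cycle onward.
$answer = Read-Host "Flip Source of Authority for '$($g.DisplayName)' to Entra ID? (yes/no)"
if ($answer -ne 'yes') { Write-Host 'Aborted.'; return }

# The actual flip. After this, changes made to the group in AD no longer flow up;
# the object in Entra becomes editable from the cloud side.
Invoke-MgGraphRequest -Method PATCH -Uri $SoaUri `
    -ContentType 'application/json' `
    -Body @{ isCloudManaged = $true }

# Verify by reading the flag back rather than trusting the PATCH response.
$after = Invoke-MgGraphRequest -Method GET -Uri $SoaUri
if ($after.isCloudManaged -ne $true) { throw 'Conversion did not take effect; check sync client version and permissions.' }
Write-Host "After:  $($g.DisplayName) isCloudManaged = $($after.isCloudManaged)"

# To roll back, the same PATCH with isCloudManaged = $false is the documented path;
# confirm the current guidance in Microsoft's docs before relying on it in production.
```

Run it once per group, from an account that is not a break‑glass identity, and keep the "Before" line in your change record: it captures the on‑prem SID you will need if the group must later be provisioned back to AD through Cloud Sync group writeback.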


If this clashes with how you’ve seen it play out, I’m always curious. I use LinkedIn for the back-and-forth.

M365.FM - Modern work, security, and productivity with Microsoft 365By Mirko Peters (Microsoft 365 consultant and trainer)