M365 Show with Mirko Peters - Microsoft 365 Digital Workplace Daily

Your AD Groups Are A Lie: Fix Source of Authority NOW



Opening: AD Groups Are a Comfortable Lie

Most admins believe their Active Directory groups are sacred, perfectly representing some universal truth about who belongs where. They’re not. They’re fossils—meticulously conserved, synchronized into Entra, and paraded around as if they still rule the kingdom. Meanwhile, the cloud laughs quietly in OAuth. These on‑prem lords cling to their domain controllers like medieval nobles refusing to abdicate even as the world runs on APIs and access reviews.

Here’s the uncomfortable fact: “Source of Authority,” or SOA, doesn’t mean “where a group happened to be born.” It means who actually governs its existence right now—Active Directory or Entra ID. The difference controls everything from whether you can edit a membership list to whether HR provisioning can actually complete without manual interventions that should’ve died with Windows Server 2008 R2.

Modern identity isn’t about replication; it’s about responsiveness. Yet, most organizations still treat Active Directory as scripture. Every group synchronized northward becomes a zombie—visible in Entra but lifeless, grayed out, obeying distant LDAP priests.

And that rigidity costs you. Workflow automation breaks, access governance stalls, and any illusion of agility collapses the second a property field says “read‑only because controlled by on‑premises.”

By the end of this episode, you’ll know when to flip that Source‑of‑Authority switch and how to do it without setting your hybrid environment on fire. Let’s expose the lie and start liberating your groups from their aging monarch.

Section 1: How We Got Here—The Myth of Active Directory Sovereignty

Once upon a time, there was no argument: Active Directory was the sovereign ruler of identity. Users, computers, and groups existed only inside its limestone towers—domain controllers humming with authority. It was the single source of truth for everything that mattered, and for years, that simplicity felt divine.

Then came the cloud, and Microsoft was polite enough to invite AD’s relics to visit. The result was synchronization—objects mirrored upward into Azure Active Directory, now known as Entra ID. But while Entra displayed those objects, it never owned them. Think of it as a constitutional monarchy where the royal decrees still came from on‑prem, and Entra merely broadcast them. The result? A system where the local crown keeps issuing laws, but the new parliament can’t amend them.

You could see the hierarchy right in the interface. Cloud consoles filled with gray fields—unchangeable memberships, locked roles, and governance tools refusing to launch because the Source of Authority said “Active Directory.” To alter anything meaningful, you descended back into the dark ages of MMC snap‑ins and PowerShell sessions pointed at domain controllers. All because AD refused to relinquish its scepter.

Here’s the key correction most admins miss: Source of Authority isn’t a global toggle; it’s per object. Each group, each user, carries its own little flag defining who commands it. Create something on‑prem, and AD claims dominion. Create it in Entra, and the cloud presides. For decades, that boundary was impermeable—the tributaries all flowed north; no river ever returned. Cloud admins could observe but never decree.

When hybrid was new, that made sense. The kingdom’s economy still depended on local servers, Exchange clusters, and policies that only AD understood. But as workloads migrated, the crown’s laws grew obsolete, and the parliament in Entra gained better governance, automation, and intelligence. Microsoft didn’t abolish the monarchy; it built a representative government beside it. OAuth and OpenID became the new diplomatic language, while AD kept mumbling about Kerberos tickets and function levels.

The tragedy is inertia. Many organizations still behave as if AD’s judgment is absolute, even while their infrastructure lives in the cloud. They tolerate gray menus and blocked automation scripts instead of acknowledging that control has moved. It’s not rebellion to flip the Source of Authority—it’s formal recognition of the reality that your users already live in Entra.

So picture it like this: AD sits on an aging throne of LDAP attributes, insisting it still commands the empire. Entra, the modern parliament, drafts new laws that actually affect how people work—dynamic memberships, self‑service, automated access reviews. The difference is legitimacy versus function. One clings to titles; the other governs the real world.

And that’s where we are now: caught between loyalty to tradition and the efficiency of democracy. Most of your groups are still listed as AD‑managed, not because it’s right, but because no one’s dared challenge the throne. The next step is understanding that the revolution already succeeded—the crown just hasn’t read its own decommission notice yet.

Section 2: Enter Entra ID—When the Cloud Grew a Spine

Enter Entra ID—the moment Microsoft’s cloud finally developed a backbone. This isn’t Azure AD in a new outfit; this is identity grown up. It speaks fluent OAuth, OIDC, and SAML—languages of global citizenship, not provincial LDAP dialects. Where AD still thinks inside the walls of a domain, Entra assumes borderless connectivity. The internet is its forest; the directory is a species, not a fortress.

You can feel the cultural shift the second you touch Entra’s tooling. Dynamic group membership replaces manual drudgery. Instead of some admin babysitting security groups, you write a rule: “Department equals Finance,” and voilà—membership adjusts automatically. It’s identity Darwinism: evolve or disappear. Then there’s self-service group creation—delegated autonomy without chaos. Users can form working circles for projects, Power BI access, or internal collaboration, and governance keeps it clean.

And governance is where Entra flexes hardest. Access reviews, entitlement management, privileges that expire on schedule rather than haunting the domain forever. All of it managed under unified policy intelligence that AD could never dream of. AD was a filing cabinet; Entra is a living workflow engine connected to your HR system, Teams, and Defender policies.

Compare that to Active Directory’s ritualized administrivia. Group creation by ticket. Membership change by prayer. No dynamic logic, no audit trails worth mentioning, and compliance auditors forced to decipher exports like archeologists brushing dust off CSVs. AD is rooted in a world where automation meant batch scripts and documentation lived in someone’s My Documents folder.

The identity-locality mismatch is now absurd. Eighty percent of your workloads float in the cloud—Exchange Online, SharePoint, Power BI, Dynamics 365—yet every policy decision still orbits a rack-mounted controller in a basement. That’s like trying to manage your global logistics empire through a notepad left on your childhood desk.

Entra doesn’t just host identities; it contextualizes them. You can assign conditional access, integrate with Power Automate, or feed Microsoft Sentinel—all in real time. This isn’t replication; it’s orchestration.

But, of course, the modern world still needs to talk to the ancestral one. Enter Group Writeback—the diplomatic solution that keeps peace with legacy systems. When configured through Entra Cloud Sync, cloud-authored groups can materialize on-prem, ensuring your aging file servers and applications can still validate access without rewriting history.

This bridge does come with fine print. You need a P1 license, Cloud Sync rather than the legacy Connect engine, and the groups must be universal, non-mail-enabled, and security-only. Distribution lists and mail-enabled security groups stay governed by Exchange because messaging still plays by its own rules. In other words, Entra can send emissaries to AD, but only if those emissaries aren’t carrying mail.

And yet, even with those constraints, Group Writeback is monumental. It’s the first treaty between the old monarchy and the new parliament—a controlled backchannel for coexistence. It ensures you can operate in dual worlds without splitting your identity map. And once that treaty is signed, there’s no excuse for continuing to let AD write every law. The bridge exists; it’s time to move the population north.

That’s where Source of Authority conversion enters. With group writeback providing the safety net, the next step is evacuation—declaring Entra as the governing body for groups that actually matter in the modern ecosystem. Because authority shouldn’t live where workloads no longer do.

Section 3: Why Source of Authority Matters—And Why Yours Is Wrong

The Source of Authority bit—isCloudManaged=True—is not just an attribute. It’s a liberation memo. Flip it, and you’re effectively telling Active Directory, “You’ve served your purpose; stand down.” It’s the emancipation proclamation for your groups.

So what happens when you don’t flip it? Symptoms appear everywhere. Gray fields that refuse editing. Self-service options eternally disabled. HR provisioning pipelines stalled because changes have to trickle through an obsolete synchronization chain. Every time a user moves departments or a job title changes, you end up hand-patching membership instead of letting logic do the work.

The ripple effects spread. Exchange mail-enabled objects remain trapped in their legacy’s gravitational well, dependent on outdated APIs. Security groups, meanwhile, become automation dead zones—blocked from Graph API triggers or adaptive policy assignments. It’s death by governance backlog.

The compliance problem is even uglier. Fragmented attribute ownership means no one can prove who changed what and where. Half your identity data is born in Entra, but AD still files the birth certificates, and you can’t submit those to auditors because they’ve been replicated three times along the way. It’s like trying to balance your books when each department keeps its own secret ledger.

Treating AD as your ongoing truth source is institutional laziness. It’s like insisting on faxing signed documents in a world running Teams, Power Automate, and eSign. Sure, it still “works,” but it’s embarrassing.

Microsoft understands this inertia, which is why their official guidance now reads like a therapy program. The five-phase transformation model goes from “cloud-curious” through “cloud-first,” “cloud-dominant,” and finally “AD-minimized.” You can almost hear Satya whispering: “let it go.” The idea is to acknowledge that sovereignty should follow functionality.

At stage one, you merely dabble—Exchange Online here, SharePoint Online there—but you still worship your local controllers. At stage two, you begin syncing and start trusting Entra enough to create a few cloud-native objects. Stage three through five mark the psychological shift: AD becomes an archival service for whatever’s left behind, not a governing authority. It’s like phasing out monarchy by quietly moving Parliament to the capital and leaving the king alone in the countryside.

Why does Source of Authority define maturity? Because governance scales only when it’s unified. The moment Entra owns the group, every automation, API, and access-review engine in the Microsoft ecosystem suddenly obeys a single set of modern rules. Lifecycle policies can trigger deletions; privilege identity management can time-limit roles; HR provisioning can write directly without waiting for Connect syncs. That’s operational harmony—AD simply cannot conduct that orchestra anymore.

Most organizations, though, stop halfway. They admire Entra’s capabilities but still let AD be the landlord. It’s the equivalent of moving your family into a new smart home while still mailing rent checks to the abandoned one. All your energy goes into maintaining a lease on irrelevance.

Change the Source of Authority, and you change your operational physics. Suddenly governance works top-down. The audit logs live where your users authenticate. The compliance dashboards finally show reality rather than echoes. The cloud stops being a mirror and becomes the master record.

Before you rush off to patch attributes, though, there’s one ceremonial step left—cleansing the directory. Because flipping SOA on dirty data is like crowning a new ruler in a plague pit. You first purge the zombies, classify the survivors, and then migrate. Think of it as a coronation preceded by an elaborate cleansing ritual.

So yes, your Source of Authority is probably wrong. Not morally, but mechanically. You’re enforcing the sovereignty of an empire that no longer funds itself, while the republic next door is already running your economy. The sooner you flip that isCloudManaged bit, the sooner your identity governance starts acting like it’s from this decade. And once you’ve cleaned the data, you can perform that migration without chaos—and without begging the old king for permission.

Section 4: Prep Work—Cleansing, Categorizing, and Converting

Before you can proclaim Entra the rightful sovereign, you have to clean the kingdom. Because if you simply flip Source of Authority without cleansing your groups, you’ll inherit not a functional republic, but a digital landfill—half-dead ACLs from 2008, groups with no purpose, memberships drawn from long-retired executives, and GUID ghosts still haunting SharePoint permissions.

The first step is inventory. Not the “we think we have about 10,000 groups” kind of inventory—an actual interrogation. Ask each object: Do you still serve a purpose? Which application references you? When was the last time your membership changed? If the answer involves “nobody remembers,” congratulations: that’s a zombie. Delete it with prejudice. Microsoft even formalized this with what they call the “scream test.” You disable it and wait for someone to yell. Silence means clean deletion.

Once your graveyard is cleared, classification begins. Every surviving group fits one of three archetypes: cloud-focused, dual-use, or obsolete-but-still-mysteriously-referenced. Cloud-focused objects live entirely in the Entra ecosystem—Teams permissions, Power Platform roles, SharePoint Online accesses. Dual-use groups are transitional, still serving an occasional file share or legacy SQL auth call. The rest—those phantom ACLs used by retired applications—belong in deletion queue number two.

Then comes eligibility. AD, predictably, doesn’t make this easy. To be eligible for Group Writeback and modern management, the group must be universal, security-only, and non-mail-enabled. Global? Convert it to universal. Distribution? Stop pretending that e-mail routing equals access control. Mail-enabled security? Fine, finish your Exchange migration first, because the Exchange APIs remain their own kingdom. You can’t convert what Entra doesn’t fully govern yet.

Every hybrid setup still clinging to on-prem mail has one critical rule: finish the mail migration first. Only pure cloud messaging estates qualify for Source of Authority conversion. Anything else risks a civil war between Entra policies and Exchange schema.

Now, the technical act itself—this is where most admins overthink. There’s no dramatic wizard. It’s a single API patch in Microsoft Graph Explorer. You authenticate, fetch the group’s object ID, and perform a PATCH request setting isCloudManaged to true. That’s it. One Boolean flips, and the chain of authority changes domain. AD becomes witness, not ruler.

You need proper scope to do this—specifically, the Group.OnPremisesSyncBehavior permission. Grant it once in Graph Explorer, consent globally, and you’re free to convert. No premium license for the switch itself, though you’ll need P1 for Group Writeback. Microsoft, for once, doesn’t charge for freedom—only for the round trip.

Immediately after the flip, add governance scaffolding. Assign at least one owner (and not “Domain Admins,” please). Enable self-service to let teams request membership without helpdesk tickets. Link the group into Access Packages and Access Reviews so it inherits lifecycle controls and compliance oversight. The post-conversion stage is where Entra begins to justify its authority—dynamic rules, approval flows, automated expirations.

And because you’re a responsible adult now, document the conversion. Audit logs automatically capture the event, but humans forget why they performed it. Note what’s been flipped, what remains pending, and who screamed during tests.

Humor with truth: when you finish, you’ll notice that formerly grayed-out membership fields in the portal suddenly turn editable. It feels dangerously empowering. That’s Microsoft finally admitting you can manage without supervision.

At this point, most organizations breathe a sigh of relief—until they realize not everyone has followed them into the cloud. Some servers still authenticate against legacy groups. That’s where Group Writeback redeems its reputation. By adding the converted Entra groups into the writeback scope, you allow them to project identities downward, ensuring ancient systems can still resolve access. It’s diplomacy again—new citizens managing old borders.

Once you’ve executed batch conversions, monitor synchronization cycles and review audit entries for each group. The rare failure usually traces back to mislabelled distribution lists or non-universal scopes. Correct and repeat until parity stabilizes.
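The pre-flight triage described in this section, as an added example that is not the show's own script or Microsoft's code: it encodes the eligibility rules above (universal scope, security-only, not mail-enabled, still synced from AD, zombies weeded out first) over a constructed inventory that merges the Get-ADGroup fields with the Entra group object, and builds the Graph PATCH that sets isCloudManaged without sending it. The beta endpoint and the Group-OnPremisesSyncBehavior.ReadWrite.All scope follow Microsoft's preview documentation for SOA conversion and are assumptions to verify against the current docs; the group names and GUIDs are sample values.

```python
"""Pre-flight triage for group Source-of-Authority (SOA) conversion.

Added example (not the show's or Microsoft's code). It encodes the eligibility
rules the episode lists and emits the Graph PATCH that sets isCloudManaged.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GRAPH_BETA = "https://graph.microsoft.com/beta"
# Permission name as documented by Microsoft for SOA conversion (assumption:
# verify against the current docs; the episode calls it Group.OnPremisesSyncBehavior).
SOA_SCOPE = "Group-OnPremisesSyncBehavior.ReadWrite.All"


@dataclass
class GroupRecord:
    """One row of the merged AD + Entra inventory (constructed for this example)."""
    name: str
    entra_id: str                 # Entra object id; constructed GUIDs below
    scope: str                    # AD GroupScope: Global | Universal | DomainLocal
    category: str                 # AD GroupCategory: Security | Distribution
    mail: Optional[str]           # AD mail attribute; a value means mail-enabled
    synced: bool                  # Entra onPremisesSyncEnabled (AD is still the SOA)
    days_since_member_change: int
    referenced_by: List[str] = field(default_factory=list)


def triage(g: GroupRecord) -> Tuple[str, List[str]]:
    """Return ('convert' | 'zombie' | 'blocked', reasons) for one group."""
    if not g.referenced_by and g.days_since_member_change > 365:
        return "zombie", ["no references and no membership change in a year: scream test, then delete"]
    reasons: List[str] = []
    if not g.synced:
        reasons.append("already cloud-managed: nothing to flip")
    if g.category != "Security":
        reasons.append("distribution group: stays governed by Exchange")
    elif g.mail:
        reasons.append("mail-enabled security group: finish the Exchange migration first")
    if g.scope != "Universal":
        reasons.append(f"{g.scope} scope: convert to Universal before Group Writeback")
    return ("blocked", reasons) if reasons else ("convert", [])


def patch_request(g: GroupRecord) -> Dict[str, object]:
    """Build the Graph call that flips SOA for an eligible group (not sent here)."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BETA}/groups/{g.entra_id}/onPremisesSyncBehavior",
        "scope": SOA_SCOPE,
        "body": {"isCloudManaged": True},
    }


def plan(inventory: List[GroupRecord]) -> Dict[str, Dict[str, List[str]]]:
    """Bucket the inventory; 'blocked' keeps the reasons so holdouts are explained."""
    out: Dict[str, Dict[str, List[str]]] = {"convert": {}, "zombie": {}, "blocked": {}}
    for g in inventory:
        verdict, reasons = triage(g)
        out[verdict][g.name] = reasons
    return out


# Constructed inventory; the GUIDs and names are sample values, not real objects.
INVENTORY = [
    GroupRecord("FIN-Reporting", "00000000-0000-0000-0000-0000000000a1", "Universal", "Security", None, True, 12, ["Power BI workspace"]),
    GroupRecord("SEC-VPN-Users", "00000000-0000-0000-0000-0000000000a2", "Global", "Security", None, True, 40, ["VPN concentrator"]),
    GroupRecord("HR-AllStaff", "00000000-0000-0000-0000-0000000000a3", "Universal", "Distribution", "hr@contoso.example", True, 5, ["Exchange"]),
    GroupRecord("Proj-Apollo", "00000000-0000-0000-0000-0000000000a4", "Universal", "Security", "apollo@contoso.example", True, 20, ["SharePoint site"]),
    GroupRecord("LegacyApp-Admins", "00000000-0000-0000-0000-0000000000a5", "Global", "Security", None, True, 900, []),
    GroupRecord("Teams-Marketing", "00000000-0000-0000-0000-0000000000a6", "Universal", "Security", None, False, 3, ["Teams"]),
]

if __name__ == "__main__":
    for verdict, groups in plan(INVENTORY).items():
        for name, reasons in groups.items():
            print(f"{verdict:8} {name:18} {'; '.join(reasons)}")
    for g in INVENTORY:
        if triage(g)[0] == "convert":
            print(patch_request(g))  # the only group that passes every rule
```

Only FIN-Reporting survives all the rules in this sample; the blocked bucket doubles as the "which groups remain AD-managed, and why" list you re-run after each batch.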

When the dust settles, you’ll stand with a hybrid directory where Entra governs and AD merely mirrors. It’s democracy with a ceremonial monarch—perfectly British.

Section 5: Post‑Conversion Reality—Living in a Dual‑Authority World

After conversion, reality looks less utopian and more like a constitutional compromise. You have Entra-managed groups enjoying all the modern privileges: dynamic memberships, owner assignments, automated reviews. Simultaneously, you have AD relics that still gatekeep certain file shares or VPNs. And somewhere in between, some groups are mirrored through Group Writeback—citizens of both worlds, recognized by each but fully controlled by neither.

Managing this trinity requires strategy, not improvisation. Start with human-centric groups—those tied to departments, projects, or HR data. These belong in Entra; their memberships change dynamically with role attributes. Next, migrate security-role groups that define application access. Last come the vestigial distribution lists. Their time will come once Exchange hands them over.

Operationally, unification pays off fast. Your audits simplify—they run from a single pane showing which identities belong to which group and why. Governance reviews actually produce action instead of spreadsheets collecting dust. The Graph API now responds when automation requests membership changes, and Power Automate flows no longer fail because “property is read-only.” It’s liberation disguised as progress.

For HR systems and provisioning tools, the workflow inverts. Instead of shoving updates into AD and waiting for Connect to sync upward, they now talk straight to Entra through the Provisioning API. It’s faster, cleaner, and verifiable in logs that auditors can actually interpret without necromancy. Legacy connectors stay around only for the assets still breathing local air—file servers, line-of-business apps, and the occasional VPN concentrator waiting for retirement.

Monitoring becomes straightforward. Every Source-of-Authority change writes to the audit log, visible under Governance > Activity. You can filter by ChangedBy, TargetId, or OperationType, watching who’s taking groups to the cloud. Access Reviews then enforce lifecycle: if no owner reaffirms purpose, Entra retires them automatically. No more zombie objects idling in compliance purgatory.

Expect to maintain this dual-authority world for a while. A complete purge of AD-linked groups rarely happens overnight—politics and procurement stall reality. But that’s fine. Each cycle of conversions shortens the list of holdouts, and those holdouts lose influence as fewer systems depend on them. Eventually, you’ll check your configuration and realize that AD is running purely for backward compatibility and nostalgia.

Keep an eye on Microsoft’s trajectory: group Source of Authority conversion was only phase one. User-level conversion is next, enabling direct identity control from Entra without relying on AD at all. That’s the horizon line—pure cloud governance with optional writeback for the fossils that refuse extinction.

The dual system isn’t a burden; it’s the transitional ecosystem between eras. Treat AD as the legacy archive of record and Entra as the living constitution. They coexist, but only one evolves. Every month, run a simple audit: “Which groups remain AD-managed, and why?” If the answer sounds like sentimentality, schedule their conversion.

Administrators often find themselves oddly emotional at this stage—watching domains they’ve nurtured for decades become redundant. There’s a psychology to letting go of authority, even digital authority. But remember: progress is not betrayal; it’s succession.

Reframe success metrics from uptime of domain controllers to agility of governance. The more you automate through Entra, the less energy you spend maintaining ceremonial infrastructure. Eventually, Active Directory becomes what it always should have been—a backend for the few legacy identities still in exile.

And when you finally decommission your last on-prem controller, don’t mourn it. Archive its logs, display its last event ID proudly, and move on. Because by then, your identity realm will no longer revolve around a local clock or a dusty OU structure—it will live where your users already live: in the cloud, under Entra, governed by policies that refresh with the same frequency as reality itself.

Section 6: The Real Reason People Don’t Do This

Here’s the dirty truth: most admins don’t avoid Source of Authority conversion because it’s hard. They avoid it because it’s emotional. Active Directory isn’t code to them—it’s heritage. It’s the fortress they built early in their career, the domain where they held absolute power. Changing that feels like surrender.

Comfort masquerades as stability. They say, “Our hybrid setup works fine.” Of course it does, in the same way a cassette tape still plays music—technically correct but existentially obsolete. AD’s blinking green lights soothe the anxious admin soul. You can touch it, back it up, even walk down the server room to hug it during a maintenance window. The cloud offers no such reassurance. It’s everywhere and nowhere—logical, efficient, terrifyingly abstract.

The result is cognitive dissonance in patch cables. On one hand, they evangelize AI-driven governance and cloud automation. On the other, they panic if a domain controller’s fan sounds different. They call it prudence; it’s really nostalgia with a sysadmin lanyard.

Then there’s ego economics. Many organizations justify keeping AD purely because “it’s already there.” Translation: someone doesn’t want to explain to management that the infrastructure they’ve spent years maintaining has become ornamental. No one wants to be the administrator whose career milestone—“built the domain from scratch”—becomes a historical footnote. But let’s face it, maintaining AD for ego costs more than migrating it for efficiency. Electricity, licensing, patch management—each one a monthly invoice to denial.

And yet, it’s 2024. Some shops still treat domain controllers like family heirlooms, polishing them during weekend maintenance. It’s sentimental, almost sweet. But identity authority isn’t a nostalgia project—it’s a governance engine. Authority must live where activity lives, and right now, that’s the cloud. The place your users authenticate, collaborate, and get security enforced—the only place that matters.

This reluctance isn’t villainy. It’s inertia. Admins don’t mean to perpetuate the lie; they simply confuse familiarity with control. The truth? You’re not losing power—you’re relocating it. Moving Source of Authority to Entra doesn’t erase your expertise; it makes it relevant again. AD will survive as an archive, but the cloud is the arena where governance actually plays out. The sooner you accept that, the sooner you stop babysitting virtual ghosts.

Conclusion: Reclaiming Authority

Your groups don’t need therapy—they need emancipation. For decades, Active Directory raised them, disciplined them, and decided their destinies. But parenthood ends when the children outgrow the house, and Entra is that adulthood. Stop forcing cloud-native systems to obey an on-prem curfew.

Think of AD as the photo album—it holds memories. Entra is the person those memories belong to. By insisting AD remain in charge, you’re syncing baby pictures while the grown version is running an enterprise. It’s tender, but it’s wasteful. Identity must live where it acts, and today, action lives in Entra.

So reclaim authority—not from Microsoft or from policy logs, but from your own outdated instincts. Flip that bit. Set isCloudManaged to true. Assign ownership where governance belongs. Stop treating updates like foreign invasions and start treating them like maturation.

Because the longer you pretend your groups owe allegiance to a basement controller, the longer you delay every automation, every access review, every compliance proof that could’ve been done already. AD had its golden age; let it retire gracefully. Its function now is archival, not authoritarian.

Here’s the provocation: sovereignty isn’t about holding the crown. It’s about holding relevance. The admins who embrace Entra as their new capital will run circles around those worshipping at the altar of SYSVOL.

Now, if you’re ready to stop endlessly syncing the past and start governing the present, subscribe. Comment with your biggest hybrid headache, and join the ones who don’t fear the switch—they automate it. Authority isn’t given; it’s maintained. The question is: who’s maintaining yours?



This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit m365.show/subscribe

By Mirko Peters - Microsoft 365 Expert Podcast