Haven't tested that, but wouldn't that mean you're syncing Domain Admin accounts to Azure? Even if only during the writeback phase? That's generally not recommended.
Entra Cloud Sync - Group Writeback
Hi, could this feature be used as a PAM solution for temporary Domain Admins group membership in AD DS (a group synced from Entra to AD DS would be a member of the Domain Admins group, empty by default, and admins would get temporary membership in the synced group using PIM)? Currently I am using the native PAM AD DS optional feature with a GUI tool created in PS Studio leveraging JEA - admins request temporary membership in the Domain Admins group, which is automatically approved.
2 answers
Marcin Policht 11,305 Reputation points MVP
2024-04-23T11:38:26.3033333+00:00
As far as I recall, the writeback creates groups with the Universal scope - they cannot be added to a domain global group (such as Domain Admins).
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
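A pre-check that encodes the nesting rule the answer above relies on, written as an added example for this thread rather than code from any participant or from Microsoft. It assumes the RSAT ActiveDirectory module is installed and uses 'Entra-DA-Eligible' as a placeholder name for the written-back group:

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module; 'Entra-DA-Eligible' is a placeholder for the written-back group name.
Import-Module ActiveDirectory

# AD group nesting rules, which is why a Universal writeback group cannot sit in
# Domain Admins (a Global group):
#   Global      <- Global groups from the same domain only
#   Universal   <- Global or Universal groups from any domain in the forest
#   DomainLocal <- Global/Universal from any trusted domain, DomainLocal from same domain
function Get-DomainDnFromDn {
    param([string] $Dn)
    # Keep only the DC= components so two objects can be compared by domain
    ($Dn -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','
}

function Test-GroupNestingAllowed {
    param(
        [Parameter(Mandatory)] [string] $MemberGroup,
        [Parameter(Mandatory)] [string] $TargetGroup
    )
    $member = Get-ADGroup -Identity $MemberGroup
    $target = Get-ADGroup -Identity $TargetGroup
    $sameDomain = (Get-DomainDnFromDn $member.DistinguishedName) -eq
                  (Get-DomainDnFromDn $target.DistinguishedName)

    switch ($target.GroupScope) {
        'Global'      { $allowed = ($member.GroupScope -eq 'Global') -and $sameDomain }
        'Universal'   { $allowed = $member.GroupScope -in @('Global', 'Universal') }
        'DomainLocal' { $allowed = ($member.GroupScope -ne 'DomainLocal') -or $sameDomain }
    }

    [pscustomobject]@{
        MemberGroup = $member.Name
        MemberScope = $member.GroupScope
        TargetGroup = $target.Name
        TargetScope = $target.GroupScope
        Allowed     = $allowed
    }
}

# Domain Admins is Global, so a Universal writeback group yields Allowed = False
Test-GroupNestingAllowed -MemberGroup 'Entra-DA-Eligible' -TargetGroup 'Domain Admins'
```

Running the check before designing a PIM flow around writeback groups avoids discovering the scope restriction only when Add-ADGroupMember fails.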