If you’re like many organizations today, moving from on-premises infrastructure to a cloud-first approach is both exciting and a little overwhelming! One area where this transition really matters is identity and access management, especially when it comes to handling groups.
Handling this becomes easier thanks to Microsoft Entra’s SOA Conversion. I know it sounds technical, but stick with me: it’s a feature that genuinely makes group management simpler and fits a cloud-first strategy.
What Is Group Source of Authority (SOA)?
Traditionally, Active Directory Domain Services (AD DS) has been the master for group objects, so any change to a group’s membership had to be made on-prem. That means more hybrid complexity, extra governance overhead, and slower modernization.
With Entra’s SOA Conversion, you can shift that mastership from AD to Entra ID (the cloud), which lets you manage those groups directly in Microsoft Entra ID.
The benefits are simplified governance, faster access reviews, and less reliance on on-prem infrastructure, all while keeping security intact.
Pre-requisites for SOA Conversion
Converting a group’s SOA is straightforward if you follow a few key steps:
- Ensure you have the right roles: Hybrid Administrator for Graph API calls, and either Application Administrator or Cloud Application Administrator for app consent.
- Grant Permissions: You’ll need Group-OnPremisesSyncBehavior.ReadWrite.All to execute the changes.
- Update Sync Tools: Make sure your Entra Connect Sync is version 2.5.76.0+ or Entra Cloud Sync is 1.1.1370.0+.
How to Convert Group SOA from AD to Entra
- Identify the Group: Use the Entra Admin Center or Graph Explorer to find the group you want to convert.
- Check Prerequisites: Make sure the group isn’t mail-enabled or tied to Exchange on-prem. If you plan to provision back to AD later, set the group scope to Universal.
Once you’ve got all of that in place, the actual conversion is simple. For example, to convert GroupAB to cloud-managed, you’d run this in Graph Explorer:
PATCH https://graph.microsoft.com/beta/groups/{group-id}/onPremisesSyncBehavior
{ "isCloudManaged": true }
After that, verify that blockOnPremisesSync is set to true in the Entra Admin Center, and check audit logs to confirm the conversion. From here on, AD no longer controls that group, and all changes happen in the cloud.
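The same procedure scripted end to end, as an added example that is not part of the original post: it checks the prerequisites the post lists, sends the PATCH, and then reads the sync behavior back before declaring the group converted. It assumes the Microsoft Graph PowerShell SDK is installed, that $GroupId is replaced with the real object id of the group (GroupAB in the post), that Group.Read.All is added to the post’s Group-OnPremisesSyncBehavior.ReadWrite.All so the script can read group properties, and that the ActiveDirectory module is present only for the optional scope check.

```powershell
# Added example (not from the original post). Converts one group's SOA from AD to Entra ID
# and verifies the result. Assumes the Microsoft.Graph SDK; $GroupId is a placeholder.
param(
    [Parameter(Mandatory)] [string] $GroupId   # placeholder: object id of the group to convert
)

# 1. Sign in with only the scopes this task needs (assumption: Group.Read.All for the read,
#    plus the permission the post names for the write).
Connect-MgGraph -Scopes "Group.Read.All", "Group-OnPremisesSyncBehavior.ReadWrite.All" -NoWelcome

# 2. Prerequisite checks from the post: the group must currently be synced from AD
#    and must not be mail-enabled (Exchange on-prem objects are out of scope).
$group = Get-MgGroup -GroupId $GroupId -Property "id,displayName,mailEnabled,onPremisesSyncEnabled,onPremisesSamAccountName"
if (-not $group.OnPremisesSyncEnabled) { throw "$($group.DisplayName) is not synced from AD; nothing to convert." }
if ($group.MailEnabled)                { throw "$($group.DisplayName) is mail-enabled; handle it through Exchange Online instead." }

# 3. Optional: group scope lives in AD, not in Graph. The post notes Universal scope is
#    required if you ever want to provision the group back to AD, so warn if it is not.
if (Get-Command Get-ADGroup -ErrorAction SilentlyContinue) {
    $adGroup = Get-ADGroup -Identity $group.OnPremisesSamAccountName
    if ($adGroup.GroupScope -ne 'Universal') { Write-Warning "AD scope is $($adGroup.GroupScope), not Universal." }
}

# 4. Flip the source of authority: the same PATCH the post runs in Graph Explorer.
$uri = "https://graph.microsoft.com/beta/groups/$GroupId/onPremisesSyncBehavior"
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ isCloudManaged = $true } -ContentType "application/json"

# 5. Verify: read the behavior back and require isCloudManaged = true before touching memberships.
$behavior = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($behavior.isCloudManaged -ne $true) { throw "Conversion not reflected yet for $GroupId; re-check before changing memberships." }
Write-Output "$($group.DisplayName) ($GroupId) is now cloud-managed."
```

The verification step is deliberately a hard failure rather than a log line: until the GET returns isCloudManaged as true, AD is still the master, and any membership edit made in Entra ID would be overwritten by the next sync cycle. Run it per group and keep the script’s output alongside the audit log entries the post tells you to check.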
SOA Conversion is a practical tool for modernizing identity infrastructure. Here’s why it’s worth paying attention to:
- Simplified Governance: Once a group is cloud-managed, you can apply Entra ID governance policies like access reviews, lifecycle policies, and provisioning rules.
- Cleaning Up On-Prem AD Clutter: Legacy groups that exist solely for cloud apps can now be fully managed in the cloud. This reduces clutter, simplifies management, and eventually shrinks your reliance on AD.
- Migrating DLs and MESGs to the Cloud: If your goal is to move all mail-related groups online, SOA conversion lets you do that cleanly: convert the group, recreate it in Exchange Online, and decommission the AD-based mail group.
Strategic Impact
SOA conversion isn’t just a technical trick; it’s strategic! It helps organizations:
- Reduce AD DS reliance: Shrink your on-prem footprint and cut maintenance overhead.
- Centralize governance: Manage access, lifecycles, and compliance entirely in the cloud.
- Phase migration safely: Modernize identity management without disrupting day-to-day operations.
In short, if you’re aiming to accelerate your cloud-first journey, simplify governance, and modernize identity management, SOA Conversion is a tool you don’t want to overlook. It’s practical, strategic, and designed for organizations looking to reduce on-prem complexity while staying in full control.
If you haven’t explored it yet, now’s a great time. Take a look at your groups, identify candidates, and start moving them to Entra ID. It’s easier than it sounds, and the long-term benefits (governance, security, and operational simplicity) are well worth it.
Feel free to reach out if you have questions or need guidance on getting started.