How to Use Microsoft Graph API to Add Groups for Group Provisioning to Active Directory (Formerly Cloud Sync Group Writeback V2)
We know we can use the user interface in the Microsoft Admin portal to configure group writeback / group provisioning to Active Directory from Microsoft Entra ID via Cloud Sync, as shown in the screenshots below:
[Screenshot: Group Provision to Active Directory]
[Screenshot: configuring Microsoft Entra ID to AD sync via the GUI]
[Screenshot: configuring group scoping via the GUI]
Group Writeback via Graph API
There are good reasons, however, to configure group writeback/provisioning via the Microsoft Graph API instead.
If you are using the "manual" scope and have selected specific groups, you can use the following Microsoft Graph calls.
To select (scope in) a group programmatically, assign it to the sync job's service principal with the scoping app role:
POST https://graph.microsoft.com/v1.0/servicePrincipals/<service principal id for the job>/appRoleAssignedTo
Content-Type: application/json

{
  "principalId": "<group object id>",
  "resourceId": "<service principal id for the job>",
  "appRoleId": "1a0abf4d-b9fa-4512-a3a2-51ee82c6fd9f"
}
Reference: Grant an appRoleAssignment for a service principal — Microsoft Graph v1.0 | Microsoft Learn
To get the servicePrincipal ID of a sync job (note that this query uses the beta endpoint):
GET https://graph.microsoft.com/beta/servicePrincipals?$select=id,displayName&$filter=applicationTemplateId%20eq%20%27fb81332f-3eca-4ecf-a939-4278e501d330%27
(This filters on the Cloud Sync application template id, fb81332f-3eca-4ecf-a939-4278e501d330; the %27 characters in the URL are the URL-encoded single quotes around it.)
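As an added example (not code from the original post), the following Python script runs both calls above: it locates the Cloud Sync job service principal(s) by application template id and scopes a group into a job. It assumes a bearer token with the Graph permissions these calls require (AppRoleAssignment.ReadWrite.All for the assignment), and it reads the existing assignments first so that re-running it does not create a duplicate assignment.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
# Cloud Sync application template id and scoping appRoleId, both taken from the post above.
CLOUD_SYNC_TEMPLATE_ID = "fb81332f-3eca-4ecf-a939-4278e501d330"
SCOPING_APP_ROLE_ID = "1a0abf4d-b9fa-4512-a3a2-51ee82c6fd9f"


def graph_call(token, method, url, body=None):
    """Minimal Graph transport (standard library only); raises on HTTP errors."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def get_all(call, url):
    """Follow @odata.nextLink so paged collections are read completely."""
    items = []
    while url:
        page = call("GET", url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def find_sync_service_principals(call):
    """Return [(id, displayName)] for every Cloud Sync job service principal."""
    url = (f"{GRAPH}/beta/servicePrincipals?$select=id,displayName&$filter="
           + urllib.parse.quote(f"applicationTemplateId eq '{CLOUD_SYNC_TEMPLATE_ID}'"))
    return [(sp["id"], sp["displayName"]) for sp in get_all(call, url)]


def assign_group(call, sp_id, group_id):
    """Scope one group into the job. Idempotent: an existing assignment is not duplicated."""
    url = f"{GRAPH}/v1.0/servicePrincipals/{sp_id}/appRoleAssignedTo"
    for a in get_all(call, url):
        if a.get("principalId") == group_id and a.get("appRoleId") == SCOPING_APP_ROLE_ID:
            return "already-assigned"
    call("POST", url, {"principalId": group_id, "resourceId": sp_id,
                       "appRoleId": SCOPING_APP_ROLE_ID})
    return "assigned"
```

Build the transport once with `functools.partial(graph_call, token)` and pass it as `call`; the same callable then serves both the lookup and the assignment.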