| title | description | author | manager | ms.service | ms.topic | ms.date | ms.subservice | ms.author |
|---|---|---|---|---|---|---|---|---|
Govern on-premises Active Directory(Kerberos) application access with groups from the cloud |
This article provides an overview of how to use cloud sync to govern on-premises application access using groups. |
billmath |
amycolannino |
entra-id |
conceptual |
04/26/2024 |
hybrid-cloud-sync |
billmath |
[!INCLUDE deprecation]
Scenario: Manage on-premises applications with Active Directory groups that are provisioned from and managed in the cloud. Microsoft Entra Cloud Sync allows you to fully govern application assignments in AD while taking advantage of Microsoft Entra ID Governance features to control and remediate any access related requests.
With the release of provisioning agent 1.1.1370.0, cloud sync now has the ability to provision groups directly to your on-premises Active Directory environment. You can use identity governance features to govern access to AD-based applications, such as by including a group in an entitlement management access package.
:::image type="content" source="media/govern-on-premises-groups/on-premises-group-writeback.png" alt-text="Conceptual drawing of Microsoft Entra Cloud Sync's Group Provision to AD." lightbox="media/govern-on-premises-groups/on-premises-group-writeback.png":::
For a great overview of cloud sync group provisioning to Active directory and what it can do for you, check out the video below.