Sync Users from Entra to AD

Luke 75 Reputation points
2026-05-05T23:25:59.7933333+00:00

Hi there, currently I'm working on sync users from Entra to AD. (AD is on a Domain Controller Azure VM)

We are using Entra as the single source of truth now, and due to some reasons, we need to sync users from Entra to AD for some legacy applications.

We've tried Microsoft Cloud Sync (https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory ), but looks like it only supports Group, not Users. Users will be skipped as they need to exist first in AD.

Could I please get any thoughts how to make it happen properly. Thanks!

2 answers

  1. Shubham Sharma 15,005 Reputation points Microsoft External Staff Moderator
    2026-05-06T01:13:42.7866667+00:00

    Hey Luke, you’re correct—Azure AD Cloud Sync (aka Microsoft Entra hybrid cloud sync) only syncs on-premises AD objects into Entra ID (and supports group writeback only, not user provisioning back into AD). There isn’t a “flip-the-switch” to push users from Entra into your DC VM via Cloud Sync. To get Entra-managed users created and updated in your on-prem AD, you have two main supported options:

    1. Use the Microsoft Entra (Azure AD) Provisioning Service to on-premises AD
       • In the Entra admin center, go to Enterprise Applications > New application > add the built-in “Microsoft Active Directory” app
       • Under Provisioning, install the lightweight provisioning agent on a server that has line-of-sight to your Domain Controller
       • Configure your attribute mappings, scoping filters (e.g. user status = Enabled), OU targets, etc.
       • Start the job and Entra users will be created/updated as AD accounts in your chosen OU
       • (If you need passwords, enable Password Writeback in your Azure AD Connect configuration so newly provisioned accounts get a synchronized password)
       Docs:
       • https://learn.microsoft.com/entra/identity/hybrid/provision-on-premises-active-directory
       • https://learn.microsoft.com/entra/identity/hybrid/cloud-sync/what-is-cloud-sync
    2. Microsoft Identity Manager (MIM) with the Azure AD Connector
       • Deploy MIM in your on-prem environment and install the MIM Azure AD connector
       • Configure your sync rules to import users from Entra and export them into AD
       • This is a more heavyweight approach but gives you full control over attribute flows, transformations, join rules, etc.
       Docs:
       • https://docs.microsoft.com/microsoft-identity-manager/

    Quick sketch of the flow with the Entra provisioning service:

    1. Grant your service account the necessary rights to the target OU in AD (create/update/delete users).
    2. Install the Entra provisioning agent on a member server or DC.
    3. In the Entra portal’s Provisioning blade, point to your on-prem agent, set your attribute mappings (e.g. userPrincipalName, displayName, mail).
    4. Set your scoping rules so you only provision the Entra users you want.
    5. Run the provisioning job; monitor errors under Provisioning > Job history.

    If you don’t have Azure AD Premium licensing or can’t install an agent, your fallback is to script it yourself using Graph API + the ActiveDirectory PowerShell module:

    • Pull users from Entra (Get-MgUser)

    • Create/update AD users (New-ADUser / Set-ADUser) on your DC VM

    Hope that points you in the right direction!

    Reference list

    1. Provisioning Entra users to on-prem AD via the Azure AD provisioning service https://learn.microsoft.com/entra/identity/hybrid/provision-on-premises-active-directory
    2. What is Microsoft Entra Cloud Sync (hybrid cloud sync)? https://learn.microsoft.com/entra/identity/hybrid/cloud-sync/what-is-cloud-sync
    3. Microsoft Identity Manager overview https://docs.microsoft.com/microsoft-identity-manager/
    4. Password writeback in Azure AD Connect (if you need cloud passwords for on-prem accounts) https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-install-custom#password-writeback

  2. Marcin Policht 89,240 Reputation points MVP Volunteer Moderator
    2026-05-05T23:30:13.1433333+00:00

    You’ve run into a limitation rather than a misconfiguration. Entra Connect is based on AD being the authoritative source for user objects, not Entra ID. There isn’t a native Microsoft-supported, production-ready tool today that fully creates and manages AD user objects purely from Entra ID as the source of truth. The platform direction has been to move away from AD, not rebuild it from Entra.

    So what you’re trying to do is possible, but only with a custom approach. You can script the creation of AD users on your domain controller. This can be done with Microsoft Graph to read users from Entra and PowerShell against AD to create and maintain them.

    A simple pattern looks like this: query Entra users via Graph, check if they exist in AD (for example by UPN or a mapped attribute), and create them if not. You’d run this on a scheduled job or automation account that has line of sight to your domain controller.

    For example, retrieving users from Entra:

    # Read-only Graph scope is enough for the source side of the sync
    Connect-MgGraph -Scopes "User.Read.All"
    # -All pages through the whole tenant instead of the first 100 users
    $users = Get-MgUser -All
    

    Then for each user, check and create in AD:

    Import-Module ActiveDirectory
    
    foreach ($u in $users) {
        # Match on UPN; SilentlyContinue keeps one bad lookup from aborting the whole loop
        $existing = Get-ADUser -Filter "UserPrincipalName -eq '$($u.UserPrincipalName)'" -ErrorAction SilentlyContinue
    
        if (-not $existing) {
            # SamAccountName is taken from the UPN prefix: it must be unique and at most 20 characters
            # The literal password is a placeholder only; generate a per-user random value in practice
            New-ADUser `
                -Name $u.DisplayName `
                -GivenName $u.GivenName `
                -Surname $u.Surname `
                -UserPrincipalName $u.UserPrincipalName `
                -SamAccountName ($u.UserPrincipalName.Split("@")[0]) `
                -EmailAddress $u.Mail `
                -Enabled $true `
                -AccountPassword (ConvertTo-SecureString "TempP@ss123!" -AsPlainText -Force)
        }
    }
    

    You’d then extend this to handle updates, disables, and possibly group membership if your legacy apps depend on that. You also need to think about attribute mapping carefully, especially samAccountName length limits and uniqueness, since Entra doesn’t enforce the same constraints.

    An alternative approach is described at https://www.alitajran.com/sync-microsoft-entra-id-user/ - this actually allows you to maintain the relationship between AD users and Entra ID users - so even though a bit more complex, it's worth considering.

    Finally, if you want a commercial product that allows you to implement it, there are identity governance or provisioning tools like Microsoft Identity Manager, One Identity, or SailPoint that can do Entra-to-AD provisioning, but those add cost and complexity.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

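Worked example, added here and not code from either answer, from Microsoft, or from the linked article: a fuller version of the Graph + ActiveDirectory script that both answers sketch, extended the way Marcin suggests (updates, disables, sAMAccountName length and uniqueness). It assumes the Microsoft.Graph.Users and ActiveDirectory modules are installed, a placeholder target OU (OU=EntraSynced,DC=corp,DC=example), and that extensionAttribute1 (present in Exchange-extended schemas; any unused string attribute works) is free to hold the Entra object id as a stable anchor. The functions New-RandomPassword and Get-UniqueSamAccountName are this example's own.

```powershell
# Added example, not code from the thread: reconcile Entra ID member users into one AD OU
# using Microsoft Graph and the ActiveDirectory module. Assumptions: the Microsoft.Graph.Users
# and ActiveDirectory modules are installed, the run-as account can create and modify users in
# $TargetOU, and the schema has extensionAttribute1 (Exchange-extended forests) to hold the
# Entra object id as a stable anchor. OU, domain and attribute names below are placeholders.
param(
    [string] $TargetOU        = 'OU=EntraSynced,DC=corp,DC=example',  # placeholder OU
    [string] $AnchorAttribute = 'extensionAttribute1',                 # placeholder anchor
    [switch] $DryRun                                                   # report, change nothing
)
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

# Per-user random initial password instead of a shared literal. It is never logged or shown;
# the user is forced to set a real password at first logon (or resets it via SSPR/helpdesk).
function New-RandomPassword {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # base64 supplies upper, lower and digits; the trailing '!' guarantees the symbol class
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes) + '!') -AsPlainText -Force
}

# Derive a legal, unique sAMAccountName from the UPN prefix: strip characters AD rejects,
# cap at 20 characters (the pre-Windows 2000 limit), then add a numeric suffix on collision.
function Get-UniqueSamAccountName([string] $Upn, [hashtable] $Taken) {
    $base = $Upn.Split('@')[0] -replace "[\\/\[\]:;|=,+*?<>`"'@]", ''
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }
    $candidate = $base; $n = 1
    while ($Taken.ContainsKey($candidate.ToLower()) -or
           (Get-ADUser -Filter "SamAccountName -eq '$candidate'" -ErrorAction SilentlyContinue)) {
        $suffix = [string]$n; $n++
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length)) + $suffix
    }
    $Taken[$candidate.ToLower()] = $true
    return $candidate
}

# Pull Entra member users with the attributes that get mapped; guests are out of scope.
$entraUsers = Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,GivenName,Surname,Mail,AccountEnabled,UserType |
    Where-Object { $_.UserType -eq 'Member' -and $_.UserPrincipalName }

$taken = @{}; $seen = @{}
foreach ($u in $entraUsers) {
    $seen[$u.Id] = $true
    # Match on the stored Entra object id, not the UPN, so a rename in Entra updates the
    # existing account instead of creating a duplicate.
    $existing = Get-ADUser -SearchBase $TargetOU -Filter "$AnchorAttribute -eq '$($u.Id)'" `
        -Properties $AnchorAttribute, mail, displayName -ErrorAction SilentlyContinue

    if (-not $existing) {
        if (-not $u.AccountEnabled) { continue }   # never create an account Entra already disabled
        $sam = Get-UniqueSamAccountName -Upn $u.UserPrincipalName -Taken $taken
        Write-Host "CREATE  $($u.UserPrincipalName) -> $sam"
        if ($DryRun) { continue }
        $new = @{ Name = $sam; SamAccountName = $sam; UserPrincipalName = $u.UserPrincipalName;
                  Path = $TargetOU; Enabled = $true; ChangePasswordAtLogon = $true;
                  AccountPassword = (New-RandomPassword); OtherAttributes = @{ $AnchorAttribute = $u.Id } }
        # Only splat attributes Entra actually has a value for, rather than passing $null
        if ($u.DisplayName) { $new.DisplayName  = $u.DisplayName }
        if ($u.GivenName)   { $new.GivenName    = $u.GivenName }
        if ($u.Surname)     { $new.Surname      = $u.Surname }
        if ($u.Mail)        { $new.EmailAddress = $u.Mail }
        New-ADUser @new
        continue
    }

    # Update only the attributes that differ so the job is idempotent and each run leaves a
    # minimal, meaningful trail in the AD audit log.
    $changes = @{}
    if ($existing.displayName -cne $u.DisplayName)            { $changes.DisplayName       = $u.DisplayName }
    if ($existing.GivenName -cne $u.GivenName)                { $changes.GivenName         = $u.GivenName }
    if ($existing.Surname -cne $u.Surname)                    { $changes.Surname           = $u.Surname }
    if ($existing.mail -ne $u.Mail)                           { $changes.EmailAddress      = $u.Mail }
    if ($existing.UserPrincipalName -ne $u.UserPrincipalName) { $changes.UserPrincipalName = $u.UserPrincipalName }
    if ($existing.Enabled -ne $u.AccountEnabled)              { $changes.Enabled           = $u.AccountEnabled }
    if ($changes.Count -gt 0) {
        Write-Host "UPDATE  $($existing.SamAccountName): $($changes.Keys -join ', ')"
        if (-not $DryRun) { Set-ADUser -Identity $existing @changes }
    }
}

# Accounts this job owns (anchor set) whose Entra object no longer exists: disable, do not
# delete, so the SID, group memberships and audit history survive for review.
Get-ADUser -SearchBase $TargetOU -Filter "$AnchorAttribute -like '*'" -Properties $AnchorAttribute |
    Where-Object { $_.Enabled -and -not $seen.ContainsKey($_.$AnchorAttribute) } |
    ForEach-Object {
        Write-Host "DISABLE $($_.SamAccountName) (no longer in Entra)"
        if (-not $DryRun) { Disable-ADAccount -Identity $_ }
    }
```

Run it first as `.\Sync-EntraToAD.ps1 -DryRun` to see the CREATE/UPDATE/DISABLE plan without touching AD, then schedule it under a service account whose rights are scoped to the target OU. Anchoring on the Entra object id rather than the UPN is what keeps the AD-to-Entra relationship intact across renames (the point of the alitajran article), and disabling rather than deleting orphaned accounts keeps the SID and its history available for incident review while still cutting access for the legacy apps.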