Introduction
In many organizations, RDP access to servers is controlled using long-lived AD groups. These groups can be synced to Entra ID via Entra Connect, but the permissions and access paths sit entirely in Active Directory.
Instead of replacing these groups and re-configuring every server, we convert the source of authority (SOA) from AD → Cloud, then leverage Entra Cloud Sync to write the group back to AD, keeping all your existing access rules in place.
Finally, we layer Entra ID Privileged Identity Management (PIM) to enforce just-in-time, audited, MFA-secured server access.
Perfect for environments where replacing AD access groups and updating GPOs/server permissions isn’t feasible.
Note: RDP access is used here only as an example scenario. Every organization will have its own scenarios, such as application access, file server permissions, database access, and other privileged resource controls. This approach applies across all similar use cases where secure, time-bound access is required.
Staying with the RDP access example: in most real-world environments, privileged server access is typically managed through a dedicated PAM solution.
However, if a third-party PAM platform is not available, you can also leverage Microsoft Entra + Global Secure Access (Private Access) to securely publish and access on-prem servers and resources—benefiting from Entra capabilities like Conditional Access, PIM, MFA, device trust, and session controls for end-to-end secure access.
Ref: Microsoft Entra Private Network Connector: A Comprehensive Guide to Secure Internal Access
What We're Solving
| Challenge | Solution |
|---|---|
| Permanent AD group membership for server access | Time-bound, approval-based access via Entra PIM |
| Risky manual AD group changes | Cloud-managed group lifecycle + audit logs |
| Need to preserve existing AD permissions | Write back the same group, no GPO rewiring |
| Hybrid identity technical debt | SOA cloud conversion + modern governance |
You keep the same group name, same permissions, and same GPO links; only membership authority moves to Entra ID.
Prerequisites
- On-prem AD
- Entra ID P2 (or Entra ID Governance)
- Entra Cloud Sync agent deployed
- Cloud Sync handles Group write-back
- Existing AD security group (only Universal groups are supported) mapped to RDP access
- Entra Connect still allowed for user/device sync (optional)
Step-by-Step Guide
Step 1 Identify the AD RDP Access Group
Find the group already used for RDP. Example: defender4\Remote-Access-Admins
Group mapped in an AD GPO for Remote Desktop access
Validate that it is syncing to Entra ID: confirm the group exists in Entra.
Step 2 Convert the Group SOA to Cloud and Sync Back to Local AD
For the detailed process, refer to my previous blog How to Change Active Directory Group Source of Authority to Microsoft Entra ID
Go to Graph Explorer
Execute the update call to change isCloudManaged to true. For example:

```http
PATCH https://graph.microsoft.com/v1.0/groups/{group-id}/onPremisesSyncBehavior
Content-Type: application/json

{
  "isCloudManaged": true
}
```
This moves membership control from AD → Entra.
- Group becomes cloud authoritative
- Prepares it for PIM and writeback
- No change to on-prem servers yet
Note: After SOA change, don't edit membership in AD anymore.
Now let's sync the group back to local AD using Cloud Sync provisioning.
The provisioning cycle runs every 20 minutes, automatically sending any group updates to on-prem. The cloud-converted group is now successfully provisioned back to the local AD.
Since the group SID remains unchanged, all existing on-prem permissions and GPO links continue to work without any impact.
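The SOA conversion from Step 2 as a scripted, verifiable operation in Microsoft Graph PowerShell. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that the Graph permission name used for onPremisesSyncBehavior matches the one granted in your tenant, and it reuses the group name from the post.

```powershell
# Added example (not from the original post): convert one AD-synced group's SOA to cloud
# via Microsoft Graph PowerShell and confirm the change took effect without altering the SID.
$GroupName = 'Remote-Access-Admins'   # group name from the post; adjust for your environment

# Scope for reading/writing onPremisesSyncBehavior (assumed name; verify in your tenant)
Connect-MgGraph -Scopes 'Group.Read.All','Group-OnPremisesSyncBehavior.ReadWrite.All' -NoWelcome

# Resolve the group and refuse to continue if the name is missing or ambiguous
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" `
    -Property Id,DisplayName,OnPremisesSyncEnabled,OnPremisesSecurityIdentifier
if (-not $group -or $group.Count -ne 1) { throw "Expected exactly one group named '$GroupName'" }
if (-not $group.OnPremisesSyncEnabled) { throw "Group is not synced from on-prem AD; nothing to convert" }

# Record the on-prem SID up front: the same object is written back, so it must not change
$sidBefore = $group.OnPremisesSecurityIdentifier
$uri = "https://graph.microsoft.com/v1.0/groups/$($group.Id)/onPremisesSyncBehavior"

# Current SOA state (isCloudManaged = $false means AD is still authoritative)
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($before.isCloudManaged) { Write-Host "Group is already cloud-managed, skipping."; return }

# The PATCH from the post: flip membership authority to Entra ID
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ isCloudManaged = $true } -ContentType 'application/json'

# Verify: the flag is now true and the SID is unchanged, so existing GPO links keep resolving
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
$sidAfter = (Get-MgGroup -GroupId $group.Id -Property OnPremisesSecurityIdentifier).OnPremisesSecurityIdentifier
if (-not $after.isCloudManaged) { throw "SOA change did not take effect" }
if ($sidAfter -ne $sidBefore) { throw "SID changed unexpectedly: $sidBefore -> $sidAfter" }
Write-Host "Group '$GroupName' is now cloud-managed; SID $sidAfter unchanged. Stop editing its membership in AD."
```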
Step 3 Enable PIM for the Group
For the Entra ID PIM for Groups setup, refer to my blog Exploring Microsoft Entra ID Privileged Identity Management (PIM) Part-3/3 (Groups & Access Review).
Now let's onboard our group to PIM.
After completing the group PIM onboarding, we will assign our member user to the group as an eligible role assignment.
We also customized the Group PIM settings to fit our requirements, limiting member activation duration to 4 hours and enforcing MFA for membership activation.
Step 4 Validate PIM & Group Writeback
First, access the server via RDP without activating group membership.
As shown in the screenshot above, the user currently does not have RDP access.
You can also see that the group in the local AD contains only one user. Our actual user, Alice, is not yet a member because she hasn’t activated her eligible role.
Now, let's sign in as Alice and activate the eligible membership role.
Alice signs into her account, navigates to Privileged Identity Management, selects Groups, and sees the assigned group where she has eligible membership.
Alice selects Activate, enters the justification and duration, and then proceeds with activation. Since she already completed MFA when signing into the Azure portal, the same MFA claim is reused, and she is not prompted again. If an Authentication Context with strong authentication is applied, users can be required to provide stronger factors such as Windows Hello for Business or passkeys.
After a few seconds, Alice will see her group membership marked as active.
According to the Cloud Sync provisioning status, the group updates have been successfully sent to the on-premises AD. Now let's verify the group membership status in the local AD group.
Alice’s group membership has been successfully updated. Now, let’s attempt to connect via RDP to the proxy VM where access has been granted.
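The validation in Step 4, and the first and third rows of the troubleshooting table below, both come down to one check: does the written-back AD group match the cloud-authoritative group in Entra ID? This added script (not from the original post) compares the two member lists and reports drift in either direction; it assumes the ActiveDirectory and Microsoft.Graph modules are available, that the account used can read both sides, and reuses the group name from the post.

```powershell
# Added example (not from the original post): compare the cloud-authoritative group's
# membership in Entra ID with the written-back copy in local AD and report drift.
$GroupName = 'Remote-Access-Admins'   # group name from the post; adjust for your environment

Connect-MgGraph -Scopes 'Group.Read.All','User.Read.All' -NoWelcome
$cloudGroup = Get-MgGroup -Filter "displayName eq '$GroupName'" -Property Id,DisplayName
if (-not $cloudGroup -or $cloudGroup.Count -ne 1) { throw "Expected exactly one group named '$GroupName'" }

# Entra side: active members only. PIM-eligible users are NOT members until they activate,
# so after Alice activates she appears here and after expiry she disappears again.
$cloudMembers = Get-MgGroupMember -GroupId $cloudGroup.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ } | Sort-Object -Unique

# AD side: direct user members only; nested groups are flagged because writeback
# does not carry them (see the troubleshooting table)
$adMembersRaw = Get-ADGroupMember -Identity $GroupName
$nested = $adMembersRaw | Where-Object objectClass -eq 'group'
if ($nested) { Write-Warning "Nested groups present in the AD copy: $($nested.Name -join ', ')" }
$adMembers = $adMembersRaw | Where-Object objectClass -eq 'user' |
    ForEach-Object { (Get-ADUser $_.distinguishedName -Properties userPrincipalName).userPrincipalName } |
    Where-Object { $_ } | Sort-Object -Unique

# Drift in either direction maps to a row of the troubleshooting table
$staleInAD   = @($adMembers    | Where-Object { $_ -notin $cloudMembers })  # access lingering after expiry
$missingInAD = @($cloudMembers | Where-Object { $_ -notin $adMembers })     # activation not yet written back

foreach ($u in $staleInAD)   { Write-Warning "$u is in AD but not in Entra: check Cloud Sync provisioning logs and AD replication" }
foreach ($u in $missingInAD) { Write-Warning "$u is active in Entra but absent from AD: wait for the next Cloud Sync cycle (about 20 min) or check agent health" }
if ($staleInAD.Count -eq 0 -and $missingInAD.Count -eq 0) {
    Write-Host "AD copy of '$GroupName' matches Entra ID ($(@($cloudMembers).Count) members)"
}
```

Run it once before activation (Alice should be absent from both lists) and again after the next provisioning cycle; any warning line is the symptom to chase in the troubleshooting table.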
Why This is Powerful
| Benefit | Description |
|---|---|
| Zero-trust for RDP | JIT, MFA, approval |
| No AD/GPO rework | Existing access stays intact |
| Audit everything | PIM + Entra logs + AD logs |
| Fast to deploy | No server-side reconfiguration |
| Cloud governance for old AD infra | Modern controls without migration |
Troubleshooting Tips
| Issue | Fix |
|---|---|
| Membership not updating AD | Verify Cloud Sync filter + agent health |
| Object attribute conflict | After the SOA change, make sure group updates happen only from the cloud |
| User still has access after expiry | Check Cloud Sync Provisioning + AD replication |
| Nested groups not applied | Avoid nested membership with writeback |