Migration from pure Entra Cloud environment to hybrid on-prem AD x Entra environment

Paulllll_ 0 Reputation points
2024-04-30T08:30:41.1133333+00:00

Hello Community,

I have the problem that we want to switch from a pure Entra environment (with users, groups, etc.) to a hybrid model, in order to be able to use the advantages of on-prem AD - especially 802.1X user authentication in WiFi via EAP-TLS.

I'm aware of a solution with a cloud RADIUS server, but they seem to be a bit too pricey (unless I'm incorrect in my assumption?).

Unfortunately, I found out that this way is not as easy as the other way around (from on-prem to hybrid).

If I have understood correctly, it is not possible to automatically migrate users from Entra to AD because Entra does not have user writeback rights?

I really hope I am wrong here, but unfortunately I have found soberingly little Microsoft documentation apart from this (https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory), which only allows group creation? I would be very grateful for enlightenment; if available, a guide or further documentation would also be appreciated.

Many thanks in advance!


1 answer

  1. Vasil Michev 96,516 Reputation points MVP
    2024-04-30T15:20:08.1633333+00:00

    There is no user writeback feature indeed; the usual approach is to export the properties of the cloud users via PowerShell/Graph API and use the exported data to create matching accounts in your on-premises AD. After which, you can configure the sync.

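The export-then-create flow the answer describes, as an added PowerShell example (it is not code from the original answer or from Microsoft). It assumes the Microsoft.Graph and ActiveDirectory modules are installed, that `contoso.com` is a placeholder for a verified Entra domain that is also an AD UPN suffix, and that the target OU is a placeholder. It relies on Entra Connect / Cloud Sync soft-matching the new AD objects to the existing cloud users by UserPrincipalName and proxyAddresses, which is why both are copied exactly; the third phase checks after the first sync that each cloud user was matched (same object Id, now flagged as synced) rather than duplicated.

```powershell
# Added example, not part of the original post or answer.
# Assumptions: Microsoft.Graph + ActiveDirectory modules present; 'contoso.com'
# and the OU below are placeholders; Entra Connect / Cloud Sync will soft-match
# on UPN / proxyAddresses once the AD objects exist.

# ---- Phase 1: export cloud-only member users via Microsoft Graph ----
Connect-MgGraph -Scopes 'User.Read.All'

$props = 'Id','UserPrincipalName','DisplayName','GivenName','Surname','Mail',
         'ProxyAddresses','AccountEnabled','UserType','OnPremisesSyncEnabled'

$export = Get-MgUser -All -Property $props |
    Where-Object {
        $_.UserType -eq 'Member' -and            # skip guests
        -not $_.OnPremisesSyncEnabled -and       # skip anything already synced
        $_.UserPrincipalName -notlike '*#EXT#*'  # skip external-style UPNs
    } |
    Select-Object Id, UserPrincipalName, DisplayName, GivenName, Surname, Mail,
        @{ n = 'ProxyAddresses'; e = { $_.ProxyAddresses -join ';' } }, AccountEnabled

$export | Export-Csv -Path .\entra-users.csv -NoTypeInformation -Encoding UTF8

# ---- Phase 2: create matching on-prem AD accounts from the export ----
Import-Module ActiveDirectory
$ou    = 'OU=CloudImported,DC=corp,DC=contoso,DC=com'   # placeholder OU
$users = Import-Csv -Path .\entra-users.csv

foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    $sam = $upn.Split('@')[0]
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName limit

    # Never overwrite an existing AD object: a UPN collision needs a human decision.
    if (Get-ADUser -Filter "userPrincipalName -eq '$upn'") {
        Write-Warning "Skipping ${upn}: an AD object with this UPN already exists"
        continue
    }

    # Random throwaway password; the account stays disabled until Phase 3 confirms the match.
    $chars = (48..57) + (65..90) + (97..122)
    $plain = -join ($chars | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    $pw    = ConvertTo-SecureString -String $plain -AsPlainText -Force

    $proxy = @($u.ProxyAddresses -split ';' | Where-Object { $_ })

    $params = @{
        Name                  = $u.DisplayName
        SamAccountName        = $sam
        UserPrincipalName     = $upn            # must match the cloud UPN exactly
        GivenName             = $u.GivenName
        Surname               = $u.Surname
        DisplayName           = $u.DisplayName
        EmailAddress          = $u.Mail
        Path                  = $ou
        AccountPassword       = $pw
        Enabled               = $false
        ChangePasswordAtLogon = $true
    }
    if ($proxy.Count -gt 0) {
        $params.OtherAttributes = @{ proxyAddresses = [string[]]$proxy }
    }
    New-ADUser @params
}

# ---- Phase 3: after the first sync cycle, verify every user was matched ----
foreach ($u in $users) {
    $cloud = Get-MgUser -UserId $u.UserPrincipalName `
                -Property Id, OnPremisesSyncEnabled, OnPremisesSamAccountName -ErrorAction SilentlyContinue
    if (-not $cloud -or $cloud.Id -ne $u.Id -or -not $cloud.OnPremisesSyncEnabled) {
        # A different Id means the sync created a duplicate instead of matching.
        Write-Warning "$($u.UserPrincipalName) not matched: Id=$($cloud.Id) synced=$($cloud.OnPremisesSyncEnabled)"
    }
    else {
        Enable-ADAccount -Identity $cloud.OnPremisesSamAccountName
    }
}
```

Run Phase 1 and 2 before installing the sync agent, then Phase 3 only after the first sync has completed. Leaving the AD accounts disabled until the match is confirmed keeps an unmatched or duplicated object from becoming a usable credential on the domain, and the UPN-collision check ensures the import never silently takes over an account that already exists on-prem.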