
Automate hybrid Active Directory with a PowerShell runbook

Ruben van der Graaf · 6 min read

Drive on-prem AD groups from attributes in a hybrid environment. Here is how it works with Entra ID dynamic groups, a PowerShell runbook on a hybrid worker, and Entra Connect under one rule model.

In a hybrid environment your users live in two places at once: in Microsoft Entra ID and in your on-prem Active Directory. You manage access in both. In the cloud you can use dynamic groups, but on-prem AD has no such mechanism. This article shows how to automate group memberships in on-prem AD based on attributes anyway, with a PowerShell runbook on a hybrid worker and Entra Connect syncing the changes back. One rule model drives both directories.

TL;DR

  • On-prem Active Directory has no dynamic groups, so attribute-based membership has to be driven by something you run yourself.
  • A PowerShell runbook on a hybrid worker reads attributes from AD and applies the group memberships in AD.
  • Entra Connect syncs those AD changes back to Entra ID, so the cloud follows along.
  • In the cloud you set up the same logic with Entra ID dynamic groups. One rule model for both directories.
  • ServiceChanger reacts by default to the attributes already in your directory. Always test a new rule on a small test group first.

Why on-prem AD differs from the cloud

Entra ID has dynamic groups: you write a membership rule and Entra fills the group itself. On-prem Active Directory does not. AD groups are static. If you want an AD group to follow from an attribute like department or job title, there has to be a process that reads the attributes and updates the memberships.

That is exactly the gap a runbook fills. The runbook is a PowerShell script that runs on a schedule or a trigger, reads the relevant attributes, and puts the right users in the right AD groups. Whatever no longer fits the rule, it removes again.

The role of the hybrid worker and Entra Connect

A runbook in an Azure Automation account runs in an Azure sandbox by default and has no network path to your domain controllers from there. For on-prem work you use a Hybrid Runbook Worker: a machine in your own network that runs the runbook locally, with line of sight to AD. There the runbook uses the Active Directory PowerShell module to change groups and memberships. It does so under a credential of its own, so scope that account carefully: delegate write access on the member attribute of the groups the model manages, nothing broader, and keep the account out of the built-in admin groups.

Entra Connect does the other half. As soon as the runbook changes a membership in AD, Entra Connect picks the change up on its next sync cycle (every 30 minutes by default) and pushes it to Entra ID, provided the group sits inside the sync scope. So the cloud side needs nothing special: it simply sees the synchronized group with its new members.

The flow in order:

  1. An attribute in AD changes (for example a user's department).
  2. The runbook runs on the hybrid worker, reads the attribute, and determines the right set of groups.
  3. The runbook updates the AD group memberships: it adds what belongs, removes what no longer fits.
  4. Entra Connect syncs the changed groups to Entra ID.
  5. The cloud side follows along without a separate action.

The model: one attribute, a set of groups

The core of the model is simple. One attribute value stands for a whole set of groups. You set the attribute, the set follows. Change the attribute, the set swaps and the stale memberships are cleaned up. No separate tickets per group, no forgotten leftover access. The flip side is that the attribute has become an access decision: whoever can write department can hand out the whole Finance set, so the write path to that attribute (the HR feed, the helpdesk) deserves the same control you would put on group membership itself.

In simplified PowerShell the rule looks like this (the group names are placeholders):

# Department Finance -> set of AD groups
$user  = Get-ADUser $SamAccountName -Properties Department
$rules = @{ 'Finance' = @('AD-Finance-FileShare', 'AD-Finance-Reporting', 'AD-Finance-Printers') }
$managed_groups = @($rules.Values | ForEach-Object { $_ })   # every group any rule can hand out
$target_groups  = @()                                        # empty set when no rule matches
if ($rules.ContainsKey([string]$user.Department)) { $target_groups = $rules[[string]$user.Department] }

# Determine the difference and apply it
$current_groups = (Get-ADPrincipalGroupMembership $user).Name
$add    = $target_groups  | Where-Object { $_ -notin $current_groups }
$remove = $managed_groups | Where-Object { $_ -in $current_groups -and $_ -notin $target_groups }

foreach ($g in $add)    { Add-ADGroupMember    -Identity $g -Members $user }
foreach ($g in $remove) { Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }

Note the difference between target_groups and managed_groups. The runbook only cleans up groups it manages itself. Groups you assign by hand outside the model are left alone. That stops an automation pass from wiping out deliberate manual exceptions.

A concrete walkthrough. An employee moves from Sales to Finance. Someone changes the department attribute from Sales to Finance, in AD or in the source system that writes to AD. On the next run the runbook reads the new value, determines that the Finance set is now correct, adds the three Finance groups, and removes the Sales groups it manages. Entra Connect syncs the new groups to Entra ID. The employee has the right access in both directories, and the old access is gone.
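The walkthrough above as a complete runbook for the hybrid worker, added here as an example; it is not ServiceChanger's own code. It generalizes the single Finance rule to a table of departments and runs over every enabled user in one OU. The OU path, the group names and the rule table are placeholders. The script declares SupportsShouldProcess, so running it with -WhatIf prints what it would add and remove without touching AD, which is the closest thing to a shadow mode the platform gives you; pointing -SearchBase at a test OU is the "small test group first" from the TL;DR.

```powershell
<#
  Added example for this article, not ServiceChanger's runbook.
  Assumptions (placeholders, not from the article): the OU path, the group names, the
  rule table, and that the Hybrid Runbook Worker's account has been delegated write
  access on the member attribute of exactly the groups listed in $Rules, nothing else.
  Run with -WhatIf to see the changes without applying them.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string] $SearchBase = 'OU=Staff,DC=corp,DC=example'
)

Import-Module ActiveDirectory

# One attribute value stands for one set of groups. Only groups named here are ever touched.
$Rules = @{
    'Finance' = @('AD-Finance-FileShare', 'AD-Finance-Reporting', 'AD-Finance-Printers')
    'Sales'   = @('AD-Sales-FileShare', 'AD-Sales-CRM')
}
# managed_groups from the article: the union of every set a rule can hand out.
# A group assigned by hand that appears in no rule is outside this list and is left alone.
$ManagedGroups = @($Rules.Values | ForEach-Object { $_ } | Sort-Object -Unique)

# Pure rule evaluation, kept apart from the directory calls so it can be tested offline.
function Get-MembershipDelta {
    param([string] $Department, [string[]] $CurrentGroups)
    $target = @()
    if ($Department -and $Rules.ContainsKey($Department)) { $target = $Rules[$Department] }
    [pscustomobject]@{
        Add    = @($target        | Where-Object { $_ -notin $CurrentGroups })
        Remove = @($ManagedGroups | Where-Object { ($_ -in $CurrentGroups) -and ($_ -notin $target) })
    }
}

# Read each managed group's direct members once, as DNs, instead of one lookup per user.
$Members = @{}
foreach ($g in $ManagedGroups) {
    $Members[$g] = @((Get-ADGroup -Identity $g -Properties Member).Member)
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties Department
foreach ($u in $users) {
    $current = @($ManagedGroups | Where-Object { $Members[$_] -contains $u.DistinguishedName })
    $delta   = Get-MembershipDelta -Department $u.Department -CurrentGroups $current

    foreach ($g in $delta.Add) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Add to $g")) {
            Add-ADGroupMember -Identity $g -Members $u
        }
    }
    foreach ($g in $delta.Remove) {
        # Remove-ADGroupMember prompts by default; -Confirm:$false keeps an unattended run moving.
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Remove from $g")) {
            Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false
        }
    }
}
```

For the Sales-to-Finance move in the walkthrough, Get-MembershipDelta returns the three Finance groups in Add and the two Sales groups in Remove; a group the employee holds that appears in no rule is in neither list. Keep built-in privileged groups such as Domain Admins out of the rule table: an attribute the helpdesk can edit must never be able to mint an administrator.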

One rule model for two directories

The gain is one rule set that drives both sides. In the cloud you translate the model to Entra ID dynamic groups with a membership rule on the same attribute. On-prem the runbook translates the same attribute to AD group memberships. You manage one set of rules, not two separate worlds drifting apart.
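The cloud half of the same rule table, added here as an example (not ServiceChanger's code), using the Microsoft Graph PowerShell SDK. It assumes Connect-MgGraph -Scopes 'Group.ReadWrite.All' has already run and that the group names are placeholders. The dynamic membership rule for a user attribute has the form (user.department -eq "Finance"). One caveat the article does not spell out: a group that Entra Connect synchronizes from AD is read-only in Entra ID and cannot be given a dynamic rule, so the dynamic group is a separate cloud-only object that happens to follow the same attribute as the on-prem set.

```powershell
# Added example, not ServiceChanger code. Assumes the Microsoft.Graph.Groups module is installed,
# Connect-MgGraph -Scopes 'Group.ReadWrite.All' has run, and the group names are placeholders.
Import-Module Microsoft.Graph.Groups

# Same rule table as the on-prem runbook; the cloud side keys off the attribute values only.
$Rules = @{
    'Finance' = @('AD-Finance-FileShare', 'AD-Finance-Reporting', 'AD-Finance-Printers')
    'Sales'   = @('AD-Sales-FileShare', 'AD-Sales-CRM')
}

# Build the Entra ID dynamic membership rule for one attribute value.
function ConvertTo-MembershipRule {
    param([string] $Attribute, [string] $Value)
    "(user.$Attribute -eq `"$Value`")"
}

foreach ($dept in $Rules.Keys) {
    $name = "Cloud-$dept"
    $rule = ConvertTo-MembershipRule -Attribute 'department' -Value $dept

    $existing = Get-MgGroup -Filter "displayName eq '$name'" | Select-Object -First 1
    if ($existing) {
        # Idempotent: a re-run only refreshes the rule on the group that is already there.
        Update-MgGroup -GroupId $existing.Id -MembershipRule $rule -MembershipRuleProcessingState 'On'
        continue
    }
    New-MgGroup -DisplayName $name -MailNickname $name.ToLower() -MailEnabled:$false -SecurityEnabled `
                -GroupTypes 'DynamicMembership' -MembershipRule $rule -MembershipRuleProcessingState 'On' |
        Out-Null
}
```

Because both scripts read the same $Rules table, adding a department means adding one key: the runbook picks up the new AD set on its next run and this script creates the matching dynamic group, which is the "one rule set" the paragraph above describes.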

This is how ServiceChanger works. It manages memberships of groups and roles in both Entra ID and on-prem AD, rules-based. In the cloud through dynamic groups, on-prem through the PowerShell runbook on the hybrid worker, with Entra Connect syncing it back. By default ServiceChanger reacts to the attributes already in your directory. If you want to connect an HR system for onboarding and offboarding, joiner-mover-leaver, we build that as custom work with automation accounts and runbooks in Azure. That is not a standard feature.

Keep one thing clear: ServiceChanger has no shadow mode. The safe way to roll out a new rule is to run it on a small test group first, check the result, and only then go wider.

FAQ

Do I need an Azure Automation account? For on-prem AD work you use a runbook that runs on a Hybrid Runbook Worker in your own network, so it can reach your domain controllers. The Automation account schedules and orchestrates the runbooks. The runbook itself does the work locally.

What does Entra Connect do here exactly? Entra Connect syncs the changes the runbook makes in on-prem AD back to Entra ID. The runbook updates AD, Entra Connect makes sure the cloud follows. You do not have to update the cloud side separately for synchronized groups.

What happens to manual exceptions? The runbook only manages the groups that fall within the model. Groups you assign by hand outside it are left untouched. That keeps automation from clashing with deliberate exceptions.

Does ServiceChanger have a shadow mode? No. The safe rollout is to run a new rule on a small test group first and check the result before rolling it out wider.

Next step

Want to drive your hybrid Active Directory from one rule model, without maintaining memberships by hand? ServiceChanger manages groups and roles in Entra ID and on-prem AD, rules-based, with a PowerShell runbook on a hybrid worker and Entra Connect. Book a demo.