Security Groups in Azure AD

Security Groups in Azure AD can be static or dynamic and can contain devices and users. A security Group should not contain devices and users, create separate Security Groups for each.

When creating a new Security Group, think carefully about the naming convention. It should be clear to everyone that this is a security group and not a Microsoft 365 Group. Furthermore, it must be clear what the purpose of the group is. Examples:
Sg-NameOfGroup; Description of the Group
Sg-Dept-Sales; Members of the Sales department
Sg-ConditionalAccess-Exclude; Members of this group are excluded from Conditional Access

Also prevent nesting of Security Groups, do not make a Group member of a Group. Keep it flat. Nesting Security Groups has limited support within Azure so far. See this Microsoft Docs article for more details:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-membership-azure-portal

It is also wise not to allocate resources directly to devices and users, use Security Groups for this. A good example is the granting of licenses to users. For example, you make a standard user a member of the Sg-License-Standard Group, which means that the user is assigned the Microsoft 365 Business Premium license. This way you have more control over your licenses.

In some cases it is useful to have the groups filled automatically, for example if you want to create a group with all your Autopilot Devices. You create a new security group for this and choose:
Membership type: Dynamic Device > Add dynamic query > Add expression
To create a group that includes all of your Autopilot devices, enter: (device.devicePhysicalIDs -any (_ -contains “[ZTDId]”))
See this Microsoft Docs article for more details:
https://docs.microsoft.com/en-us/mem/autopilot/enrollment-autopilot

As you can read, a lot is possible with Security Groups, but keep thinking carefully about the naming convention.

You may also like...

Leave a Reply

Your email address will not be published.