What's the best practice for security management in Azure AD, to manage policies/rules in MEM/Intune and Conditional Access, so that access for a specific rule/right can easily be reviewed and added/removed?
Some examples: what is the best practice when we apply a Conditional Access policy to a group of users?
- Do we set a specific Azure AD group (like ForceMFA for MFA) in the Conditional Access policy, then add groups or users to this Azure AD group?
- Or do we add Azure AD groups or users (like Boston-Manager, Florida-Marketing…) directly in the Conditional Access settings?
Same for Intune/MEM policies (like compliance policies):
- Do we set a specific Azure AD group (like Intune-Compliance-W10-Include, Intune-Compliance-W10-Exclude) for these policies, then add groups or users to this group?
- Or do we add Azure AD groups or users directly in the Intune policy settings?
Is there a Microsoft best practice for Azure AD management, like the AGDLP rule for on-prem AD, and what are the advantages/disadvantages of using nested groups in Azure AD? Thanks!
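Whichever of the two assignment models is chosen, the review step the question asks for comes down to being able to see, per Conditional Access policy, which groups are assigned and whether any users were assigned directly (bypassing the group). The following script is an added example, not part of the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account has consent for the Policy.Read.All and Group.Read.All scopes.

```powershell
# Added example (not from the original post): inventory Conditional Access
# assignments so group-based vs. direct-user assignments can be reviewed in one table.
# Assumption: Microsoft.Graph SDK installed; reader has Policy.Read.All + Group.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All' | Out-Null

$groupNames = @{}   # cache: group object id -> displayName
function Resolve-GroupName {
    param([string]$Id)
    if (-not $groupNames.ContainsKey($Id)) {
        try   { $groupNames[$Id] = (Get-MgGroup -GroupId $Id -ErrorAction Stop).DisplayName }
        catch { $groupNames[$Id] = "<deleted or unreadable: $Id>" }   # stale assignment
    }
    return $groupNames[$Id]
}

$guid = '^[0-9a-f-]{36}$'   # object ids; 'All', 'None', 'GuestsOrExternalUsers' are not ids

$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $u = $p.Conditions.Users
    [pscustomobject]@{
        Policy         = $p.DisplayName
        State          = $p.State          # enabled / disabled / enabledForReportingButNotEnforced
        IncludeGroups  = (@($u.IncludeGroups) | ForEach-Object { Resolve-GroupName $_ }) -join '; '
        ExcludeGroups  = (@($u.ExcludeGroups) | ForEach-Object { Resolve-GroupName $_ }) -join '; '
        IncludeSpecial = (@($u.IncludeUsers) | Where-Object { $_ -notmatch $guid }) -join '; '
        DirectUsers    = @($u.IncludeUsers | Where-Object { $_ -match $guid }).Count
        DirectExcludes = @($u.ExcludeUsers | Where-Object { $_ -match $guid }).Count
    }
}

$report | Sort-Object Policy | Format-Table -AutoSize

# Policies with directly assigned users are the ones whose access cannot be
# reviewed or revoked through group membership alone; list them separately.
$report | Where-Object { $_.DirectUsers -gt 0 -or $_.DirectExcludes -gt 0 } |
    Select-Object Policy, State, DirectUsers, DirectExcludes
```

Group names that resolve to "deleted or unreadable" point at assignments whose group no longer exists, which is the kind of drift a dedicated per-policy group (the first model in the question) makes easier to spot.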