Best practice for security management (policies/rules ...) in AzureAD, Conditional Access & InTune


What is the best practice for security management in Azure AD, to manage policies/rules in MEM/Intune, Conditional Access, etc., so that we can easily review and add/remove access to a specific rule/right?

Some examples:
What is the best practice when we apply a Conditional Access policy to a group of users?
- Do we set a specific Azure AD group (like for MFA: ForceMFA) in the Conditional Access policy, then add groups or users to this Azure AD group?
- Or do we add Azure AD groups or users (like Boston-Manager, Florida-Marketing…) directly in the Conditional Access settings?
Same for Intune/MEM policies (like compliance policies):
- Do we set a specific Azure AD group (like InTune-Compliance-W10-Include, InTune-Compliance-W10-Exclude) for these policies, then add groups or users to this group?
- Or do we add Azure AD groups or users directly in the Intune policy settings?

Is there a Microsoft best practice for Azure AD management, like the AGDLP rule for on-prem AD, and what are the advantages/disadvantages of using nested groups in Azure AD?
Thanks!
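As an added example (not part of the original post), the following PowerShell script uses the Microsoft Graph PowerShell SDK to list every Conditional Access policy with its include/exclude groups and to expand each group's transitive (nested) membership, which is what the "indirection group" pattern above (a ForceMFA group that other groups and users are placed into) needs for review. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed and that the signed-in account has Policy.Read.All and GroupMember.Read.All consent.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups) is installed and the
# caller has Policy.Read.All and GroupMember.Read.All consent.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Policy.Read.All', 'GroupMember.Read.All'

# Resolve a group id to its display name and its transitive user membership.
# Transitive membership flattens nested groups, which is what Conditional Access
# actually evaluates, so this shows who is effectively in scope of a policy.
function Get-EffectiveGroupUsers {
    param([Parameter(Mandatory)][string]$GroupId)
    $group   = Get-MgGroup -GroupId $GroupId
    $members = Get-MgGroupTransitiveMember -GroupId $GroupId -All
    $users   = @($members | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user'
    })
    [pscustomobject]@{
        GroupName = $group.DisplayName
        UserCount = $users.Count
        Users     = $users | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    }
}

# Walk every Conditional Access policy and report the groups that scope it in or out.
foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    Write-Output "== $($policy.DisplayName) [$($policy.State)]"
    foreach ($gid in $policy.Conditions.Users.IncludeGroups) {
        $g = Get-EffectiveGroupUsers -GroupId $gid
        Write-Output "  include: $($g.GroupName) ($($g.UserCount) users)"
    }
    foreach ($gid in $policy.Conditions.Users.ExcludeGroups) {
        $g = Get-EffectiveGroupUsers -GroupId $gid
        Write-Output "  exclude: $($g.GroupName) ($($g.UserCount) users)"
    }
}
```

Running this before and after changing membership of a scoping group such as ForceMFA gives a quick diff of who gained or lost coverage, which is the review step that direct per-policy assignments make harder to do.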
