Best practice for security management (policies/rules ...) in AzureAD, Conditional Access & InTune

SRPfr · ‎Nov 09 2020

What's the best practice for security management in AzureAD, to manage policies/rules in MEM/InTune, Conditional Access... to easily review and add/remove access to a specific rule/right.

Some examples :
Best practice when we apply a Conditional Access to a group of user ?
- Do we set a specific Azure AD group (Like for MFA : ForceMFA) in the Conditional Access policy. Then add groups or user in this Azure AD group.
- Or do we add directly Azure AD group or user (Like Boston-Manager, Florida-Marketing…) in the Conditional Access settings ?

Same for Intune/MEM policy (Like Compliance policies) :
- Do we set a specific Azure AD group (Like InTune-Compliance-W10-Include, InTune-Compliance-W10-Exclude) for these policies. Then add groups or user in this group.
- Or do we add directly AzureAD group or user in the InTune policies settings ?

There’s a Microsoft best practice for AzureAD management like the AGDLP rule for AD OnPrem and advantage/disadvantage to use nested groups in AzureAD ?
Thanks !

Chandrasekhar_Arya · ‎Nov 11 2021

Add directly Azure AD groups NOT users in conditional access . Make sure you create a Conditional access groups that doesnt not need MFA , all your service accounts can be added to this group
Again my take is for intune is to go with Azure AD groups the way I see
Conditional access policy 1 ( Force MFA ) has AAD group1 , 2
Conditional access policy 2 ( Exclude MFA) has AAD group 3 which typically some service accounts etc
hope that helps

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Best practice for security management (policies/rules ...) in AzureAD, Conditional Access & InTune

Best practice for security management (policies/rules ...) in AzureAD, Conditional Access & InTune

Re: Best practice for security management (policies/rules ...) in AzureAD, Conditional Access &