Best practice for security management (policies/rules ...) in AzureAD, Conditional Access & InTune

Occasional Contributor

What's the best practice for security management in Azure AD, for managing policies/rules in MEM/Intune and Conditional Access, so that access to a specific rule/right can be easily reviewed and added/removed?

Some examples:
What is the best practice when we apply a Conditional Access policy to a group of users?
- Do we set a specific Azure AD group (like, for MFA: ForceMFA) in the Conditional Access policy, then add groups or users to this Azure AD group?
- Or do we add Azure AD groups or users (like Boston-Manager, Florida-Marketing…) directly in the Conditional Access settings?

Same for Intune/MEM policies (like compliance policies):
- Do we set a specific Azure AD group (like Intune-Compliance-W10-Include, Intune-Compliance-W10-Exclude) for these policies, then add groups or users to this group?
- Or do we add Azure AD groups or users directly in the Intune policy settings?

Is there a Microsoft best practice for Azure AD management, like the AGDLP rule for on-prem AD, and what are the advantages/disadvantages of using nested groups in Azure AD?
Thanks!

1 Reply
Add Azure AD groups directly, NOT users, in Conditional Access. Make sure you create a Conditional Access group that does not need MFA; all your service accounts can be added to this group.
Again, my take for Intune is to go with Azure AD groups. The way I see it:
- Conditional Access policy 1 (Force MFA) has AAD group 1, 2
- Conditional Access policy 2 (Exclude MFA) has AAD group 3, which typically contains some service accounts etc.
Hope that helps.
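The question asks how to review who is covered by a given rule, and the reply recommends assigning groups rather than users and keeping an exclusion group for service accounts. The following script is an added example (not from this thread or from Microsoft) that audits an export of Conditional Access policies against exactly those two points. It assumes the policies were fetched from the Microsoft Graph endpoint `GET /identity/conditionalAccess/policies` and saved as JSON; the embedded sample is a constructed, trimmed-down version of that response with placeholder ids.

```python
import json
from collections import defaultdict

# Constructed sample (assumption): a trimmed copy of the JSON returned by
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies,
# keeping only the fields this audit needs. Group, user and role ids are placeholders.
SAMPLE_POLICIES_JSON = """
[
  {"id": "p1", "displayName": "CA01 - Force MFA", "state": "enabled",
   "conditions": {"users": {
       "includeUsers": [], "excludeUsers": [],
       "includeGroups": ["grp-mfa-users"], "excludeGroups": ["grp-mfa-exempt"],
       "includeRoles": [], "excludeRoles": []}},
   "grantControls": {"builtInControls": ["mfa"]}},
  {"id": "p2", "displayName": "CA02 - Block legacy auth", "state": "enabled",
   "conditions": {"users": {
       "includeUsers": ["All"], "excludeUsers": ["user-guid-1"],
       "includeGroups": [], "excludeGroups": [],
       "includeRoles": [], "excludeRoles": []}},
   "grantControls": {"builtInControls": ["block"]}},
  {"id": "p3", "displayName": "CA03 - Require compliant device",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {
       "includeUsers": ["user-guid-2", "user-guid-3"], "excludeUsers": [],
       "includeGroups": [], "excludeGroups": [],
       "includeRoles": [], "excludeRoles": []}},
   "grantControls": {"builtInControls": ["compliantDevice"]}},
  {"id": "p4", "displayName": "CA04 - Force MFA for admins", "state": "enabled",
   "conditions": {"users": {
       "includeUsers": [], "excludeUsers": [],
       "includeGroups": [], "excludeGroups": [],
       "includeRoles": ["role-guid-global-admin"], "excludeRoles": []}},
   "grantControls": {"builtInControls": ["mfa"]}}
]
"""

# Keywords Graph uses in includeUsers/excludeUsers that are not individual accounts.
USER_KEYWORDS = {"All", "None", "GuestsOrExternalUsers"}


def load_policies(text):
    return json.loads(text)


def _users(policy):
    return policy.get("conditions", {}).get("users", {})


def direct_user_assignments(policies):
    """Return (policy name, field, [user ids]) for every policy that targets
    individual users instead of groups, in either the include or exclude list."""
    findings = []
    for p in policies:
        u = _users(p)
        for field in ("includeUsers", "excludeUsers"):
            ids = [x for x in u.get(field, []) if x not in USER_KEYWORDS]
            if ids:
                findings.append((p["displayName"], field, ids))
    return findings


def mfa_policies_without_exclusion_group(policies):
    """Return names of enabled MFA-granting policies that have no excludeGroups,
    i.e. no group through which service or break-glass accounts can be exempted."""
    out = []
    for p in policies:
        controls = p.get("grantControls") or {}
        if "mfa" not in controls.get("builtInControls", []):
            continue
        if p.get("state") != "enabled":
            continue
        if not _users(p).get("excludeGroups"):
            out.append(p["displayName"])
    return out


def group_usage(policies):
    """Map each group id to the (policy name, field) entries referencing it,
    so the effect of adding someone to a group can be reviewed in one place."""
    usage = defaultdict(list)
    for p in policies:
        u = _users(p)
        for field in ("includeGroups", "excludeGroups"):
            for gid in u.get(field, []):
                usage[gid].append((p["displayName"], field))
    return dict(usage)


if __name__ == "__main__":
    pols = load_policies(SAMPLE_POLICIES_JSON)
    for name, field, ids in direct_user_assignments(pols):
        print(f"[direct user assignment] {name}: {field} = {ids}")
    for name in mfa_policies_without_exclusion_group(pols):
        print(f"[no exclusion group] {name}")
    for gid, refs in sorted(group_usage(pols).items()):
        print(f"[group] {gid} -> {refs}")
```

Run against a real export, the first two checks surface the drift the reply warns about (a user pinned directly into a policy, or an MFA policy that can only be bypassed by editing the policy itself), and `group_usage` gives the "which rules does this group touch" view that makes group-based assignment reviewable. The same pattern applies to Intune assignment JSON, only the field names differ.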